MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f4dc31023ec39356b3aa220863cba0ac8b25770641423bccf79ee2b10d77278. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 2 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f4dc31023ec39356b3aa220863cba0ac8b25770641423bccf79ee2b10d77278
SHA3-384 hash: 68873fef4bd1cf43eb789e3200f852221d9d147198162c67e223835b338d6def6c744e1c23e3ed9532efb435edffee87
SHA1 hash: 7872ad8670696453d1b95e0193839167fe5e727f
MD5 hash: b57244a20b1130978e1f49045ae571a6
humanhash: king-tango-potato-sad
File name:b57244a20b1130978e1f49045ae571a6.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'109'504 bytes
First seen:2021-03-30 11:21:24 UTC
Last seen:2021-03-30 11:55:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:wrNX8v7dYpALWlQvz+/6xTkBFm61p/M1JocXzQPHQvkpI0WH:wrWp2ALW6+/eTkhS1OKzQPwvYI
Threatray 859 similar samples on MalwareBazaar
TLSH AB3512F03A94C794F62C97FAA525540007B9F3EA1153CB8C8D98E4EE295EF8D1DC4A93
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://moreirawag.ac.ug/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://moreirawag.ac.ug/index.php https://threatfox.abuse.ch/ioc/6037/
http://nmorbertomo.ac.ug/ https://threatfox.abuse.ch/ioc/6038/

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b57244a20b1130978e1f49045ae571a6.exe
Verdict:
Malicious activity
Analysis date:
2021-03-30 11:24:30 UTC
Tags:
loader trojan stealer raccoon rat azorult remcos vidar
Link:
https://app.any.run/tasks/a3a62146-bb14-4537-b38f-a21f617922fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127972/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.601.12906.2686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Sending a custom TCP request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Creating a process with a hidden window
Running batch commands
Launching a process
Connection attempt to an infection source
Unauthorized injection to a recently created process
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT Azorult Raccoon Remcos Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658277
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Remcos RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 378067 Sample: 1AQz4ua1TU.exe Startdate: 30/03/2021 Architecture: WINDOWS Score: 100 125 nothinglike.ac.ug 2->125 127 icando.ug 2->127 129 3 other IPs or domains 2->129 151 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->151 153 Found malware configuration 2->153 155 Malicious sample detected (through community Yara rule) 2->155 157 14 other signatures 2->157 11 1AQz4ua1TU.exe 15 5 2->11         started        16 cmd.exe 2->16         started        18 Jksfmi.exe 2->18         started        20 taskkill.exe 2->20         started        signatures3 process4 dnsIp5 147 nmorbertomo.ac.ug 185.215.113.77, 49727, 49730, 49732 WHOLESALECONNECTIONSNL Portugal 11->147 121 C:\Users\user\AppData\Local\...\axcvngfd.exe, PE32 11->121 dropped 123 C:\Users\user\AppData\...\1AQz4ua1TU.exe.log, ASCII 11->123 dropped 181 Contains functionality to steal Internet Explorer form passwords 11->181 183 Injects a PE file into a foreign processes 11->183 22 axcvngfd.exe 14 5 11->22         started        26 1AQz4ua1TU.exe 87 11->26         started        29 txsqedqf.exe 16->29         started        31 conhost.exe 16->31         started        149 cdn.discordapp.com 18->149 33 conhost.exe 20->33         started        file6 signatures7 process8 dnsIp9 101 C:\Users\user\AppData\Local\...\oxcvngfd.exe, PE32 22->101 dropped 171 Injects a PE file into a foreign processes 22->171 35 axcvngfd.exe 22->35         started        40 oxcvngfd.exe 3 22->40         started        143 45.139.236.6, 49729, 80 TEAM-HOSTASRU Russian Federation 26->143 145 tttttt.me 95.216.186.40, 443, 49728 HETZNER-ASDE Germany 26->145 103 C:\Users\user\AppData\...\pMzpncK9JT.exe, PE32 26->103 dropped 105 C:\Users\user\AppData\...\byzzjdoZnt.exe, PE32 26->105 dropped 107 C:\Users\user\AppData\...\vqHLOVcy5m.exe, PE32 26->107 dropped 109 60 other files (none is malicious) 26->109 dropped 173 Tries to steal Mail credentials (via file access) 26->173 42 byzzjdoZnt.exe 26->42         started        44 pMzpncK9JT.exe 26->44         started        46 CmxQ1llE5j.exe 26->46         started        50 2 other processes 26->50 175 Detected unpacking (overwrites its own PE header) 29->175 48 powershell.exe 29->48         started        file10 signatures11 process12 dnsIp13 131 moreirawag.ac.ug 35->131 87 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 35->87 dropped 89 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 35->89 dropped 91 C:\Users\user\AppData\Local\Temp\ds1.exe, PE32 35->91 dropped 99 49 other files (none is malicious) 35->99 dropped 159 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->159 161 Tries to steal Instant Messenger accounts or passwords 35->161 163 Tries to steal Mail credentials (via file access) 35->163 169 4 other signatures 35->169 52 ac.exe 35->52         started        165 Injects a PE file into a foreign processes 40->165 54 oxcvngfd.exe 40->54         started        93 C:\Users\user\AppData\Local\...\tmpC5B3.tmp, XML 42->93 dropped 95 C:\Users\user\AppData\Roaming\gsHQIi.exe, PE32 42->95 dropped 167 Uses schtasks.exe or at.exe to add and modify task schedules 42->167 59 byzzjdoZnt.exe 42->59         started        67 3 other processes 42->67 61 pMzpncK9JT.exe 44->61         started        63 CmxQ1llE5j.exe 46->63         started        69 2 other processes 46->69 65 conhost.exe 48->65         started        133 cdn.discordapp.com 162.159.133.233, 443, 49738 CLOUDFLARENETUS United States 50->133 97 C:\Users\Public\Libraries\Jksfmi\Jksfmi.exe, PE32 50->97 dropped 71 2 other processes 50->71 file14 signatures15 process16 dnsIp17 135 nmorbertomo.ac.ug 54->135 111 C:\ProgramData\vcruntime140.dll, PE32 54->111 dropped 113 C:\ProgramData\sqlite3.dll, PE32 54->113 dropped 115 C:\ProgramData\nss3.dll, PE32 54->115 dropped 119 3 other files (none is malicious) 54->119 dropped 177 Tries to harvest and steal browser information (history, passwords, etc) 54->177 179 Tries to steal Crypto Currency Wallets 54->179 73 cmd.exe 54->73         started        137 icando.ug 194.5.98.107 DANILENKODE Netherlands 59->137 139 icacxndo.ac.ug 59->139 141 192.168.2.1 unknown unknown 59->141 75 powershell.exe 61->75         started        117 C:\Windows\Temp\txsqedqf.exe, PE32 63->117 dropped 77 cmstp.exe 63->77         started        79 conhost.exe 67->79         started        file18 signatures19 process20 process21 81 conhost.exe 73->81         started        83 taskkill.exe 73->83         started        85 conhost.exe 75->85         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f4dc31023ec39356b3aa220863cba0ac8b25770641423bccf79ee2b10d77278/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 11:22:10 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5g4gebd5q4tk2z2uiqimpf2blelev3qmqkchpgpphxcwegxoj4a._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
17e1ef78f68371282d030616c47734fa831864cac7fc0ed3171cdc0087bcc894
RaccoonStealer
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
RaccoonStealer
2dae80e04d518be8a6e1659d53afd6aea2eecc35086db46b4dd0a701a4b6f812
RaccoonStealer
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
RaccoonStealer
4100f196d5289b085ea167afbec9aadbb5105bf46e48b5402f583db123878f96
RaccoonStealer
50cae11649a917039a3fadf933dcf5d724ce0db6fbe4d29cb0aa590896849ca6
RaccoonStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
RaccoonStealer
ac8a0b325adca9cc88fc6ee32c912024adfe5228024712e1c757183c51260d16
RaccoonStealer
c9c5b4b76ac69632d5f5931198adb5d21d214c72d8524ffc60d7d6bbcd44cf03
RaccoonStealer
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
RaccoonStealer
+ 849 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:azorult family:oski family:raccoon botnet:be1e745131839c33316c80c0bc1bd78d92126430 discovery evasion infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210330-ac3ndx6sbe/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
AsyncRat
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
icando.ug:6970
icacxndo.ac.ug:6970
Unpacked files
SH256 hash:
9187cb1481edec556ac945cf99c28a980412215d72855e8df72ffd4f27235b23
MD5 hash:
427c97da9f3622e1c8a4619fc0c2756d
SHA1 hash:
74a06ce933d1cae0b36270960e4beabfaf7cd4eb
Link:
https://www.unpac.me/results/99180144-71cf-4070-975f-0d6f80dbaf63/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/99180144-71cf-4070-975f-0d6f80dbaf63/
SH256 hash:
3c0ca2b4476202e0d3ae42e6972528086367e90b1ab9c6ef05e449653e18805c
MD5 hash:
df03f4ae9ee151ebd6c5c473373eab25
SHA1 hash:
0e5c6d72d6cd4713768b07318b302966b94b8c94
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/99180144-71cf-4070-975f-0d6f80dbaf63/
SH256 hash:
2f4dc31023ec39356b3aa220863cba0ac8b25770641423bccf79ee2b10d77278
MD5 hash:
b57244a20b1130978e1f49045ae571a6
SHA1 hash:
7872ad8670696453d1b95e0193839167fe5e727f
Link:
https://www.unpac.me/results/99180144-71cf-4070-975f-0d6f80dbaf63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/2f4dc31023ec39356b3aa220863cba0ac8b25770641423bccf79ee2b10d77278

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Remcos
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Remcos in memory
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 2f4dc31023ec39356b3aa220863cba0ac8b25770641423bccf79ee2b10d77278

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/879389/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
URLhaus
https://urlhaus.abuse.ch/url/446430/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/790808/
  
URLhaus
https://urlhaus.abuse.ch/url/422736/
Cape
Cape
https://www.capesandbox.com/analysis/127972/

Comments