MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
SHA3-384 hash: 142f23dae6c4adc95ebb383a0b55bc20066add1e5e4f9bf75da7b7ff678b1c4f2aeaf3d1a761085e5848cfc5dd5c0221
SHA1 hash: 3cf0c58d352f8589c30e31eaf9dbc4290e15abf9
MD5 hash: 7e6e324c1c852f1be6ec2037cc0871c7
humanhash: happy-hot-yellow-lactose
File name:7e6e324c1c852f1be6ec2037cc0871c7.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:663'552 bytes
First seen:2020-08-16 14:58:50 UTC
Last seen:2020-08-16 15:45:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:ys4EcmZHAFaxmVmie9bngPhHg69E/aj1SQA5C85aOG3MK4oXWwvY8SrwMoiuNfSl:54EcmZHAFaxmVmie9bngPhHvE+1g5UOp
Threatray 293 similar samples on MalwareBazaar
TLSH 79E4121C35E0B0B2F3F82EF56C707D0457A86B175E679E8F18A122B187E39F9294584E
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.89.215.215/gate/log.php

AZORult C2:
http://limjerome.ug/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46524/
Detection(s):
SecuriteInfo.com.Generic.mg.7e6e324c1c852f1b.379.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Sending an HTTP POST request
Sending an HTTP GET request
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Threat name:
AsyncRAT Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432329
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 267952 Sample: zU8SwFMOIH.exe Startdate: 16/08/2020 Architecture: WINDOWS Score: 100 70 singsing.ug 2->70 72 fgdjhksdfsdxcbv.ru 2->72 74 3 other IPs or domains 2->74 104 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->104 106 Found malware configuration 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 11 other signatures 2->110 9 zU8SwFMOIH.exe 15 7 2->9         started        signatures3 process4 dnsIp5 84 limjerome.ug 217.8.117.77, 49723, 49729, 49730 CREXFEXPEX-RUSSIARU Russian Federation 9->84 86 singaporeunited.ug 9->86 88 192.168.2.1 unknown unknown 9->88 56 C:\Users\user\AppData\Local\...\Uivcxbdsf.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\...\zU8SwFMOIH.exe.log, ASCII 9->58 dropped 128 Contains functionality to steal Internet Explorer form passwords 9->128 130 Injects a PE file into a foreign processes 9->130 14 zU8SwFMOIH.exe 88 9->14         started        19 Uivcxbdsf.exe 14 7 9->19         started        file6 signatures7 process8 dnsIp9 90 singaporeunited.ug 14->90 92 telete.in 195.201.225.248, 443, 49724 HETZNER-ASDE Germany 14->92 94 34.89.215.215, 49725, 49726, 80 GOOGLEUS United States 14->94 60 C:\Users\user\AppData\...\Z75nYXjpr7.exe, PE32 14->60 dropped 62 C:\Users\user\AppData\...\Y5k0sGkEYI.exe, PE32 14->62 dropped 64 C:\Users\user\AppData\...\Lfy5IiLw1k.exe, PE32 14->64 dropped 68 66 other files (1 malicious) 14->68 dropped 98 Tries to steal Mail credentials (via file access) 14->98 21 Lfy5IiLw1k.exe 14->21         started        26 Y5k0sGkEYI.exe 14->26         started        28 Z75nYXjpr7.exe 14->28         started        34 2 other processes 14->34 96 singaporeunited.ug 19->96 66 C:\Users\user\AppData\...\JHGsvcsdfe.exe, PE32 19->66 dropped 100 Injects a PE file into a foreign processes 19->100 102 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 19->102 30 Uivcxbdsf.exe 19->30         started        32 JHGsvcsdfe.exe 3 19->32         started        file10 signatures11 process12 dnsIp13 76 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49734 GOOGLEUS United States 21->76 78 discord.com 162.159.128.233, 443, 49732 CLOUDFLARENETUS United States 21->78 80 doc-0c-50-docs.googleusercontent.com 21->80 42 C:\Users\user\AppData\Local\Turisec.exe, PE32 21->42 dropped 112 Writes to foreign memory regions 21->112 114 Allocates memory in foreign processes 21->114 116 Creates a thread in another existing process (thread injection) 21->116 44 C:\Users\user\AppData\Local\...\tmpBA6E.tmp, XML 26->44 dropped 46 C:\Users\user\AppData\...\IZxHxqmErtehZ.exe, PE32 26->46 dropped 118 Injects a PE file into a foreign processes 26->118 82 limjerome.ug 30->82 48 C:\Users\user\AppData\...\vcruntime140.dll, PE32 30->48 dropped 50 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 30->50 dropped 52 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 30->52 dropped 54 45 other files (none is malicious) 30->54 dropped 120 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->120 122 Tries to steal Instant Messenger accounts or passwords 30->122 124 Tries to steal Mail credentials (via file access) 30->124 126 3 other signatures 30->126 36 JHGsvcsdfe.exe 32->36         started        38 conhost.exe 34->38         started        40 timeout.exe 34->40         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-16 15:00:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcgjmvl4nps5ium3us5mhdbd4yi4pnqwqph4cbr2mae6efwcj5pa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
azorult
Create hunting rule
Similar samples:
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
RaccoonStealer
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
RaccoonStealer
4100f196d5289b085ea167afbec9aadbb5105bf46e48b5402f583db123878f96
RaccoonStealer
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
RaccoonStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
RaccoonStealer
6fa66f7851bea577cc6adfda11d3225a69b7c6554f028851eddd4d23ea074a59
RaccoonStealer
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
RaccoonStealer
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
RaccoonStealer
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
RaccoonStealer
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
RaccoonStealer
+ 283 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
ransomware stealer family:raccoon spyware trojan infostealer family:azorult discovery
Link:
https://tria.ge/reports/200816-ft8vpkkd72/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Azorult
Raccoon
Raccoon log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/46524/
  
URLhaus
https://urlhaus.abuse.ch/url/422736/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/422731/
  
URLhaus
https://urlhaus.abuse.ch/url/422726/
  
URLhaus
https://urlhaus.abuse.ch/url/422730/
  
URLhaus
https://urlhaus.abuse.ch/url/422721/
  
URLhaus
https://urlhaus.abuse.ch/url/422728/
  
URLhaus
https://urlhaus.abuse.ch/url/422738/
  
URLhaus
https://urlhaus.abuse.ch/url/422744/
  
URLhaus
https://urlhaus.abuse.ch/url/401281/
  
URLhaus
https://urlhaus.abuse.ch/url/399076/
  
URLhaus
https://urlhaus.abuse.ch/url/366553/
  
URLhaus
https://urlhaus.abuse.ch/url/360443/

Comments