MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a
SHA3-384 hash: e654059a72239678964d61471d2c841f34e10a97ef59d6861e32f7595122cc09f905f43450447a0cf7017aae9249981d
SHA1 hash: 87a24cd1d7cc1985e29ff1bd384c48dbde1b97a0
MD5 hash: adba935c663db2d4c2a53f01434f1e11
humanhash: kitten-golf-beryllium-carolina
File name:adba935c663db2d4c2a53f01434f1e11.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'105'920 bytes
First seen:2020-09-20 03:43:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0320232b42c0bfbc92efc4f95a2299b9 (3 x RaccoonStealer)
ssdeep 24576:BGB08Fkcf4VYMOAcheLwsO7pcdpeewR1fGB08Fk8PviOCNGB08FkFmoz4OXzn:GpkenAJjOlcdMl1cpkOKOCCpkD4OXzn
Threatray 178 similar samples on MalwareBazaar
TLSH D6351227597B5613F88B07746BD58AD94BBDDC2732A63C3FCF042E042AA690542C7E36
Reporter abuse_ch
Tags:ArkeiStealer AsyncRAT exe nVpn RaccoonStealer RAT


Avatar
abuse_ch
RaccoonStealer C2:
http://chinadevmonster.top/gate/log.php

ArkeiStealer C2:
http://courtneysdv.ac.ug/

AsyncRAT C2:
masonp.ac.ug:6970 (194.5.98.95)

Pointing to nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU6
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-07-30T03:41:26Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Malware.Zard-9653261-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Reading critical registry keys
Replacing files
Delayed writing of the file
Delayed reading of the file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/470704
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Contains functionality to steal Internet Explorer form passwords
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 287785 Sample: i7TDgdjsm9.exe Startdate: 20/09/2020 Architecture: WINDOWS Score: 100 116 telete.in 2->116 118 perrymason.ac.ug 2->118 120 7 other IPs or domains 2->120 156 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->156 158 Multi AV Scanner detection for domain / URL 2->158 160 Found malware configuration 2->160 162 16 other signatures 2->162 11 i7TDgdjsm9.exe 16 2->11         started        15 cmd.exe 2->15         started        signatures3 process4 file5 94 C:\Users\user\AppData\Local\...\gJHKfdgvr.exe, PE32 11->94 dropped 96 C:\Users\user\AppData\Local\...\JHdfbvhyt.exe, PE32 11->96 dropped 168 Detected unpacking (changes PE section rights) 11->168 170 Detected unpacking (overwrites its own PE header) 11->170 172 Contains functionality to steal Internet Explorer form passwords 11->172 174 Maps a DLL or memory area into another process 11->174 17 gJHKfdgvr.exe 4 11->17         started        20 i7TDgdjsm9.exe 90 11->20         started        24 JHdfbvhyt.exe 4 11->24         started        signatures6 process7 dnsIp8 146 Detected unpacking (changes PE section rights) 17->146 148 Maps a DLL or memory area into another process 17->148 26 gJHKfdgvr.exe 66 17->26         started        122 telete.in 195.201.225.248, 443, 49720 HETZNER-ASDE Germany 20->122 124 chinadevmonster.top 47.245.136.23, 49722, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 20->124 126 3 other IPs or domains 20->126 82 C:\Users\user\AppData\...\fYqvBWgLJn.exe, PE32 20->82 dropped 84 C:\Users\user\AppData\...\Z62TOoPKVA.exe, PE32 20->84 dropped 86 C:\Users\user\AppData\...\XGyuc4FugZ.exe, PE32 20->86 dropped 88 68 other files (2 malicious) 20->88 dropped 150 Tries to steal Mail credentials (via file access) 20->150 152 Hides threads from debuggers 20->152 31 FB2Wr0EEb4.exe 20->31         started        33 fYqvBWgLJn.exe 20->33         started        35 XGyuc4FugZ.exe 20->35         started        39 3 other processes 20->39 154 Detected unpacking (overwrites its own PE header) 24->154 37 JHdfbvhyt.exe 181 24->37         started        file9 signatures10 process11 dnsIp12 136 courtneyjuser.ac.ug 217.8.117.77, 49719, 49721, 49724 CREXFEXPEX-RUSSIARU Russian Federation 26->136 138 courtneyhones.ac.ug 26->138 98 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 26->98 dropped 100 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 26->100 dropped 102 C:\Users\user\AppData\Local\Temp\ds1.exe, PE32 26->102 dropped 112 49 other files (1 malicious) 26->112 dropped 176 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->176 178 Tries to steal Instant Messenger accounts or passwords 26->178 180 Tries to steal Mail credentials (via file access) 26->180 192 2 other signatures 26->192 41 ac.exe 26->41         started        46 ds1.exe 26->46         started        48 ds2.exe 26->48         started        60 2 other processes 26->60 104 C:\Users\user\AppData\...\Lime_oluma.exe, PE32 31->104 dropped 182 Detected unpacking (changes PE section rights) 31->182 184 Writes to foreign memory regions 31->184 186 Injects a PE file into a foreign processes 31->186 106 C:\Windows\Temp\jvz0sw0z.exe, PE32 33->106 dropped 50 cmstp.exe 33->50         started        52 powershell.exe 35->52         started        140 courtneysdv.ac.ug 37->140 108 C:\ProgramData\vcruntime140.dll, PE32 37->108 dropped 110 C:\ProgramData\sqlite3.dll, PE32 37->110 dropped 114 5 other files (none is malicious) 37->114 dropped 188 Tries to steal Crypto Currency Wallets 37->188 190 Hides threads from debuggers 37->190 54 cmd.exe 37->54         started        142 162.159.135.233, 443, 49733 CLOUDFLARENETUS United States 39->142 144 cdn.discordapp.com 39->144 56 conhost.exe 39->56         started        58 timeout.exe 39->58         started        file13 signatures14 process15 dnsIp16 128 perrymason.ac.ug 194.5.98.95 DANILENKODE Netherlands 41->128 130 masonp.ac.ug 41->130 132 jkhdgfxcsdfbakjvjhhjgdsf.ru 41->132 90 C:\Users\user\AppData\Roaming\...\dvlc.exe, PE32 41->90 dropped 164 Detected unpacking (changes PE section rights) 41->164 166 Creates an undocumented autostart registry key 41->166 62 powershell.exe 41->62         started        92 C:\Windows\Temp\zur5ewqp.exe, PE32 46->92 dropped 64 cmstp.exe 46->64         started        66 powershell.exe 48->66         started        68 conhost.exe 52->68         started        70 conhost.exe 54->70         started        72 taskkill.exe 54->72         started        134 cdn.discordapp.com 162.159.130.233, 443, 49726 CLOUDFLARENETUS United States 60->134 74 conhost.exe 60->74         started        76 timeout.exe 60->76         started        file17 signatures18 process19 process20 78 conhost.exe 62->78         started        80 conhost.exe 66->80         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-09-20 03:45:06 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gywt7vu4kjhqb54d5wux5irctoafopk42huetu5a22qxanhl2ofa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
masslogger
Create hunting rule
Similar samples:
15145ed8e5ae3cf2acf9ad25bbcb3f782c4d8ba9674185d06baa66ae6d17f25a
RaccoonStealer
1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0
RaccoonStealer
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
RaccoonStealer
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
RaccoonStealer
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
RaccoonStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
RaccoonStealer
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
RaccoonStealer
7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999
RaccoonStealer
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
RaccoonStealer
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
RaccoonStealer
+ 168 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
ransomware infostealer family:oski spyware stealer family:raccoon evasion trojan family:azorult discovery
Link:
https://tria.ge/reports/200920-5zlb42546n/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Raccoon log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_a0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe 362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/63812/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/446431/
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/

Comments