MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
SHA3-384 hash: de6b31309f7793da7e97e1f082378d2c827044156f68ab2f5cd48b0da85d10f4b90b58497fd4cd1fb9fb964df090180e
SHA1 hash: 162fc936516aa07c626bf1422aa6e3e2e8ce128c
MD5 hash: 6754f10af6ecb656d75b2ef3d27a0e04
humanhash: quebec-hydrogen-mirror-vermont
File name:6754f10af6ecb656d75b2ef3d27a0e04.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:717'824 bytes
First seen:2020-10-04 17:32:08 UTC
Last seen:2020-10-04 18:39:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:P8Z38wKZ/W1GU4a0cvbtnMdKttAsd3mnF4q/Zzg8wgoHmB5r:PuBKFUuwbtMdK3Asdy+q/Zk1gomB
Threatray 1'339 similar samples on MalwareBazaar
TLSH 81E412C8B2807BDFD817A87289A52D71D710287F972FD207A49315BDCE4D49BCE129E2
Reporter abuse_ch
Tags:exe nVpn RaccoonStealer RAT


Avatar
abuse_ch
RaccoonStealer C2:
http://iloveyoubabu.ac.ug/index.php

AsyncRAT C2.
79.134.225.40:6970

Hosted on nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Creating a process with a hidden window
Sending a custom TCP request
Deleting a recently created file
Reading critical registry keys
Replacing files
Delayed writing of the file
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Delayed reading of the file
Launching a process
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Threat name:
AsyncRAT Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480908
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292894 Sample: WIyvnR0Bxk.exe Startdate: 04/10/2020 Architecture: WINDOWS Score: 100 126 marcapalgo.ug 2->126 128 macapslafg.ug 2->128 130 perrymason.ac.ug 2->130 158 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->158 160 Found malware configuration 2->160 162 Malicious sample detected (through community Yara rule) 2->162 164 12 other signatures 2->164 14 WIyvnR0Bxk.exe 3 4 2->14         started        signatures3 process4 file5 122 C:\Users\user\AppData\Local\Temp\imeo.exe, PE32 14->122 dropped 124 C:\Users\user\AppData\...\WIyvnR0Bxk.exe.log, ASCII 14->124 dropped 196 Injects a PE file into a foreign processes 14->196 18 wscript.exe 1 14->18         started        20 WIyvnR0Bxk.exe 92 14->20         started        signatures6 process7 dnsIp8 25 imeo.exe 4 18->25         started        132 iloveyoubaby.ac.ug 20->132 134 telete.in 195.201.225.248, 443, 49745 HETZNER-ASDE Germany 20->134 136 2 other IPs or domains 20->136 96 C:\Users\user\AppData\...\xscEROGZ3r.exe, PE32 20->96 dropped 98 C:\Users\user\AppData\...wevqg2ACu.exe, PE32 20->98 dropped 100 C:\Users\user\AppData\...\ALCk19rXps.exe, PE32 20->100 dropped 102 65 other files (1 malicious) 20->102 dropped 176 Tries to steal Mail credentials (via file access) 20->176 29 Ewevqg2ACu.exe 20->29         started        31 6wpzZzfo1e.exe 20->31         started        34 xscEROGZ3r.exe 20->34         started        36 2 other processes 20->36 file9 signatures10 process11 dnsIp12 104 C:\Users\user\AppData\Local\Temp\imea.exe, PE32 25->104 dropped 178 Injects a PE file into a foreign processes 25->178 38 wscript.exe 1 25->38         started        40 imeo.exe 25->40         started        180 Allocates memory in foreign processes 29->180 182 Adds a directory exclusion to Windows Defender 29->182 45 powershell.exe 29->45         started        152 162.159.130.233, 443, 49771 CLOUDFLARENETUS United States 31->152 154 162.159.137.232, 443, 49768, 49769 CLOUDFLARENETUS United States 31->154 156 2 other IPs or domains 31->156 184 Creates a thread in another existing process (thread injection) 31->184 47 conhost.exe 36->47         started        49 timeout.exe 36->49         started        file13 signatures14 process15 dnsIp16 51 imea.exe 38->51         started        142 iloveyoubaby.ac.ug 217.8.117.77, 49751, 49752, 49758 CREXFEXPEX-RUSSIARU Russian Federation 40->142 144 malarcvgs.ac.ug 40->144 106 C:\ProgramData\vcruntime140.dll, PE32 40->106 dropped 108 C:\ProgramData\sqlite3.dll, PE32 40->108 dropped 110 C:\ProgramData\softokn3.dll, PE32 40->110 dropped 112 4 other files (none is malicious) 40->112 dropped 186 Tries to steal Crypto Currency Wallets 40->186 53 cmd.exe 40->53         started        55 conhost.exe 45->55         started        file17 signatures18 process19 process20 57 imea.exe 51->57         started        62 conhost.exe 53->62         started        64 taskkill.exe 53->64         started        dnsIp21 146 iloveyoubabu.ac.ug 57->146 114 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 57->114 dropped 116 C:\Users\user\AppData\Local\Temp\ds2.exe, PE32 57->116 dropped 118 C:\Users\user\AppData\Local\Temp\ds1.exe, PE32 57->118 dropped 120 49 other files (1 malicious) 57->120 dropped 188 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 57->188 190 Tries to steal Instant Messenger accounts or passwords 57->190 192 Tries to steal Mail credentials (via file access) 57->192 194 4 other signatures 57->194 66 ac.exe 57->66         started        70 rc.exe 57->70         started        73 ds1.exe 57->73         started        75 2 other processes 57->75 file22 signatures23 process24 dnsIp25 92 C:\Users\user\AppData\Roaming\...\dcvlc.exe, PE32 66->92 dropped 166 Creates an undocumented autostart registry key 66->166 168 Adds a directory exclusion to Windows Defender 66->168 170 Injects a PE file into a foreign processes 66->170 77 ac.exe 66->77         started        80 powershell.exe 66->80         started        138 cdn.discordapp.com 162.159.135.233, 443, 49762 CLOUDFLARENETUS United States 70->138 140 discord.com 162.159.138.232, 443, 49760, 49761 CLOUDFLARENETUS United States 70->140 94 C:\Users\user\AppData\Local\...\Oqxwnek.exe, PE32 70->94 dropped 172 Allocates memory in foreign processes 70->172 174 Creates a thread in another existing process (thread injection) 70->174 82 conhost.exe 75->82         started        84 timeout.exe 75->84         started        86 ds2.exe 75->86         started        88 ds2.exe 75->88         started        file26 signatures27 process28 dnsIp29 148 marcapalgo.ug 77->148 150 masonp.ac.ug 79.134.225.40, 49778, 49779, 49780 FINK-TELECOM-SERVICESCH Switzerland 77->150 90 conhost.exe 80->90         started        process30
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-04 15:42:26 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ja6gape7wcoc5eenpaxx43z7attoe236vl4kyy3xgosojizmqdtq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
remcos
Create hunting rule
azorult
Create hunting rule
Similar samples:
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
RaccoonStealer
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
RaccoonStealer
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
RaccoonStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
RaccoonStealer
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
RaccoonStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
RaccoonStealer
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
RaccoonStealer
9b1328490717e1e3c97216a17bf36b67103a40dae3bbac6865487e51fea82b32
RaccoonStealer
bcb474ac919440674135c673d8c6a0fc8015a63a15b2849c3346f74a716b5249
RaccoonStealer
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
RaccoonStealer
+ 1'329 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan family:asyncrat persistence family:modiloader spyware discovery infostealer family:azorult family:oski
Link:
https://tria.ge/reports/201004-sa5lr2m1tj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Accesses cryptocurrency wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
ModiLoader Second Stage
AsyncRat
Azorult
Contains code to disable Windows Defender
ModiLoader, DBatLoader
Modifies Windows Defender Real-time Protection settings
Oski
Unpacked files
SH256 hash:
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
MD5 hash:
6754f10af6ecb656d75b2ef3d27a0e04
SHA1 hash:
162fc936516aa07c626bf1422aa6e3e2e8ce128c
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
0fe1c5224aa5f44b0f9c2c066e409b8ef18754e7062e45216aa441573913b68b
MD5 hash:
0ba44bb2a39cb4d36073887d698d473d
SHA1 hash:
195c30e18ebfa97ace52bad0de60079ddafc9871
Detections:
win_raccoon_a0
Create hunting rule
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
ffe2ce6da6cf9f0e7e3b8b5ee5eddacc27d5d146a155aec1b330b6c923eebd72
MD5 hash:
907c0f7ca8bb5184e215b404dda6fb04
SHA1 hash:
88d498252730f48923b1fa76450448c6dc2be1c3
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
Parent samples :
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
SH256 hash:
de1a875b8c20d85f0674998752045b35cc78b8f1d4c33aa5596f95ab136f9ba3
MD5 hash:
33a4dc6208ccb9d0084a833f76ae2ce9
SHA1 hash:
0ee3f25585fdcc7f0f8c1a88e180cdada74c8a4d
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
c0a9445b0bd976ded107ecaf7a6b72b69ea230a6aa671d0c4b6705ea2b2c1d2e
MD5 hash:
7b595abaf42ea8e0eb181ee64a8ac33d
SHA1 hash:
f87ecd8a67120a4f7a66d67c14ba26d66cfda858
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
b80129836b52b25d9d6ebe67a1c99ee24236fdb27fb95a872e4bf11eeda168d5
MD5 hash:
d59b7e118f75ca47bc5148339017cda8
SHA1 hash:
b6a0a5b4918d9f68b7dd568c31470234b5d3700f
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
359420341df543b879574556d2ea3b481060fa8396781f7c19a0f1ba1d4b88c2
MD5 hash:
81618520c8cad2a5252489ff70ef7a6a
SHA1 hash:
d59c5aac70c0c9122557ee98241f2a8afc458894
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
4e5dfd99dd8df37bde449cc7f1f16f4b07d1fc71c03fc419887f5563d85ef30c
MD5 hash:
d7494847089f698d6b8834dc3d4aa969
SHA1 hash:
1ad1c3751e3e656961a726896e8547b85bfc4c12
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
5f36656d5870a537211e72ddecec81ec8b1fe9ae9f8a878185e724ba72f8939c
MD5 hash:
7a553d9e03028b3e87e544aa7eb4fc09
SHA1 hash:
8c81b03f25ed3e337e622b58cba90f86df332b1a
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
SH256 hash:
2a476f18dbae18eb0b57bb40486d316c55335ea00012620a1027cb46f70d9f74
MD5 hash:
e72b6c7af77127dc345b4eab850b4238
SHA1 hash:
962371fadebedd5c1adb0ee8fd56c730039d01b2
Link:
https://www.unpac.me/results/48b33b15-eba7-4c83-9fde-572da8788efb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_a0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/67999/

Comments