MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 10

SHA256 hash: 4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea
SHA3-384 hash: 3f4fa6548d104f88eb299b0fe46065a60ad525e71832785d7a96fdeb90e295825f9f18a1d20b4086ae2a4b0c7b5df389
SHA1 hash: 9735c0c4cd4c9df7ed4e42820c9d64dd818ec982
MD5 hash: ed94a35c782570966aa8a65993925359
humanhash: red-steak-network-magnesium
File name: ed94a35c782570966aa8a65993925359.exe
Signature: RaccoonStealer
File size: 1'083'392 bytes
First seen: 2020-10-13 16:52:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 24576:cKHweUU6btitw+wBjZLDJTXrGglF68SwtS:n1f+t8FaVBpF68S
Threatray: 332 similar samples on MalwareBazaar
TLSH: C93502D83A41FA9FEE2E4C72C5152D60D320B966721BF2473433A5EA9E4E351DE060F6
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
AZORult C2:
http://morasergio.ac.ug/index.php

ArkeiStealer C2:
http://morasegio.ug/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 96
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Creating a process with a hidden window
Sending a custom TCP request
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Replacing files
Delayed writing of the file
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Threat name: Azorult Raccoon Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced in text extraction; Behavior Graph ID: 297484, Sample: vP02Va7ICw.exe, Startdate: 13/10/2020, Architecture: WINDOWS, Score: 100]
Threat name: ByteCode-MSIL.Trojan.Chapak
Status: Malicious
First seen: 2020-10-13 14:52:46 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: evasion trojan rat family:asyncrat infostealer family:azorult family:oski spyware discovery family:modiloader
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
ModiLoader First Stage
AsyncRat
Azorult
Contains code to disable Windows Defender
ModiLoader, DBatLoader
Modifies Windows Defender Real-time Protection settings
Oski
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_oski_g0
Author: Slavo Greminger, SWITCH-CERT
Rule name: win_raccoon_a0
Author: Slavo Greminger, SWITCH-CERT
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 4be1e912f4b6f65dd938f0a6fa1f1d9b8d4c20fc25ac3c3189e10013c29e4dea (this sample)

Comments