MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8
SHA3-384 hash: a4217319e824947454b9df9b42fbfb68b2ac9e85f5259deeacdf97c536f92ec5945b356316b5ef4ab41ed5e25a06a33f
SHA1 hash: 648c4f0115f50e4186e44fade356f635dc995362
MD5 hash: 6695ddd2891c24fc85a47ad37bd57f3f
humanhash: foxtrot-paris-georgia-artist
File name:5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:46'080 bytes
First seen:2021-10-29 03:02:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d88d597200c0081784c27940d743ec5 (6 x AZORult, 3 x RaccoonStealer, 1 x MBRLocker)
ssdeep 768:uVs46V9PAgK8pA9uhE9ton8g/kt0pptv+KgOEWEwnkasXKiaTnbcuyD7Ux:uioLuANE7pDv+JOEWNnkJaiaTnouy8
Threatray 6'936 similar samples on MalwareBazaar
TLSH T1FE23F171D85B0B28C72A8733162774D72700DB6D8C480955DAEAB0B95CA2A27FEEC1F5
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.181/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.181/ https://threatfox.abuse.ch/ioc/239344/

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a window
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73c4d81c-f453-4a8a-ada9-3161a646741a
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878968
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTA files
Creates HTML files with .exe extension (expired dropper behavior)
Drops PE files to the user root directory
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Encoded FromBase64String
Sigma detected: Execution from Suspicious Folder
Sigma detected: FromBase64String Command Line
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected BatToExe compiled binary
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511402 Sample: 5EDB1348236C7FA03DAE6C9E2D3... Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 91 scarsa.ac.ug 2->91 93 milsom.ac.ug 2->93 95 telegka.top 2->95 115 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->115 117 Multi AV Scanner detection for domain / URL 2->117 119 Found malware configuration 2->119 121 17 other signatures 2->121 12 5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe 6 2->12         started        signatures3 process4 file5 85 C:\Users\user\Desktop\gen.exe, PE32 12->85 dropped 15 cmd.exe 1 12->15         started        17 conhost.exe 12->17         started        process6 process7 19 gen.exe 10 15->19         started        23 syz.exe 17->23         started        25 conhost.exe 17->25         started        file8 73 C:\Users\user\AppData\Local\...\start2.bat, DOS 19->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\m1a.hta, HTML 19->75 dropped 77 C:\Users\user\AppData\Local\Temp\...\m1.hta, HTML 19->77 dropped 83 4 other malicious files 19->83 dropped 123 Multi AV Scanner detection for dropped file 19->123 125 Machine Learning detection for dropped file 19->125 127 Creates HTA files 19->127 27 cmd.exe 3 2 19->27         started        79 C:\Users\user\AppData\Local\...\Vtergfds.exe, PE32 23->79 dropped 81 C:\Users\user\AppData\Local\...\Vereransa.exe, PE32 23->81 dropped 129 Antivirus detection for dropped file 23->129 29 Vtergfds.exe 23->29         started        32 Vereransa.exe 23->32         started        34 syz.exe 23->34         started        signatures9 process10 signatures11 36 mshta.exe 19 27->36         started        39 mshta.exe 1 27->39         started        41 mshta.exe 27->41         started        43 4 other processes 27->43 139 Antivirus detection for dropped file 29->139 141 Multi AV Scanner detection for dropped file 29->141 143 Machine Learning detection for dropped file 29->143 process12 signatures13 131 Suspicious powershell command line found 36->131 45 powershell.exe 36->45         started        49 powershell.exe 22 39->49         started        52 powershell.exe 41->52         started        54 powershell.exe 43->54         started        56 powershell.exe 43->56         started        58 powershell.exe 43->58         started        process14 dnsIp15 97 opsdjs.ug 194.87.46.42, 49717, 49719, 80 ASBAXETNRU Russian Federation 45->97 99 bit.do 54.83.52.76, 49716, 49718, 49722 AMAZON-AESUS United States 45->99 107 2 other IPs or domains 45->107 87 C:\Users\Public\yow.exe, PE32 45->87 dropped 60 yow.exe 45->60         started        63 conhost.exe 45->63         started        109 Creates HTML files with .exe extension (expired dropper behavior) 49->109 111 Drops PE files to the user root directory 49->111 113 Powershell drops PE file 49->113 65 conhost.exe 49->65         started        89 C:\Users\Public\syz.exe, PE32 52->89 dropped 101 kfdhsa.ru 54->101 67 conhost.exe 54->67         started        103 bratiop.ru 56->103 69 conhost.exe 56->69         started        105 nicoslag.ru 58->105 71 conhost.exe 58->71         started        file16 signatures17 process18 signatures19 133 Antivirus detection for dropped file 60->133 135 Multi AV Scanner detection for dropped file 60->135 137 Machine Learning detection for dropped file 60->137
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2019-08-31 15:35:56 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3nrgsbdnr72apnonspc2pe6ija4f2vcvbzb4xclpcv4tntaox4a._file
Verdict:
malicious
Similar samples:
06bc17a2517d3c471c978b342e512234a3f9a8eb16e938e7be57b1b67da99bea
RaccoonStealer
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
RaccoonStealer
a85ef03cd5003b5aa6f886fcf1ee608f913ce08f5d0d3d3bb64fa41201df8502
RaccoonStealer
bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
RaccoonStealer
ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
RaccoonStealer
d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7
RaccoonStealer
+ 6'926 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/211029-dj2bxahbhm/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Azorult
Oski
Raccoon
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
scarsa.ac.ug
http://195.245.112.115/index.php
Dropper Extraction:
http://kfdhsa.ru/asdfg.exe
http://bit.do/e5K5i
http://bit.do/e5K4M
http://bratiop.ru/asdfg.exe
http://bit.do/e5K4b
http://nicoslag.ru/asdfg.exe
Unpacked files
SH256 hash:
4b81dc92fbf1407338075f7a9f06689c399473e9c95469d649082b78b66b7ba6
MD5 hash:
5271ab314f2b52eba226a7c6be80422b
SHA1 hash:
a96492640d3fbe797ba19e275649ede306bca396
Detections:
win_batchwiper_auto
Create hunting rule
Link:
https://www.unpac.me/results/45b56e83-5ea9-448a-a58a-ce1247803884/
SH256 hash:
5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8
MD5 hash:
6695ddd2891c24fc85a47ad37bd57f3f
SHA1 hash:
648c4f0115f50e4186e44fade356f635dc995362
Link:
https://www.unpac.me/results/45b56e83-5ea9-448a-a58a-ce1247803884/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5edb1348236c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments