MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60152e8f49b376387ea78e05be97894b52c0dc862a9906248b12a441e840ee2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 10



SHA256 hash: 60152e8f49b376387ea78e05be97894b52c0dc862a9906248b12a441e840ee2d
SHA3-384 hash: 46f1d069d7b676fbc09212c6977bf40a1cbcecd4992cfc5b3fbf2be012c16df44d0c09e31bf2945a45af9dce34366b6e
SHA1 hash: 678b1416dd2f1f748acc5c4619ebfaf4695946f1
MD5 hash: 1282cbd3580662cf9e2b218b132006f6
humanhash: hydrogen-river-happy-blossom
File name: 1282cbd3580662cf9e2b218b132006f6.exe
Signature: RaccoonStealer
File size: 1'175'552 bytes
First seen: 2020-10-14 14:49:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 24576:OGC9A8U/ZwBi1K+2q7L2jSbKQIl6k4ErIjOtnNp3W5S4uPLmK:OGC9AhqBik+dLQSe0k4ErRLlW1u
Threatray: 683 similar samples on MalwareBazaar
TLSH: 564501CA76427D5FDA6D8C72C8481D20E251B656B207FB93342339EBAE0E3568F051F6
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 80
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Creating a process with a hidden window
Sending a custom TCP request
Deleting a recently created file
Reading critical registry keys
Replacing files
Delayed writing of the file
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Threat name: AsyncRAT Azorult Raccoon Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Keylogger Generic
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 298014, sample EC6wTNKtx6.exe, start date 14/10/2020, architecture WINDOWS, score 100 (rendered process/network graph not reproduced)
Threat name: ByteCode-MSIL.Trojan.Chapak
Status: Malicious
First seen: 2020-10-14 08:48:53 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: rat trojan infostealer family:azorult family:modiloader spyware discovery evasion family:asyncrat family:oski
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
ModiLoader First Stage
ModiLoader Second Stage
AsyncRat
Azorult
Contains code to disable Windows Defender
ModiLoader, DBatLoader
Modifies Windows Defender Real-time Protection settings
Oski
Malware Config
C2 Extraction: agentttt.ac.ug, agentpurple.ac.ug:6970
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_oski_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type / SHA256: Executable exe 60152e8f49b376387ea78e05be97894b52c0dc862a9906248b12a441e840ee2d (this sample)
