MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 10



SHA256 hash: 61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
SHA3-384 hash: 14303ec8e84be63719d42e534b4e18ef20f4e9df72185744c795e125a89dd0cd8634bc10a46a0af220aacb6c44c646d2
SHA1 hash: 10d187b94b082e33513030ac825de250eec0dd5a
MD5 hash: 3f1a2ab1e63458d3c75ded4c3f4d47c5
humanhash: freddie-delaware-ack-finch
File name: 3f1a2ab1e63458d3c75ded4c3f4d47c5.exe
Signature: RaccoonStealer
File size: 2'048'000 bytes
First seen: 2020-10-04 17:30:24 UTC
Last seen: 2020-10-04 18:39:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c527ec4fd7e542f708e9a6ac42ef3593 (5 x RaccoonStealer)
ssdeep: 49152:rs5VcOMYoss5MV6fYbqs5n0DY5HK1bfYbVyfYbc:yVc5MvlnKAPg
Threatray: 514 similar samples on MalwareBazaar
TLSH: 8495222695632623F5061C3269E046E80BFCBD5377861C2FFF0C351D1BA2A09A5DDBB9
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 154
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Replacing files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Result
Threat name: AsyncRAT Azorult Raccoon Vidar
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 292893
Sample: FPPNZMgso6.exe
Start date: 04/10/2020
Architecture: WINDOWS
Score: 100

Top level (node 2):
  Network: macapslafg.ug; perrymason.ac.ug; 3 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  Started: FPPNZMgso6.exe (node 12); cmd.exe (node 16); taskkill.exe (node 18)

FPPNZMgso6.exe (node 12):
  Dropped: C:\Users\user\AppData\...\IertvbDSFvca.exe (PE32); C:\Users\user\AppData\...\BhfgwserGB.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Maps a DLL or memory area into another process
  Started: BhfgwserGB.exe (node 20); IertvbDSFvca.exe (node 23); FPPNZMgso6.exe (node 25)

cmd.exe (node 16):
  Started: conhost.exe (node 29); 1qj3j1s0.exe (node 31)

BhfgwserGB.exe (node 20):
  Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
  Started: BhfgwserGB.exe (node 33)

IertvbDSFvca.exe (node 23):
  Signatures: Detected unpacking (overwrites its own PE header)
  Started: IertvbDSFvca.exe (node 38)

FPPNZMgso6.exe (node 25):
  Network: iloveyoubaby.ac.ug; telete.in 195.201.225.248 (ports 443, 49730; HETZNER-ASDE, Germany); rsttrs.site 161.117.254.2 (ports 443, 49733, 49740; CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore)
  Dropped: C:\Users\user\AppData\...\qUn24wZSOt.exe (PE32); C:\Users\user\AppData\...\jU6IOBAZVB.exe (PE32); C:\Users\user\AppData\...\fhKWKK0GmM.exe (PE32); 65 other files (none is malicious)
  Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)

BhfgwserGB.exe (node 33):
  Network: iloveyoubaby.ac.ug 217.8.117.77 (ports 49727, 49729, 49732; CREXFEXPEX-RUSSIARU, Russian Federation); iloveyoubabu.ac.ug
  Dropped: C:\Users\user\AppData\Local\Temp\rc.exe (PE32); C:\Users\user\AppData\Local\Temp\ds2.exe (PE32); C:\Users\user\AppData\Local\Temp\ds1.exe (PE32); 49 other files (1 malicious)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 2 other signatures
  Started: ac.exe (node 40); rc.exe (node 44); ds2.exe (node 47); 2 other processes (node 51)

IertvbDSFvca.exe (node 38):
  Network: malarcvgs.ac.ug
  Dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
  Started: cmd.exe (node 49)

ac.exe (node 40):
  Dropped: C:\Users\user\AppData\Roaming\...\dcvlc.exe (PE32)
  Signatures: Creates an undocumented autostart registry key; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  Started: ac.exe (node 53); powershell.exe (node 56); ac.exe (node 58)

rc.exe (node 44):
  Network: cdn.discordapp.com 162.159.135.233 (ports 443, 49736; CLOUDFLARENETUS, United States); discord.com 162.159.137.232 (ports 443, 49734, 49735; CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\...\Oqxwnek.exe (PE32)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Started: notepad.exe (node 60)

ds2.exe (node 47):
  Started: ds2.exe (node 62)

cmd.exe (node 49):
  Started: conhost.exe (node 64); taskkill.exe (node 66)

2 other processes (node 51):
  Started: ds1.exe (node 68); 2 other processes (node 71)

ac.exe (node 53):
  Network: marcapalgo.ug; masonp.ac.ug 79.134.225.40 (ports 49749, 6970; FINK-TELECOM-SERVICESCH, Switzerland)

powershell.exe (node 56):
  Started: conhost.exe (node 73)

ds2.exe (node 62):
  Started: powershell.exe (node 75)

ds1.exe (node 68):
  Dropped: C:\Windows\Temp\1qj3j1s0.exe (PE32)
  Started: cmstp.exe (node 77)

powershell.exe (node 75):
  Started: conhost.exe (node 79)
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-10-04 14:37:40 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: asyncrat
Score: 10/10
Tags: rat evasion trojan persistence infostealer family:azorult family:oski spyware family:modiloader discovery family:asyncrat
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
ModiLoader Second Stage
AsyncRat
Azorult
Contains code to disable Windows Defender
ModiLoader, DBatLoader
Modifies Windows Defender Real-time Protection settings
Oski
Unpacked files
SHA256 hash: 61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
MD5 hash: 3f1a2ab1e63458d3c75ded4c3f4d47c5
SHA1 hash: 10d187b94b082e33513030ac825de250eec0dd5a

SHA256 hash: cd422411c59239b535c47c2862dbfe30dac1abba07663f174d3a49b96c587bb3
MD5 hash: 15fee751132d3cecbc7c8d1572783394
SHA1 hash: b4ba0e8838d394ccf7764575bedcf2208eebc402
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: def7401e60b151e2804fb0cd414b7be4992088f81fbea9848bdeb780db3435a1
MD5 hash: 300fee8a451213d11bff22767378a8f3
SHA1 hash: f09cfd4bcbee3b30f946704998f06b07895ce84a
Detections: win_oski_g0 win_oski_auto

SHA256 hash: d663c1d9990284bf7ac8ff35bd850d622a332dd7cb021f7373017c2b8a144c8e
MD5 hash: 99a64208b9898b0b1169b05ae8978a1c
SHA1 hash: 4497fab72c13b50275e68ccd78ca3b473bd7f680
Detections: win_raccoon_a0 win_raccoon_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_oski_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.
