MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12



SHA256 hash: 63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203
SHA3-384 hash: 7a91f9789d619103d7bca937dcfc86dad5d53afba8cbfa45758c21323e6fe1510f7936209787a28261aab33660132ebe
SHA1 hash: 89cf58eb2fb76d42a1283c8068ac36adcc9d66c9
MD5 hash: d907de96adcb7c400834d974754ece57
humanhash: bacon-orange-tennessee-delaware
File name: d907de96adcb7c400834d974754ece57.exe
Signature: RaccoonStealer
File size: 2'210'304 bytes
First seen: 2021-10-05 11:21:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:gHwokGmKN/QDrbeAtqA/mgWi9lSLis7XdzWJuHpaz27ZcS:iFtmKN/wbeADPHS4Juy2
Threatray: 4'442 similar samples on MalwareBazaar
TLSH: T108A5235A73175106C520C3B2EDF77B510B60AFA65D228317E9BA722DD1BF33A985C2C2
dhash icon: 71e888e8cce869b2 (7 x AsyncRAT, 2 x RemcosRAT, 1 x CoinMiner.XMRig)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://194.180.174.80/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
http://194.180.174.80/    https://threatfox.abuse.ch/ioc/230436/
http://milsom.ug/         https://threatfox.abuse.ch/ioc/230525/

Intelligence


File Origin
# of uploads: 1
# of downloads: 144
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness: n/a
Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint obfuscated packed stealer
Result
Threat name: Azorult Clipboard Hijacker DBatLoader IP
Detection: malicious
Classification: phis.troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Self deletion via cmd delete
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected DBatLoader
Yara detected IPack Miner
Yara detected Raccoon Stealer
Behaviour
Behavior Graph: [graph image omitted] Behavior Graph ID: 497141, Sample: hK3SLEhK33.exe, Startdate: 05/10/2021, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Trojan.Chapak
Status: Malicious
First seen: 2021-10-05 11:22:07 UTC
AV detection: 20 of 45 (44.44%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon botnet:e16d9c3413a8d3bc552d87560e5a14148908608d discovery infostealer persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
milsom.ug
Unpacked files
SHA256 hash: 2c1fc4e50a842b3374247e7e62898dde821a461f844f3cb04afc7215b6556777
MD5 hash: 29f4eeacce2f3a60a71e503f25baae88
SHA1 hash: b8e0cebaefe1a33c6dfa0174f83615054e93a375
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef
MD5 hash: 6c4640762a587011c9afbe5d9431e187
SHA1 hash: 4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256 hash: 9c764f4758780e53bfd697680a5c93f2abb650cec79a271006f602248556bacb
MD5 hash: 3d09d3fc5437670a123204dc88964fac
SHA1 hash: 00887c854a1bab7774a207d44c52cf169c2d7485

SHA256 hash: 0b00a9228e205910e00c68c9ac9cfe88e47f3bd7a4b8e301753e2afc01199848
MD5 hash: 810505e159fb35515d5560da7260605a
SHA1 hash: f1687a08d67cd32046d5858c0ca1687a03d81e98
Detections: win_raccoon_auto

SHA256 hash: 5edac5ccb2897eac9c3e74dc54daa34f5b495cee3289027daf061a639349acf5
MD5 hash: 56f7d377bdfacaf4ad52a3586684a2ee
SHA1 hash: e9e91d95012eb85b0397cc8377674b83b8069941

SHA256 hash: 63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203
MD5 hash: d907de96adcb7c400834d974754ece57
SHA1 hash: 89cf58eb2fb76d42a1283c8068ac36adcc9d66c9
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203 (this sample)

Comments