MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
SHA3-384 hash:	35ab47f0df9dd201ff61b7b8653d880105c39f54477f0cfbabd90cf898ca6f918bd57b887955d4a76586d187a58ed966
SHA1 hash:	57a2d4ff47c401e2619ba8626a8c91c6b34377b6
MD5 hash:	5de08824a170627fed763ecbcbf60290
humanhash:	autumn-may-nevada-early
File name:	evtrbz5n6um7j54g7.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'515'520 bytes
First seen:	2020-07-08 15:19:10 UTC
Last seen:	2020-07-08 16:07:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	48bbf7e2250a6bcf1d27d7c9a1b0e5b8 (1 x RaccoonStealer)
ssdeep	24576:Mbz/7nDIKTpUzv3RMhhRdrfVyqSf4gXx8rYAyUqMgWuAjSTco71j9Qs50MW:Mv/7D9psOhhRdfVxSfnDATqMgW1jSTvG
Threatray	644 similar samples on MalwareBazaar
TLSH	49651222BBA4D631E37746B009B66754467ABC252A02C90BFFCC351D6F33F45A929336
Reporter	James_inthe_box
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/23152/

Detection(s):

SecuriteInfo.com.Win32.GenKryptik.ENSX.715.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Sending a custom TCP request

Creating a file

Launching a service

Reading critical registry keys

Deleting a recently created file

Reading Telegram data

Replacing files

Delayed writing of the file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a process

Creating a file in the Windows subdirectories

Sending an HTTP GET request

Sending an HTTP POST request

Delayed reading of the file

Creating a file in the %AppData% directory

Setting a global event handler

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Connection attempt to an infection source

Stealing user critical data

Launching a tool to kill processes

Setting a single autorun event

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Enabling autorun with Startup directory

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c/

Threat name:

Win32.Downloader.BanLoad

Status:

Malicious

First seen:

2020-07-08 12:50:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nh7fxnfzox4ug63mhpht6b64qb5i6luer4paywacaerjlmdkoqwa._file

Verdict:

malicious

Label(s):

azorult

remcos

RaccoonStealer

286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5

RaccoonStealer

308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e

RaccoonStealer

3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f

RaccoonStealer

682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6

RaccoonStealer

6fa66f7851bea577cc6adfda11d3225a69b7c6554f028851eddd4d23ea074a59

RaccoonStealer

7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a

RaccoonStealer

7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999

RaccoonStealer

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464

RaccoonStealer

f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb

RaccoonStealer

+ 634 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

ransomware infostealer family:oski evasion trojan family:azorult spyware discovery stealer family:raccoon

Link:

https://tria.ge/reports/200708-wmqsa7esrn/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of SetThreadContext

Modifies system certificate store

Accesses cryptocurrency wallets, possible credential harvesting

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Checks for installed software on the system

Deletes itself

Windows security modification

Reads user/profile data of local email clients

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Raccoon

Modifies Windows Defender Real-time Protection settings

Azorult

Raccoon log file

Contains code to disable Windows Defender

oski

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_oski_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_oski_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator