MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 13



SHA256 hash: 7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f
SHA3-384 hash: fc2486828f6a431bac2ad7ef6fa4f78a4192bb91d59e6a7b580ac0f69193f1c940c288cc1c1246b4062fc1bbce82bc70
SHA1 hash: fea201d9f1b3d81c67abead708afee8f619785d7
MD5 hash: 2cae1b3be4c37e8f0ca5dac99dbbac17
humanhash: winner-juliet-wyoming-spring
File name: 2cae1b3be4c37e8f0ca5dac99dbbac17.exe
Signature: RaccoonStealer
File size: 1'214'464 bytes
First seen: 2021-08-16 12:01:13 UTC
Last seen: 2021-08-16 12:53:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
Note on the imphash: f34d5f2d4577ed6d9ceec516c1f5a744 is the import hash of any .NET executable whose only native import is _CorExeMain from mscoree.dll. It identifies the .NET loader stub, not the payload, which is why it collides with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. Do not pivot on it for this sample; ssdeep, TLSH and the YARA hits below are the usable similarity pivots.
ssdeep: 24576:kiKH63AanJL5WRxc493rVedPdiHxO0KQJ2dJd0+Tf7Lsg77R:vZA0L5WRq493heB2ydJ/LsS7R
Threatray: 2'657 similar samples on MalwareBazaar
TLSH: T16D4533E598DC2217DC4BBC767CB06BCB2B25B5911680C5AFCF149EBACCA37440199D4E
dhash icon: a08cb2b2b2dac4f0 (1 x RaccoonStealer, 1 x Amadey)
Reporter: abuse_ch
Tags: exe RaccoonStealer
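Before detonating or unpacking the file, confirm that what you downloaded is the sample this entry describes. The script below is an added example, not code from MalwareBazaar; it computes the four cryptographic digests the entry lists (MD5, SHA1, SHA256, SHA3-384) with the standard library and compares them with the values in the table above. imphash, ssdeep and TLSH are left out because they need third-party modules (pefile, ssdeep, tlsh); the command-line path argument is an assumption about how you would call it.

```python
import hashlib
from typing import Dict

# Digests copied from this MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "2cae1b3be4c37e8f0ca5dac99dbbac17",
    "sha1": "fea201d9f1b3d81c67abead708afee8f619785d7",
    "sha256": "7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f",
    "sha3_384": "fc2486828f6a431bac2ad7ef6fa4f78a4192bb91d59e6a7b580ac0f69193f1c940c288cc1c1246b4062fc1bbce82bc70",
}

# hashlib constructor names for the four digest types MalwareBazaar lists.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def hashes_of(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob, keyed like ENTRY_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hashes_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as hashes_of, but streamed so large samples are not read into memory."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def compare_to_entry(computed: Dict[str, str], entry: Dict[str, str] = ENTRY_HASHES) -> Dict[str, bool]:
    """Per-algorithm agreement between computed digests and the entry's values."""
    return {name: computed.get(name, "").lower() == expected.lower() for name, expected in entry.items()}


def verify_sample(data: bytes, entry: Dict[str, str] = ENTRY_HASHES) -> bool:
    """True only if every digest the entry lists agrees.

    A partial match (MD5 agrees, SHA256 does not) means either the entry or the
    download is inconsistent; the file should then not be treated as the sample
    described on this page.
    """
    return all(compare_to_entry(hashes_of(data), entry).values())


if __name__ == "__main__":
    import sys

    computed = hashes_of_file(sys.argv[1])
    for name, ok in compare_to_entry(computed).items():
        print(f"{name:9s} {computed[name]}  {'OK' if ok else 'MISMATCH'}")
```

MalwareBazaar serves samples inside a password-protected ZIP (password: infected); extract the .exe into an isolated analysis VM and run the script against it, never against the archive.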


abuse_ch
RaccoonStealer C2:
http://myproskxa.ac.ug/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://myproskxa.ac.ug/index.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/190118/
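The ThreatFox entry carries only the one C2 URL, but the sandbox sections further down this page expose more network infrastructure: a second C2 (http://195.245.112.115/index.php) and the domain kullasa.ac.ug from the Triage config extraction, and the hosts 185.163.45.248, 185.215.113.77 and telete.in from the behaviour graph. The following is an added example, not part of the MalwareBazaar page, that turns all of them into a matcher you can run over DNS and proxy logs. The two log line formats and the sample log are constructed for the example; telete.in is down-weighted because it is a public Telegram web mirror that Raccoon used for C2 lookup and that legitimate clients also reach.

```python
import ipaddress
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Network indicators present on this entry: the C2 URL reported by abuse_ch
# (ThreatFox 190118), the C2s from the Triage config extraction, and the hosts
# contacted in the sandbox behaviour graph.
IOC_URLS = {"http://myproskxa.ac.ug/index.php", "http://195.245.112.115/index.php"}
IOC_DOMAINS = {"myproskxa.ac.ug", "kullasa.ac.ug"}
IOC_IPS = {"185.215.113.77", "195.245.112.115", "185.163.45.248"}
# telete.in is a public Telegram web mirror; Raccoon used it to look up its C2,
# but legitimate clients reach it too, so it only corroborates other hits.
LOW_CONFIDENCE_DOMAINS = {"telete.in"}

# Constructed log formats (an assumption, not a real product's format):
#   <ts> dns <src-ip> <queried-name>
#   <ts> proxy <src-ip> <method> <url>
DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) (?P<query>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) proxy (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def _domain_hit(host: str, indicators: Iterable[str]) -> Optional[str]:
    """Exact or subdomain match; 'ac.ug' alone must not match 'kullasa.ac.ug'."""
    host = host.rstrip(".").lower()
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def match_indicator(value: str) -> Optional[dict]:
    """Classify a URL, hostname or IP from a log line against the IOC sets."""
    if "://" in value:
        parts = urlsplit(value)
        host = (parts.hostname or "").lower()
        normalized = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
        if normalized in IOC_URLS:
            return {"kind": "url", "indicator": normalized, "confidence": "high"}
        value = host  # fall through to host-based matching
    try:
        ip = str(ipaddress.ip_address(value))
    except ValueError:
        ip = None
    if ip is not None:
        return {"kind": "ip", "indicator": ip, "confidence": "high"} if ip in IOC_IPS else None
    hit = _domain_hit(value, IOC_DOMAINS)
    if hit:
        return {"kind": "domain", "indicator": hit, "confidence": "high"}
    hit = _domain_hit(value, LOW_CONFIDENCE_DOMAINS)
    if hit:
        return {"kind": "domain", "indicator": hit, "confidence": "low"}
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Run every line through the parsers and collect indicator matches."""
    hits = []
    for line in lines:
        for regex in (DNS_RE, PROXY_RE):
            m = regex.match(line.strip())
            if not m:
                continue
            fields = m.groupdict()
            value = fields.get("query") or fields.get("url")
            hit = match_indicator(value)
            if hit:
                hits.append({"ts": fields["ts"], "src": fields["src"], "value": value, **hit})
            break
    return hits


# Constructed sample log; 10.0.0.23 plays the infected host.
SAMPLE_LOG = [
    "2021-08-16T12:05:11Z dns 10.0.0.23 kullasa.ac.ug",
    "2021-08-16T12:05:12Z proxy 10.0.0.23 POST http://myproskxa.ac.ug/index.php",
    "2021-08-16T12:05:13Z dns 10.0.0.23 telete.in",
    "2021-08-16T12:05:14Z proxy 10.0.0.45 GET http://example.com/",
    "2021-08-16T12:05:15Z proxy 10.0.0.23 POST http://185.163.45.248/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The URL check is exact after normalisation, so a hit on a different path of the same host still surfaces, but as a domain match; that is deliberate, because Raccoon C2 paths on this infrastructure are not limited to /index.php.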

Intelligence


File Origin
# of uploads: 2
# of downloads: 140
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2cae1b3be4c37e8f0ca5dac99dbbac17.exe
Verdict: Malicious activity
Analysis date: 2021-08-16 12:01:47 UTC
Tags: trojan stealer vidar raccoon rat azorult loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Connection attempt to an infection source
Connection attempt
Sending an HTTP POST request
Sending an HTTP POST request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Azorult Raccoon
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 465919. Sample: UGWnAkfPCF.exe. Start date: 16/08/2021. Architecture: WINDOWS. Score: 100.
Top-level: DNS kullasa.ac.ug. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures.

UGWnAkfPCF.exe (initial process)
  dropped: C:\Users\user\AppData\...\UGWnAkfPCF.exe (PE32); C:\Users\user\...\Qhbcytidvconsoleapp6aa.exe (PE32); C:\Users\...\UGWnAkfPCF.exe:Zone.Identifier (ASCII); 2 other malicious files
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  started:
    wscript.exe
      started: Qhbcytidvconsoleapp6aa.exe
        dropped: Ehjayxmtvzhapkaunfnnsaconsoleapp19o.exe (PE32)
        signatures: Injects a PE file into a foreign processes
        started:
          Qhbcytidvconsoleapp6aa.exe
            network: myproskxa.ac.ug 185.215.113.77 (ports 49726, 49727, 49735; WHOLESALECONNECTIONSNL, Portugal)
            dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32); C:\Users\user\AppData\Local\...\softokn3.dll (PE32); 45 other files (none is malicious)
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 4 other signatures
          wscript.exe
    UGWnAkfPCF.exe (second instance)
      network: 185.163.45.248 (ports 49722, 49729, 80; MIVOCLOUDMD, Moldova Republic of); telete.in 195.201.225.248 (ports 443, 49721; HETZNER-ASDE, Germany)
      dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
      signatures: Tries to steal Mail credentials (via file access)
    UGWnAkfPCF.exe (third instance)
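The process tree in the behaviour graph is what the two Sigma hits above (Suspicious Script Execution From Temp Folder, WScript or CScript Dropper) describe: the sample drops a second binary into the user profile, launches wscript.exe, and wscript.exe in turn starts the dropped Qhbcytidvconsoleapp6aa.exe, which repeats the pattern. The following is an added example, not code from the page, Sigma, or any sandbox vendor, showing the equivalent logic over process-creation events (Sysmon Event ID 1 style) and walking the parent chain for triage context. The event records, PIDs, the Roaming directory for the dropped binary and the .vbs script names are constructed assumptions; the page does not show them.

```python
import ntpath
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Locations an unprivileged user can write to; %TEMP% lives under AppData\Local.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\windows\\temp\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def script_from_user_writable(ev: Dict) -> bool:
    """wscript/cscript launched with a script that lives under AppData or Temp."""
    return _basename(ev["image"]) in SCRIPT_HOSTS and bool(USER_WRITABLE.search(ev["cmdline"]))


def script_host_dropper(ev: Dict) -> bool:
    """An executable in a user-writable directory whose parent is a script host."""
    return _basename(ev["parent_image"]) in SCRIPT_HOSTS and bool(USER_WRITABLE.search(ev["image"]))


RULES = {
    "script_execution_from_temp": script_from_user_writable,
    "wscript_or_cscript_dropper": script_host_dropper,
}


def detect(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every process-creation event and return the hits."""
    return [
        {"pid": ev["pid"], "image": _basename(ev["image"]), "rule": name}
        for ev in events
        for name, rule in RULES.items()
        if rule(ev)
    ]


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image names from the given process up to the root, for triage context."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(_basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


# Constructed process-creation events modelled on the behaviour graph above.
EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 1000, "ppid": 900, "image": r"C:\Users\user\Desktop\UGWnAkfPCF.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Users\user\Desktop\UGWnAkfPCF.exe"'},
    {"pid": 1010, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\user\Desktop\UGWnAkfPCF.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage1.vbs"'},  # script name assumed
    {"pid": 1020, "ppid": 1010, "image": r"C:\Users\user\AppData\Roaming\Qhbcytidvconsoleapp6aa.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\Qhbcytidvconsoleapp6aa.exe"'},  # directory assumed
    {"pid": 1030, "ppid": 1020, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\Qhbcytidvconsoleapp6aa.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage2.vbs"'},  # script name assumed
    # Benign control: a logon script run from Program Files by the shell.
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit, " <- ".join(ancestry(EVENTS, hit["pid"])))
```

Note what these two rules do not cover: the graph also shows the sample executing a copy of itself from AppData (the second and third UGWnAkfPCF.exe instances), but that launch has a plain executable as its parent, not a script host, so a separate rule on "executable started from a user-writable path by a process that also runs from a user-writable path" would be needed to catch it.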
Threat name: ByteCode-MSIL.Infostealer.Azorult
Status: Malicious
First seen: 2021-08-16 12:02:06 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon botnet:c81fb6015c832710f869f6911e1aec18747e0184 discovery infostealer spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
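The first Suricata alert above, ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt), fires because stealers of this kind upload their loot as a ZIP in an HTTP POST body, and the entry names inside that archive are sent in cleartext in the ZIP local file headers. The following is an added example, not code from the page or from Emerging Threats, that reproduces that idea: it walks the local file headers found in a POST body and reports entry names from a watch list. Passwords.txt is the name the rule title gives; cookies.txt and autofill.txt are added as assumptions about what else you would watch for. The request is constructed in the block itself so it runs offline.

```python
import io
import struct
import zipfile
from typing import List

# Entry names worth alerting on inside an outbound archive. Passwords.txt is the
# name the Emerging Threats rule on this entry keys on; the other two are
# assumptions typical of browser-data theft, not names taken from this page.
WATCHED_NAMES = {"passwords.txt", "cookies.txt", "autofill.txt"}

LOCAL_FILE_HEADER = b"PK\x03\x04"


def zip_entry_names(blob: bytes) -> List[str]:
    """Walk ZIP local file headers found anywhere in blob and return entry names.

    Local header layout: 4-byte signature, 22 bytes of fixed fields, then a
    2-byte name length and a 2-byte extra-field length at offsets 26 and 28,
    followed by the name at offset 30. Walking headers instead of opening the
    data with zipfile means a truncated or partially captured upload still
    yields the names that were sent (the central directory at the end is not needed).
    """
    names = []
    pos = blob.find(LOCAL_FILE_HEADER)
    while pos != -1 and pos + 30 <= len(blob):
        name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        name = blob[pos + 30 : pos + 30 + name_len]
        names.append(name.decode("utf-8", "replace"))
        pos = blob.find(LOCAL_FILE_HEADER, pos + 30 + name_len + extra_len)
    return names


def suspicious_exfil(request: bytes) -> List[str]:
    """Watched entry names carried in the body of an HTTP POST, else an empty list."""
    if not request.startswith(b"POST "):
        return []
    _, _, body = request.partition(b"\r\n\r\n")
    return [n for n in zip_entry_names(body) if n.rsplit("/", 1)[-1].lower() in WATCHED_NAMES]


def build_stealer_post(host: str = "myproskxa.ac.ug") -> bytes:
    """Constructed stand-in for a stealer upload: a ZIP of fake loot in a POST body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Passwords.txt", "https://example.test\tuser\tpass1234\n")
        archive.writestr("browsers/cookies.txt", "example.test\tsession\tdeadbeef\n")
        archive.writestr("System Info.txt", "constructed, not real host data\n")
    body = buf.getvalue()
    headers = (
        f"POST /index.php HTTP/1.1\r\nHost: {host}\r\n"
        f"Content-Type: application/octet-stream\r\nContent-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body


if __name__ == "__main__":
    print(suspicious_exfil(build_stealer_post()))
```

Because the check reads the ZIP structure rather than grepping for a string, a name split across packet boundaries or padded by extra fields is still recovered; it does nothing against an archive that is encrypted at the entry level, since the names stay cleartext but the watch list would have to be extended to whatever the family renames them to.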
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
kullasa.ac.ug
Unpacked files
The detections on the unpacked files are why the vendor verdicts above disagree on the family: the submitted .NET binary unpacks separate payloads that match the Malpedia rules for Azorult, Raccoon and Oski, so "RaccoonStealer" is one of three stealers this dropper carries.

SHA256: 1ff11786034cedcfd8827b258253042574c62f6f6488dc4b6a1484bb2d3bcd63 (MD5 b3bb67eadd6ff776949a0ee85bc066a7, SHA1 f82fde0be79b7dfb8d9b26d78fac6e35acc40506)
SHA256: 065056440dc4a0342bd3b6acc661b8e1482aeb929c3be770363ed71ea8fb9c1d (MD5 261ad9274ee007c7ae2392b3999679bd, SHA1 c589ed33e4d1fb3c66f73541576d02686a2b8eeb)
SHA256: c48cd46ce18961031c23001cea5e2eae284c819164f10917d4a1b1dac7b85ffe (MD5 7454286d39d200de2b08cb327cf07eba, SHA1 1f52a1689d330c9dfb606c152fd87ed262aed9a2)
SHA256: d853d5fb14068e2210699e308f93ac858cdeca54e8690ec1955fb7c49fe8c3e5 (MD5 d63491d968ec8990635ffea1634bd22c, SHA1 05672f5770b7db15d93ff8fa5d274297b717cd8b)
  Detections: win_azorult_g1 win_azorult_auto
SHA256: e739814cc1b8db9134619f461eaed24dc5daa1c4ff8dc935e290a40732efc5ec (MD5 fbbb721c5390074582ceaaa248ca289f, SHA1 f66419a8f4b95c6c08928eef8b46b35c03a9ab0f)
SHA256: cf9dc7dfbe87becb508ddb6d4a963d3424b3e56e374951040bff12ad28326669 (MD5 10d0f619f0bf78f1bab30c44a8c6481b, SHA1 a914e3aed25ead8cea087b293e90e4fcb43064ee)
SHA256: c376b3369ff0b7bbaf3f73daa611928e0c202cfa63e1dd67ed8883b1d6bc5220 (MD5 f6bcab0e94d8521f773c6e69194200d2, SHA1 66cf514339ca51c5efc7c8da44cec9be72b4857c)
  Detections: win_raccoon_auto
SHA256: 9c67da37d264d11c19931f8ede23df4c1c9d72dffac29e53239488175aa97904 (MD5 f6b6165c90a0134cc2930d75b04f58cf, SHA1 b657faca9e948bf19c9e17ce0694b7bc8c77ae4b)
SHA256: 86a33503d8dd79f2d1bf5cbcef79705524d7558955a18569a43734cfc73a0528 (MD5 5365bea8f8f3d51bd48548a47a9df7fb, SHA1 846b197d7c14e32b156e0b035088afe06f6527dd)
  Detections: win_oski_g0 win_oski_auto
SHA256: a2406ac5a33863845a075c76515bec7071e032afaaaee912a64c5d2767de9fa5 (MD5 407f2114b425bb64d09b0403e72266a8, SHA1 108a2e0dde5ac1089d66bd29bc4d304a0971ff46)
SHA256: 7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f (MD5 2cae1b3be4c37e8f0ca5dac99dbbac17, SHA1 fea201d9f1b3d81c67abead708afee8f619785d7) (the submitted sample itself)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 7045ebc8901b28437b116f9ff37d6e16caf2b47e3b7986cc233add8410f1ec9f (this sample)

Comments