MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72
SHA3-384 hash: beff56e768894724ed36fbd1de6f125628ecb55700390794de8c3367239a2927fce6e4bb17508c7081ea0acdea010c4e
SHA1 hash: 532703ddfa102fd99087d34853ad915144230ec0
MD5 hash: a6762497acf6d35d8122a9990832ce0b
humanhash: football-michigan-shade-eight
File name:A6762497ACF6D35D8122A9990832CE0B.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'014'080 bytes
First seen:2021-08-29 13:46:58 UTC
Last seen:2021-08-29 15:10:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ca357d1c9b605d95e9d31e67e1c53033 (6 x AZORult, 2 x RaccoonStealer, 1 x NetWire)
ssdeep 98304:iv+HVB0kjLuICdWMUamxpbtvysAfL28J0Jxs09Ai:ivKlPdbpbtyseL25nt
Threatray 6'995 similar samples on MalwareBazaar
TLSH T1F206331AB4B410DAF9007A318683D9F4073DFC529A41AD0B2764BD097EE6AD72DC237B
dhash icon d1d0d49e9eceecf0 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A6762497ACF6D35D8122A9990832CE0B.exe
Verdict:
Malicious activity
Analysis date:
2021-08-29 13:47:49 UTC
Tags:
trojan rat azorult stealer vidar loader raccoon
Link:
https://app.any.run/tasks/ef84f279-7bba-404b-86c7-4e75fe0b3409

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183258/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.62490.26178.154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc877b9e-64d3-48b2-982c-613bb024835a
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841052
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473480 Sample: EarZA1AonY.exe Startdate: 29/08/2021 Architecture: WINDOWS Score: 100 48 hsagoi.ac.ug 2->48 50 gordons.ac.ug 2->50 52 telete.in 2->52 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 66 11 other signatures 2->66 10 EarZA1AonY.exe 15 2->10         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\cxvrame.exe, PE32 10->46 dropped 74 Maps a DLL or memory area into another process 10->74 14 cxvrame.exe 4 10->14         started        17 EarZA1AonY.exe 6 10->17         started        signatures6 process7 signatures8 82 Antivirus detection for dropped file 14->82 84 Multi AV Scanner detection for dropped file 14->84 86 Performs DNS queries to domains with low reputation 14->86 88 2 other signatures 14->88 19 cxvrame.exe 21 14->19         started        process9 dnsIp10 54 gordons.ac.ug 185.215.113.77, 49708, 49711, 49719 WHOLESALECONNECTIONSNL Portugal 19->54 56 markinda.xyz 64.32.26.89, 80 ST-BGPUS United States 19->56 58 14 other IPs or domains 19->58 34 C:\Users\user\AppData\Local\...\Dropkxa.exe, PE32 19->34 dropped 36 C:\Users\user\AppData\Local\...\Dropakxa.exe, PE32 19->36 dropped 38 C:\Users\user\AppData\Local\...\ghjk[1].exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Local\...\ghjkl[1].exe, PE32 19->40 dropped 23 Dropakxa.exe 7 19->23         started        27 Dropkxa.exe 2 19->27         started        file11 process12 file13 42 C:\Users\user\AppData\...behaviorgraphFytrnvbas.exe, PE32 23->42 dropped 44 C:\Users\user\AppData\...behaviorgraphFsewerhgccbv.exe, PE32 23->44 dropped 68 Antivirus detection for dropped file 23->68 70 Multi AV Scanner detection for dropped file 23->70 72 Machine Learning detection for dropped file 23->72 29 GFsewerhgccbv.exe 4 23->29         started        32 GFytrnvbas.exe 4 23->32         started        signatures14 process15 signatures16 76 Antivirus detection for dropped file 29->76 78 Multi AV Scanner detection for dropped file 29->78 80 Machine Learning detection for dropped file 29->80
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 01:45:00 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qssaibpgegqqzesz75c6aux2wb4ju37zk3vzlgc2cllrlvsolnza._file
Verdict:
unknown
Similar samples:
14a0d25b4d33216e9110c9588fa3168105efdad28827e772c4798337544eb708
RaccoonStealer
60f649f6d971c44b959f6fef2bf1d08c3dbe00edeac7a889e81adc761ba5ddba
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
895100760e67763505b9cad311be16b533db48d1f2cb28424a98495406220a2f
RaccoonStealer
8d7953ccff3dbc3b9aad9e25f9437b71070d7e63613e193ab4be05cffd9a1f8d
RaccoonStealer
a8fb61732f9696d24e02dda47d2f12abe0d8968e130f05d2381bb7b5a93f3ec0
RaccoonStealer
d8eb6d3fe02a890173827c242182acd22aa699e4bbd918fd22b95c00aa3a6445
RaccoonStealer
fa40dc2c8055f953099d7d354ba97fbf3a5f3aa501ce95cb8cefa810b80ea5d4
RaccoonStealer
+ 6'985 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:c81fb6015c832710f869f6911e1aec18747e0184 discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210829-tm9wr95m26/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
hsagoi.ac.ug
Unpacked files
SH256 hash:
a7e409631b6ea686af282eea3412bf07ef13303bdc9235aae8525b45945388b7
MD5 hash:
c81689483f642ec0f5606403613294e4
SHA1 hash:
7626d76070716bab61f4541e4033629c60f152be
Link:
https://www.unpac.me/results/ed02a93b-5c1e-4988-b809-896b821235f9/
SH256 hash:
c573513d0080a95cde4f6dfe9be569b29384cb71d51e8ef3153cb8621a8cd8c5
MD5 hash:
f5ecc09970578ac4537456b5008c7d5c
SHA1 hash:
fecf13756859623709ffbbcade6638e0bd8e58ec
Link:
https://www.unpac.me/results/ed02a93b-5c1e-4988-b809-896b821235f9/
SH256 hash:
0ef88bde7e7048af38c2597090e86dc09ddfdd442e88872badd17dc508c2133e
MD5 hash:
6334d5e57e220cc96c464862833d01b8
SHA1 hash:
effe5231ec9f02112e1c017accc6769fee3f13ff
Link:
https://www.unpac.me/results/ed02a93b-5c1e-4988-b809-896b821235f9/
SH256 hash:
76f439fb86a9f72cfc940b55ceca0bd73bea2f251f1654b5b556aed9d2488098
MD5 hash:
384bba82245442bb07cb79f11a476e45
SHA1 hash:
8b6ad9811970e19a6a50be38e6113ec84e72eb3b
Link:
https://www.unpac.me/results/ed02a93b-5c1e-4988-b809-896b821235f9/
SH256 hash:
84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72
MD5 hash:
a6762497acf6d35d8122a9990832ce0b
SHA1 hash:
532703ddfa102fd99087d34853ad915144230ec0
Link:
https://www.unpac.me/results/ed02a93b-5c1e-4988-b809-896b821235f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183258/

Comments