MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b1328490717e1e3c97216a17bf36b67103a40dae3bbac6865487e51fea82b32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 8



SHA256 hash: 9b1328490717e1e3c97216a17bf36b67103a40dae3bbac6865487e51fea82b32
SHA3-384 hash: 4420e4bdebe1de982f2c7c619f5aa9cd0271bc64a182d98d97d9fee239e01d1af02bddfcd7a9e4dfce688724ceaa2306
SHA1 hash: 58fda74ecd7f3976696ae0b3423b36d211e62750
MD5 hash: ca71563b7ac88247b3b0210b71cc50b6
humanhash: xray-mexico-connecticut-fourteen
File name: SecuriteInfo.com.Trojan.Siggen10.9265.86.6687
Download: download sample
Signature: RaccoonStealer
File size: 755'200 bytes
First seen: 2020-08-29 07:36:11 UTC
Last seen: 2020-08-29 20:46:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:5Cq5z6ZiNtmebO7UIrTri+IsbmGzee832kq6emEDZOhM3GW9H:3zKizmgO7UELSe832X6e1lz59
Threatray: 268 similar samples on MalwareBazaar
TLSH: BFF41211279DCF15E6FE1BBA982D310003F27AE569F6D3C85A25E65638F6F808C62713
Reporter: SecuriteInfoCom
Tags: RaccoonStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 78
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Sending an HTTP POST request
Sending an HTTP GET request
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Threat name: AsyncRAT Azorult Raccoon
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Keylogger Generic
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Graph ID: 279437
Sample: SecuriteInfo.com.Trojan.Sig...
Start date: 29/08/2020
Architecture: WINDOWS
Score: 100
Top-level network indicators: fgdjhksdfsdxcbv.ru; protagonist.ac.ug; 4 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 13 other signatures
Process tree (graph node numbers in parentheses; "dropped" lists files written by that process, "signatures" the sandbox signatures attributed to it):
SecuriteInfo.com.Trojan.Siggen10.9265.86.exe (11)
    network: projectx.ug 217.8.117.77 ports 49701, 49705, 49706 (CREXFEXPEX-RUSSIARU, Russian Federation); projectz.ug; 192.168.2.1 (unknown)
    dropped: C:\Users\user\AppData\...\hfgjkdftFDS.exe (PE32); SecuriteInfo.com.T...n10.9265.86.exe.log (ASCII)
    signatures: Contains functionality to steal Internet Explorer form passwords; Injects a PE file into a foreign processes
    hfgjkdftFDS.exe (20)
        network: projectz.ug
        dropped: C:\Users\user\AppData\...\UHgfessdjvv.exe (PE32)
        signatures: Injects a PE file into a foreign processes
        hfgjkdftFDS.exe (35)
            network: projectx.ug
            dropped: C:\Users\user\AppData\Local\Temp\rc.exe (PE32); C:\Users\user\AppData\Local\Temp\ds2.exe (PE32); C:\Users\user\AppData\Local\Temp\ds1.exe (PE32); 49 other files (none is malicious)
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 3 other signatures
        UHgfessdjvv.exe (40)
            UHgfessdjvv.exe (54)
                network: projecty.ug
                dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
                signatures: Tries to steal Crypto Currency Wallets
                cmd.exe (69)
                    conhost.exe (77)
                    taskkill.exe (79)
        hfgjkdftFDS.exe (42)
    SecuriteInfo.com.Trojan.Siggen10.9265.86.exe (25)
        network: telete.in 195.201.225.248 ports 443, 49702 (HETZNER-ASDE, Germany); projectz.ug; 34.65.231.1 ports 49703, 49704, 80 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
        dropped: C:\Users\user\AppData\...\o5qQULGH7w.exe (PE32); C:\Users\user\AppData\...\ewDDEON4qN.exe (PE32); C:\Users\user\AppData\...\GX2taQSmfS.exe (PE32); 66 other files (1 malicious)
        signatures: Tries to steal Mail credentials (via file access)
        ewDDEON4qN.exe (44)
            dropped: C:\Users\user\AppData\...\KIiEzYfPlc.exe (PE32)
            signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        GX2taQSmfS.exe (46)
            GX2taQSmfS.exe (59)
                dropped: C:\Windows\Temp\qi1fzyl3.exe (PE32)
                cmstp.exe (71)
        o5qQULGH7w.exe (48)
            o5qQULGH7w.exe (61)
                powershell.exe (73)
                    conhost.exe (81)
                powershell.exe (75)
        2 other processes (52)
            network: googlehosted.l.googleusercontent.com 216.58.205.225 ports 443, 49718, 49721 (GOOGLEUS, United States); doc-0o-c4-docs.googleusercontent.com
            conhost.exe (65)
            timeout.exe (67)
    SecuriteInfo.com.Trojan.Siggen10.9265.86.exe (27)
cmd.exe (16)
    qi1fzyl3.exe (29)
        signatures: Detected unpacking (overwrites its own PE header)
        powershell.exe (50)
            conhost.exe (63)
    conhost.exe (31)
taskkill.exe (18)
    conhost.exe (33)
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-08-27 12:45:17 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: ransomware trojan infostealer family:azorult stealer family:raccoon spyware evasion discovery
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Raccoon
Raccoon log file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type: Executable exe
SHA256 hash: 9b1328490717e1e3c97216a17bf36b67103a40dae3bbac6865487e51fea82b32 (this sample)

Comments