MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12



SHA256 hash: 9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6
SHA3-384 hash: 98f52e6d9b9728e764f19f19c1387fda3bd8060b24f99c4935795cd718acfb0281ac7199b5ca676a07819bdcd4e35fa4
SHA1 hash: 69a2df785f37d2d7d2d9a5f9120c679870ff3872
MD5 hash: 6966182dd20351152ea815d31e735067
humanhash: glucose-red-fifteen-march
File name: 6966182dd20351152ea815d31e735067
Signature: RaccoonStealer
File size: 1'123'328 bytes
First seen: 2021-11-13 18:43:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:JAonVXGyMHv70mq0PgSErFqQSWjVtVYZ:SonVp7OgSErFqQtC
Threatray: 4'834 similar samples on MalwareBazaar
TLSH: T15235F107730B000BE428BBF69FB73B251754F6AA49318717D6E1762E506F2F93AA1712
dhash icon: 546d0e364c694d35 (1 x RaccoonStealer)
Reporter: zbetcheckin
Tags: 32 exe RaccoonStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                        ThreatFox reference
http://185.163.47.175/     https://threatfox.abuse.ch/ioc/247972/

Intelligence


File Origin
# of uploads: 1
# of downloads: 116
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint obfuscated packed stealer

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Azorult DBatLoader IPack Miner Raccoon V
Detection: malicious
Classification: phis.troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected DBatLoader
Yara detected IPack Miner
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 521058; sample kUjSNBf8Rs; start date 13/11/2021; architecture WINDOWS; score 100), rendered as a process tree. Bracketed numbers are the graph's node IDs.

Root-level observations
  Network: cdn.discordapp.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 15 other signatures

kUjSNBf8Rs.exe [13]
  Dropped: C:\Users\user\AppData\...\kUjSNBf8Rs.exe (PE32); Tyjigybwjylnokuciz...wazconsoleapp18.exe (PE32); C:\Users\...\kUjSNBf8Rs.exe:Zone.Identifier (ASCII); 2 other malicious files
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  wscript.exe [19]
    Tyjigybwjylnokucizpstzjwazconsoleapp18.exe [30]
      Dropped: C:\...\Vcinpeamqerjfxlsvutgosconsoleapp11.exe (PE32)
      Signatures: Injects a PE file into a foreign processes
      Tyjigybwjylnokucizpstzjwazconsoleapp18.exe [40]
        Network: colonna.ac.ug 185.215.113.77 (ports 49698, 49708, 49709; WHOLESALECONNECTIONSNL, Portugal); colonna.ug
        Dropped: C:\Users\user\AppData\Local\Temp\pm.exe (PE32+); C:\Users\user\AppData\Local\Temp\cc.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 47 other files (none is malicious)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); 4 other signatures
        pm.exe [55]
          Dropped: C:\Users\user\AppData\...\aspnet_compiler.exe (PE32+); C:\Users\user\AppData\Roaming\winda.exe (PE32+)
          Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
          conhost.exe [65]
          aspnet_compiler.exe [67]
        cmd.exe [59]
          conhost.exe [69]
          timeout.exe [71]
        cc.exe [61]
      wscript.exe [45]
        Vcinpeamqerjfxlsvutgosconsoleapp11.exe [63]
          Vcinpeamqerjfxlsvutgosconsoleapp11.exe [73]
            Network: 192.168.2.1 (unknown); colonna.ac.ug
            Dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
            Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
            cmd.exe [80]
              conhost.exe [82]
              taskkill.exe [84]
          conhost.exe [78]
      conhost.exe [47]
  kUjSNBf8Rs.exe [21]
    Network: 185.163.47.175 (ports 49711, 49712, 80; MIVOCLOUDMD, Moldova Republic of); t.me 149.154.167.99 (ports 443, 49710; TELEGRAMRU, United Kingdom); 5 other IPs or domains
    Dropped: C:\Users\user\AppData\...\4jkFOXoGee.exe (PE32); C:\Users\user\AppData\...\38U0XOnie5.exe (PE32+); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); 58 other files (none is malicious)
    Signatures: Tries to steal Mail credentials (via file / registry access); Self deletion via cmd delete; Contains functionality to steal Internet Explorer form passwords
    cmd.exe [34]
      conhost.exe [49]
      timeout.exe [51]
    38U0XOnie5.exe [36]
      conhost.exe [53]
    4jkFOXoGee.exe [38]
  conhost.exe [26]
winda.exe [17]
  conhost.exe [28]
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-11-13 13:21:29 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 3/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon botnet:7632dffeb03da57edca98c8bfb2611868e8eb0a7 collection discovery infostealer persistence spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
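The vendor behaviours above (timeout.exe delay, taskkill, self-deletion via cmd) and the two Sigma rule titles in the signature list map onto ordinary process-creation telemetry. The following is an added example, not MalwareBazaar, Sigma or vendor code: it runs approximations of those checks over constructed Sysmon-style events modelled on the sandbox process tree. The event field names, the Desktop paths and the script name run.vbs are assumptions, and the checks are this script's own reading of the rule titles, not the published rule bodies.

```python
"""Host-side checks for the sandbox behaviours listed on this page.

Added example; not MalwareBazaar, Sigma or vendor code. EVENTS are constructed
Sysmon-Event-ID-1-style records modelled on the sandbox process tree; the
field names (pid, ppid, image, cmdline), the paths and run.vbs are assumptions.
"""
import ntpath
import re

# Constructed telemetry; node IDs follow the page's behaviour graph.
EVENTS = [
    {"pid": 13, "ppid": 1, "image": r"C:\Users\user\Desktop\kUjSNBf8Rs.exe",
     "cmdline": r'"C:\Users\user\Desktop\kUjSNBf8Rs.exe"'},
    {"pid": 19, "ppid": 13, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\run.vbs"'},
    {"pid": 21, "ppid": 13, "image": r"C:\Users\user\Desktop\kUjSNBf8Rs.exe",
     "cmdline": r'"C:\Users\user\Desktop\kUjSNBf8Rs.exe"'},
    {"pid": 34, "ppid": 21, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 3 & del "C:\Users\user\Desktop\kUjSNBf8Rs.exe"'},
    {"pid": 80, "ppid": 73, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c taskkill /f /im Vcinpeamqerjfxlsvutgosconsoleapp11.exe"},
    {"pid": 90, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script host given a script file under a user-writable location.
USER_SCRIPT_RE = re.compile(r"\\(?:users|programdata)\\.*\.(?:vbs|vbe|js|jse|wsf)\b")
# "del <path>" with optional quotes, terminated by '&' or end of line.
DEL_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def check_event(ev, parent):
    """Return the behaviour names that fire for one process-creation event."""
    hits = []
    image = _base(ev["image"])
    cmd = ev["cmdline"]
    low = cmd.lower()
    if image in SCRIPT_HOSTS:
        if "\\appdata\\local\\temp\\" in low:
            hits.append("Suspicious Script Execution From Temp Folder")
        if USER_SCRIPT_RE.search(low):
            hits.append("WScript or CScript Dropper")
    if image == "cmd.exe":
        if re.search(r"\btimeout\b", low):
            hits.append("Delays execution with timeout.exe")
        if re.search(r"\btaskkill\b", low):
            hits.append("Kills process with taskkill")
        m = DEL_RE.search(cmd)
        # Self-deletion: cmd deletes the image of the process that spawned it.
        if m and parent is not None and _base(m.group(1)) == _base(parent["image"]):
            hits.append("Self deletion via cmd delete")
    return hits


def triage(events):
    """Map every pid to its behaviour hits, resolving parents within the batch."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: check_event(e, by_pid.get(e["ppid"])) for e in events}


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        if hits:
            print(pid, "->", "; ".join(hits))
```

The self-deletion check is the one that needs the parent record: the `del` target is only interesting when it names the parent's own image, which is what distinguishes the sandbox's "Self deletion via cmd delete" from routine cleanup.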
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
colonna.ac.ug
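The network indicators for this sample are split across the IOC table, the C2 extraction above, the sandbox network section and the reporter comment, and two of the contacted hosts (t.me, cdn.discordapp.com) are shared legitimate services that must not be treated like the C2 addresses. The following is an added example, not MalwareBazaar or ThreatFox code: it collects those indicators, refangs the hxxp:// one, and scans constructed proxy log lines, reporting attacker infrastructure separately from shared-service context. The log format (timestamp, source IP, method, URL, status) and the lines themselves are constructed.

```python
"""Match the network IOCs on this page against proxy logs.

Added example; not MalwareBazaar or ThreatFox code. Indicators are copied from
this entry; LOG_LINES and their format are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Attacker-controlled infrastructure named on this page, with where it came from.
INFRA = {
    "http://185.163.47.175/": "ThreatFox IOC 247972",
    "http://195.245.112.115/index.php": "C2 extraction",
    "colonna.ac.ug": "C2 extraction; contacted in sandbox",
    "colonna.ug": "contacted in sandbox",
    "185.215.113.77": "sandbox resolution of colonna.ac.ug",
    "hxxp://matisaas.ac.ug/asdfg.exe": "reporter comment: download URL",
}
# Shared services the sample also contacted; context only, never block-worthy on their own.
SHARED = {"t.me": "Telegram", "cdn.discordapp.com": "Discord CDN"}

# Constructed log lines: "<ts> <src ip> <method> <url> <status>".
LOG_LINES = [
    "2021-11-13T18:50:01Z 10.0.0.5 POST http://185.163.47.175/ 200",
    "2021-11-13T18:50:03Z 10.0.0.5 GET http://matisaas.ac.ug/asdfg.exe 200",
    "2021-11-13T18:50:09Z 10.0.0.5 POST http://colonna.ac.ug/index.php 200",
    "2021-11-13T18:50:12Z 10.0.0.5 GET https://t.me/ 200",
    "2021-11-13T18:50:20Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1/2/x.exe 200",
    "2021-11-13T18:51:00Z 10.0.0.7 GET https://www.example.com/ 200",
]


def refang(ioc):
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable one."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def host_of(ioc):
    """Host part of a URL indicator, or the indicator itself for domains and IPs."""
    ioc = refang(ioc)
    return (urlsplit(ioc).hostname if "://" in ioc else ioc).lower()


INFRA_HOSTS = {host_of(k): v for k, v in INFRA.items()}
EXACT_URLS = {refang(k) for k in INFRA if "://" in k}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan(lines):
    """Return one finding per log line whose host matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, _method, url, _status = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        if host in INFRA_HOSTS:
            findings.append({"ts": ts, "src": src, "host": host, "level": "infra",
                             "exact_url": url in EXACT_URLS, "why": INFRA_HOSTS[host]})
        elif host in SHARED:
            findings.append({"ts": ts, "src": src, "host": host, "level": "shared",
                             "exact_url": False,
                             "why": SHARED[host] + " (shared service; corroborate before acting)"})
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f["level"], f["src"], f["host"], "exact" if f["exact_url"] else "host", "-", f["why"])
```

Matching on the host rather than the full URL is deliberate for the IP-based C2 entries: the page lists `http://185.163.47.175/` but the beacon path can differ, so the host is the stable part and `exact_url` only records whether the literal indicator was seen. The sandbox gateway 192.168.2.1 is left out on purpose; it is analysis-environment noise.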
Unpacked files

SHA256: dd321aae28033ade0769df766274b88ed14844afa81c499c998c2e3c13c7e4b5
MD5: afeb45adc979d75348af285a522d2cc0
SHA1: efb4e489363caee2ef25c0e0fe1e59b3d8888fd1
Detections: win_oski_g0 win_oski_auto

SHA256: 2fc675fb2b0da66af09fcbf4c18cf5b540de7bdea87318e4b5960a90abd78998
MD5: 002f6341423ceb71aa4b30ea574c5122
SHA1: 54fe3b6d099bc7c22406b4ab6afa7e6bd2fbe66f

SHA256: c6b8d28f291d63fb45415c896a56e0c9c3da4124b308dc3cb5bf5ca0712c615b
MD5: a97a5be12ee6604a1cc2e6026985776f
SHA1: e3e2a35882319ca6939964ca9bd3f014b2c53bc8

SHA256: d262fbed9803de908040fb4e7d6bc446786acc95d207db1ba3800e85435d3a62
MD5: 99e3b588033258cb52bdd0f56b58a2e7
SHA1: d4f14a37264f21522010bc2cd91cc2d81e7e9297

SHA256: 221fe863ab322c36b15bf3b4c6641258610bb746780277b1ffcc25d63004e036
MD5: c53711fdc2cd5585cd5910b6169f56b8
SHA1: c49462dde0cfde4471e53b639820967765c73958
Detections: win_azorult_g1 win_azorult_auto

SHA256: 2181d40aaef863e586d67b777e022b8a92d5c7e1cbf5f12380f684ead91f466a
MD5: 9bff31413f3861c402d31435fc1058ec
SHA1: db033689d83200566e50a7b795eab3025cc9963a

SHA256: 93f69c33885982dcb34ca9b1567f45a57133700b8a751598d27accda73af8cd7
MD5: 9c5bf4c9d899e500faa2f62d74015c9d
SHA1: 390ecacc60dc9bbb277986b3abbfcb8f196e3bd7

SHA256: 4acfde54e2434bf24274d261fca413da9add6370e6f5b44cac84686e62da4dc2
MD5: efea80259558bc1341214c08ad137b7f
SHA1: 3259c60bb7be918f53c22b5cea3e4f388f943699
Detections: win_raccoon_auto

SHA256: 9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6
MD5: 6966182dd20351152ea815d31e735067
SHA1: 69a2df785f37d2d7d2d9a5f9120c679870ff3872
Malware family: Raccoon v1.7.2
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research
Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.
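Two of the identifiers on this page are worth understanding rather than just copying: the imphash, which the File information block shows is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, and the INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture hit. The following is an added example, not MalwareBazaar, pefile or ditekSHen code, standard library only: it reimplements the published imphash recipe and a TimeDateStamp check. The PE blobs it builds are constructed here and contain only a DOS header, the PE signature and a COFF header, enough to carry the timestamp; they are not real executables.

```python
"""Imphash and stomped-timestamp checks, stdlib only.

Added example; not MalwareBazaar, pefile or ditekSHen code. build_stub_pe()
returns a constructed minimal header, not a loadable executable.
"""
import hashlib
import struct
import time

# Extensions the imphash recipe strips from the library name.
IMPHASH_STRIP_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """imports: list of (dll, function) pairs in import-table order.

    Recipe: lower-case "<dll stem>.<function>" per import, comma-joined, MD5.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in IMPHASH_STRIP_EXTS:
            lib = stem
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def build_stub_pe(timestamp, machine=0x14C):
    """Constructed minimal PE: 64-byte DOS header, PE signature, 20-byte COFF header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data):
    """Read IMAGE_FILE_HEADER.TimeDateStamp from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature; TimeDateStamp sits 4 bytes into it.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_in_future(data, now=None, slack=24 * 3600):
    """Same idea as the YARA rule: the stamp is newer than 'now' plus clock slack."""
    now = time.time() if now is None else now
    return pe_timestamp(data) > now + slack


# A pure managed .NET executable's only native import is mscoree!_CorExeMain.
DOTNET_EXE_IMPHASH = imphash([("mscoree.dll", "_CorExeMain")])


if __name__ == "__main__":
    print("imphash of mscoree!_CorExeMain only:", DOTNET_EXE_IMPHASH)
    stomped = build_stub_pe(2_000_000_000)
    print("stomped stub flagged:", timestamp_in_future(stomped, now=1_636_829_016))
```

DOTNET_EXE_IMPHASH comes out as the page's f34d5f2d4577ed6d9ceec516c1f5a744: that imphash identifies the .NET loader stub, not a family, which is why the File information block attributes it to three unrelated stealers at once. Pivoting on it returns every .NET binary in the corpus; TLSH, ssdeep, the icon dhash and the YARA hits are the usable pivots here. The timestamp check keeps a day of slack so clock skew on the analysis host does not flag freshly built binaries.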

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 9f1829d274764862ecbac58a299f20376c4f5e7c725de68bc94ea768724906f6 (this sample)

Comments



zbet commented on 2021-11-13 18:43:38 UTC

url: hxxp://matisaas.ac.ug/asdfg.exe