MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0a50284a627570c96cf3ed3d05835bed9fe27d4732034c535a082f727db8660. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RaccoonStealer
Vendor detections: 9

SHA256 hash: a0a50284a627570c96cf3ed3d05835bed9fe27d4732034c535a082f727db8660
SHA3-384 hash: 21ac03334f59fd0c4f2dffcdd03d0a393085dd5f77331b2f640f978ed5b5b69c04e6934b7cbd5d7c31768ee8ae62550e
SHA1 hash: 74c3ea0f488e80ff45ae8f5bef7136811853fa2b
MD5 hash: 52694ed23823367cafc4b3d0dc49165c
humanhash: happy-quiet-lamp-wyoming
File name: SecuriteInfo.com.Trojan.Siggen12.41502.7197.24751
Signature: RaccoonStealer
File size: 7'680 bytes
First seen: 2021-03-16 18:34:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger; this is the imphash carried by most .NET executables, whose only native import is mscoree.dll!_CorExeMain, so it is not a useful pivot on its own)
ssdeep: 96:YVCQtykV4I09RwPrOlEKrIVkPPgYKkYunYrB2wRfeu/dSutk8ktGa3tfzNto:5M4I/rEY9kYunYzmu/K/j9Ju
TLSH: 85F1A60477F94326D7FB8BBC08B64341557AF7559C42CFAD54E0024E9D2AE808AA2FB7
Reporter: SecuriteInfoCom
Tags: RaccoonStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 132
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.Siggen12.41502.7197.24751
Verdict: Malicious activity
Analysis date: 2021-03-16 18:36:37 UTC
Tags: evasion opendir loader trojan stealer raccoon

Note: ANY.RUN is an interactive sandbox; its report covers every action taken in the analysis session, not just the uploaded sample.

Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Creating a file
Connecting to a non-recommended domain
Sending an HTTP GET request
Sending a custom TCP request
Creating a process from a recently created file
Creating a window
Sending a UDP request
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Launching a process
Deleting a recently created file
Changing a file
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Socelars
Detection: malicious
Classification: troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary contains a suspicious time stamp
Binary is likely a compiled AutoIt script file
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Socelars
Behaviour
Behavior Graph (ID 369563, sample SecuriteInfo.com.Trojan.Sig..., start date 16/03/2021, architecture WINDOWS, score 100), flattened from the rendered graph; numbers in brackets are the graph's node IDs.

Top level [2]
  Network: whatitis.site; lookluck.net (may check the online IP address of the machine); 24 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 13 other signatures
  Starts: SecuriteInfo.com.Trojan.Siggen12.41502.7197.exe [10]

SecuriteInfo.com.Trojan.Siggen12.41502.7197.exe [10]
  Network: gjaosihe.nmvhpedn.com (may check the online IP address of the machine); www.yzxjgr.com 103.155.92.70:80 from local port 49724 (TWIDC-AS-APTWIDCLimitedHK); 13 other IPs or domains
  Dropped: C:\Users\...\ze90GDcYzyC9nDo7Y9fnAJbD.exe (PE32); C:\Users\...\vKVkEpiv7OaCvKBHCOognWUg.exe (PE32); C:\Users\...\oB8PIjG8ok5fgInmRAiEuEco.exe (PE32); 4 other malicious files
  Signatures: Drops PE files to the document folder of the user; Creates multiple autostart registry keys
  Starts: vKVkEpiv7OaCvKBHCOognWUg.exe [15]; Mrl9XkOdL8gQkb4g4IGI2hAG.exe [19]; dEOdcCiYVCKXerAnpcIlNzx8.exe [21]; 4 other processes [23]

vKVkEpiv7OaCvKBHCOognWUg.exe [15]
  Dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
  Signatures: Detected unpacking (changes PE section rights); Renames NTDLL to bypass HIPS; Maps a DLL or memory area into another process; 2 other signatures
  Injects into: explorer.exe [26]

Mrl9XkOdL8gQkb4g4IGI2hAG.exe [19]
  Dropped: C:\Users\user\AppData\Roaming\...\23236.exe (PE32); C:\Users\user\AppData\Local\z_user\user.vbs (ASCII); C:\Users\user\AppData\Local\...\wallpaper.mp4 (PE32)
  Signatures: Drops PE files to the startup folder; Contains functionality to behave differently if execute on a Russian/Kazak computer
  Starts: 23236.exe [31]; cmd.exe [33]

dEOdcCiYVCKXerAnpcIlNzx8.exe [21]
  Signatures: Detected unpacking (overwrites its own PE header)
  Starts: dEOdcCiYVCKXerAnpcIlNzx8.exe [35]

4 other processes [23]
  Network: ip-api.com 208.95.112.1:80 from local port 49733 (TUT-ASUS, United States); telete.in 195.201.225.248:443 from local port 49730 (HETZNER-ASDE, Germany); 7 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\haleng.exe (PE32)
  Signatures: Tries to steal Mail credentials (via file access); Tries to detect virtualization through RDTSC time measurements
  Starts: cmd.exe [37]; WerFault.exe [39]; jfiag3g_gg.exe [41]; 3 other processes [43]

explorer.exe [26] (injected)
  Network: funzel.info 37.75.52.162 (VFM-ASVodafoneMaltaLtdASMT, Malta); doeros.xyz 190.245.146.85 (TelecomArgentinaSAAR, Argentina); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\aucbbtf (PE32); C:\Users\user\AppData\Local\Temp\2CAE.exe (PE32)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Starts: SecuriteInfo.com.Trojan.Siggen12.41502.7197.exe [45]; Ta3PMMEefTCq6IhdzQmaF5F0.exe [50]

23236.exe [31]
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Injects a PE file into a foreign processes
  Starts: EhStorAuthn.exe [52]

cmd.exe [33]
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Starts: PING.EXE [54]; conhost.exe [56]; cmd.exe [58]

dEOdcCiYVCKXerAnpcIlNzx8.exe [35]
  Network: pc8xnmtg2pvabd8c89xvtdy.fun 31.31.196.115 (AS-REGRU, Russian Federation)
  Dropped: C:\ProgramData\pmj2sUc9opUgaomHJvMENi65.tmp (PE32); C:\Users\user\...behaviorgraphIIRCXRU0NeLMp[1].exe (PE32)

cmd.exe [37]
  Starts: conhost.exe [60]; timeout.exe [62]

SecuriteInfo.com.Trojan.Siggen12.41502.7197.exe [45] (second instance, started from the injected explorer.exe)
  Network: digitalassets.ams3.digitaloceanspaces.com (may check the online IP address of the machine); www.yzxjgr.com; 10 other IPs or domains
  Dropped: C:\Users\...\yhcDLboMmK1upREQNDYUGL9j.exe (PE32); C:\Users\...\qjKxhigni3vYVau7xOs33S2e.exe (PE32); C:\Users\...\i4ZMS0wZnrrm4GAsfuzY052n.exe (PE32); 4 other malicious files
  Signatures: Creates multiple autostart registry keys
  Starts: yhcDLboMmK1upREQNDYUGL9j.exe [64]; famFE4TO6bLFSjXRbHWB3ZOb.exe [67]; qjKxhigni3vYVau7xOs33S2e.exe [69]; 4 other processes [71]

Ta3PMMEefTCq6IhdzQmaF5F0.exe [50]
  Network: 2 other IPs or domains
  Dropped: 59 other files (none is malicious)
  Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)

EhStorAuthn.exe [52]
  Network: 203.159.80.228 (LOVESERVERSGB, Netherlands); 2 other IPs or domains
  Dropped: C:\ProgramData\fileDL386.exe, C:\ProgramData\fileDL199.exe, C:\ProgramData\fileDL148.exe, C:\ProgramData\fileDL835.exe (all PE32)
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware)

PING.EXE [54]
  Network: 192.168.2.1

yhcDLboMmK1upREQNDYUGL9j.exe [64]
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)

famFE4TO6bLFSjXRbHWB3ZOb.exe [67]
  Signatures: Renames NTDLL to bypass HIPS

qjKxhigni3vYVau7xOs33S2e.exe [69]
  Signatures: Maps a DLL or memory area into another process; Sample uses process hollowing technique

4 other processes [71]
  Network: uehge4g6gh.2ihsfa.com (may check the online IP address of the machine); www.facebook.com; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32)
  Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
Threat name: ByteCode-MSIL.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-03-16 17:24:10 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:raccoon family:smokeloader family:vidar botnet:32d5e6449b6744aa586038532e2d41d15ce4f201 backdoor bootkit discovery evasion persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Writes to the Master Boot Record (MBR)
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Sets service image path in registry
UPX packed file
VMProtect packed file
Checks for common network interception software
Malware families: Raccoon, SmokeLoader, Vidar
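The vendor behaviour lists above (ping.exe used to sleep, explorer.exe dropping PE files and connecting to the network after injection, Run-key persistence into user-writable paths, execution of freshly dropped EXEs) translate directly into host-telemetry rules. The following is an added example, not code from MalwareBazaar or from any of the sandboxes quoted on this page: the event records are constructed with Sysmon-like field names (no real log format is parsed), and the path regexes and the `-n` threshold are this example's own choices.

```python
"""Check an ordered host event stream for behaviours reported for this sample.

Added example; not part of the MalwareBazaar page or any vendor tooling.
Events are constructed dicts with Sysmon-like field names; thresholds and
path patterns are assumptions made for the demonstration.
"""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Documents)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
PING_COUNT = re.compile(r"(?:^|\s)-n\s+(\d+)", re.I)
PING_SLEEP_MIN = 5  # assumption: a -n count at or above this is a delay, not a reachability probe


def is_image(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def rule_ping_sleep(ev):
    """'Uses ping.exe to sleep': ping started with a large -n count."""
    if ev["type"] == "process" and is_image(ev, "ping.exe"):
        m = PING_COUNT.search(ev["cmdline"])
        if m and int(m.group(1)) >= PING_SLEEP_MIN:
            return f"ping.exe used as a delay: {ev['cmdline']}"
    return None


def rule_shell_drops_pe(ev):
    """'Benign windows process drops PE files': explorer.exe writes an .exe into a user-writable path."""
    if ev["type"] == "file" and is_image(ev, "explorer.exe"):
        if ev["path"].lower().endswith(".exe") and USER_WRITABLE.search(ev["path"]):
            return f"explorer.exe wrote {ev['path']}"
    return None


def rule_shell_netconn(ev):
    """'System process connects to network': outbound connection from explorer.exe."""
    if ev["type"] == "netconn" and is_image(ev, "explorer.exe"):
        return f"explorer.exe connected to {ev['dst']}:{ev['port']}"
    return None


def rule_run_key_user_path(ev):
    """'Adds Run key to start application' with a value pointing into AppData/ProgramData/Temp."""
    if ev["type"] == "registry" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["data"]):
        return f"Run value {ev['value']} -> {ev['data']}"
    return None


STATELESS_RULES = [rule_ping_sleep, rule_shell_drops_pe, rule_shell_netconn, rule_run_key_user_path]


def evaluate(events):
    """Map rule name -> findings. Also applies one stateful rule, 'Executes dropped EXE':
    a process whose image path was written earlier in the same stream."""
    findings = defaultdict(list)
    written_by = {}
    for ev in events:
        for rule in STATELESS_RULES:
            msg = rule(ev)
            if msg:
                findings[rule.__name__].append(msg)
        if ev["type"] == "file":
            written_by[ev["path"].lower()] = ev["image"]
        elif ev["type"] == "process" and ev["image"].lower() in written_by:
            findings["rule_executes_dropped_exe"].append(
                f"{ev['image']} (written by {written_by[ev['image'].lower()]}) started by {ev['parent']}"
            )
    return dict(findings)


def triggered_rules(events):
    """Sorted names of the rules that fired at least once."""
    return sorted(evaluate(events))


# Constructed event stream modelled on the behaviour graph above; not real telemetry.
EVENTS = [
    {"type": "process", "image": r"C:\Users\user\Desktop\sample.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "sample.exe"},
    {"type": "file", "image": r"C:\Users\user\Desktop\sample.exe", "path": r"C:\Users\user\AppData\Local\Temp\CC4F.tmp"},
    {"type": "file", "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\user\AppData\Local\Temp\2CAE.exe"},
    {"type": "netconn", "image": r"C:\Windows\explorer.exe", "dst": "37.75.52.162", "port": 80},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\2CAE.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "2CAE.exe"},
    {"type": "registry", "image": r"C:\Users\user\AppData\Local\Temp\2CAE.exe", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "aucbbtf", "data": r"C:\Users\user\AppData\Roaming\aucbbtf"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\user\AppData\Local\Temp\2CAE.exe", "cmdline": "cmd.exe /c ping 127.0.0.1 -n 30 > nul & del sample.exe"},
    {"type": "process", "image": r"C:\Windows\System32\PING.EXE", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ping 127.0.0.1 -n 30"},
    {"type": "process", "image": r"C:\Windows\System32\PING.EXE", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ping 192.168.2.1 -n 1"},
]

if __name__ == "__main__":
    for name, msgs in evaluate(EVENTS).items():
        for msg in msgs:
            print(f"[{name}] {msg}")
```

The second ping (`-n 1` to the gateway) stays below the delay threshold and is not flagged, which mirrors the graph's split between "Uses ping.exe to sleep" and "Uses ping.exe to check the status of other devices". Each rule keys on the behaviour, not on this sample's file names, so the same logic carries over to other loaders that chain the same steps.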
Malware Config
C2 Extraction:
http://funzel.info/upload/
http://doeros.xyz/upload/
http://vromus.com/upload/
http://hqans.com/upload/
http://vxeudy.com/upload/
http://poderoa.com/upload/
http://nezzzo.com/upload/
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
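The C2 list above falls into two groups: plain domains with an /upload/ path, and long generated host names that all start with 10022020 and contain a service1002 token. The following is an added example, not part of the MalwareBazaar page or of any vendor's tooling, showing how to turn that list into a blocklist, Suricata DNS rules and a log matcher. The URL subset is copied from the list above; the DNS log lines are constructed; the Suricata rule layout (dns.query sticky buffer, Suricata 5+) and SID range are this example's own choices, and the regex for the generated names is a heuristic derived only from the listed names, not a vendor signature.

```python
"""Turn the C2 URLs from this entry's 'C2 Extraction' list into detection content.

Added example; not part of the MalwareBazaar page or of any vendor's tooling.
C2_URLS is a subset copied from the list above, DNS_LOG is constructed, and the
Suricata rule layout and SID range are assumptions made for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Subset of the entry's C2 Extraction list (first group: /upload/ paths;
# second group: generated host names with a fixed prefix and a 'service1002' token).
C2_URLS = [
    "http://funzel.info/upload/",
    "http://doeros.xyz/upload/",
    "http://vromus.com/upload/",
    "http://hqans.com/upload/",
    "http://vxeudy.com/upload/",
    "http://poderoa.com/upload/",
    "http://nezzzo.com/upload/",
    "http://10022020newfolder1002002131-service1002.space/",
    "http://10022020test125831-service1002012510022020.space/",
    "http://10022020est213531-service100201242510022020.ru/",
    "http://10022020test61-service1002012510022020.website/",
]

# Heuristic for the second group, derived from the listed names only (an assumption
# of this example, not a vendor signature): '10022020' prefix, hyphen, 'service1002', any TLD.
GENERATED_C2 = re.compile(r"^10022020[a-z0-9]+-service1002[a-z0-9]*\.[a-z]+$")


def c2_hosts(urls):
    """Unique host names from the URL list, lowercased, in first-seen order."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def suricata_dns_rules(hosts, sid_start=9000001):
    """One Suricata DNS-query rule per host. 'content' is a substring match on the
    queried name, so subdomains of a listed host also trigger."""
    return [
        f'alert dns any any -> any any (msg:"MalwareBazaar a0a50284 C2 lookup {h}"; '
        f'dns.query; content:"{h}"; nocase; sid:{sid_start + i}; rev:1;)'
        for i, h in enumerate(hosts)
    ]


def classify_query(qname, hosts):
    """'listed' for a listed host or one of its subdomains, 'pattern' for a name that
    only matches the generated-name heuristic, None otherwise."""
    q = qname.lower().rstrip(".")
    if any(q == h or q.endswith("." + h) for h in hosts):
        return "listed"
    if GENERATED_C2.match(q):
        return "pattern"
    return None


# Constructed DNS log, "<timestamp> <client> <queried name>" per line (not from the page).
DNS_LOG = """\
2021-03-16T18:36:40Z 10.0.0.12 funzel.info
2021-03-16T18:36:41Z 10.0.0.12 www.example.org
2021-03-16T18:36:42Z 10.0.0.12 10022020test99999-service1002012510022020.ru
2021-03-16T18:36:43Z 10.0.0.15 cdn.doeros.xyz.
2021-03-16T18:36:44Z 10.0.0.15 update.microsoft.com
"""


def scan_dns_log(log_text, hosts):
    """(client, qname, verdict) for every line whose query is listed or pattern-matched."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        verdict = classify_query(qname, hosts)
        if verdict:
            hits.append((client, qname.rstrip("."), verdict))
    return hits


if __name__ == "__main__":
    hosts = c2_hosts(C2_URLS)
    print("\n".join(suricata_dns_rules(hosts)))
    for client, qname, verdict in scan_dns_log(DNS_LOG, hosts):
        print(f"{client} -> {qname} [{verdict}]")
```

The pattern verdict is the part worth keeping: the listed generated domains are a snapshot, and a sibling name that was not in this entry (the constructed `10022020test99999-...` query) is still caught, at the cost of a heuristic that should be reviewed against your own DNS baseline before it is allowed to block.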
Unpacked files
SHA256 hash: a0a50284a627570c96cf3ed3d05835bed9fe27d4732034c535a082f727db8660
MD5 hash: 52694ed23823367cafc4b3d0dc49165c
SHA1 hash: 74c3ea0f488e80ff45ae8f5bef7136811853fa2b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create, so a hit such as AutoIT_Compiled may come from a payload dropped during execution rather than from the 7'680-byte submitted file. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RaccoonStealer
File: Executable exe a0a50284a627570c96cf3ed3d05835bed9fe27d4732034c535a082f727db8660 (this sample)

Comments