MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6a6ff46eafb272d4a37b1f943adde3e1406540277a0a4f1bc18e00e124922bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments

SHA256 hash:	a6a6ff46eafb272d4a37b1f943adde3e1406540277a0a4f1bc18e00e124922bf
SHA3-384 hash:	9b9f2a42167056505273b2e099924281fd750c1f8c3213a97ea89085c2d54fe5f63aeb8bb296ec4ded80dfdb8519d230
SHA1 hash:	ba2d9ed5e6d023472ba8d8cb47e5c5b0e81055ad
MD5 hash:	8f9135f3800d725baed20a9cb56e4d8b
humanhash:	ohio-eight-single-mirror
File name:	8f9135f3800d725baed20a9cb56e4d8b.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	1'515'520 bytes
First seen:	2020-06-28 16:22:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c48c98d8d11cf51c73b194502a508be7 (4 x RaccoonStealer, 3 x AZORult, 1 x AgentTesla)
ssdeep	24576:Sfl2F0JI52+CKCYMjau6ApvxgsaDKa/uESJv++7lLBu6SjcNQT:Sfl2F0JI52+CvYGaqxMT/uESJv+cLBu/
Threatray	519 similar samples on MalwareBazaar
TLSH	FF652372A7A45232C71F15B5ADB1395109AE3B3694CA2D2BEF542E88BF43DC61943333
Reporter	abuse_ch
Tags:	exe RaccoonStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Azorult

Link:

https://www.capesandbox.com/analysis/15229/

Detection(s):

Win.Trojan.VBGeneric-8264807-0

Win.Dropper.NetWire-8264833-0

Detection:

azorult

Link:

https://mwdb.cert.pl/sample/a6a6ff46eafb272d4a37b1f943adde3e1406540277a0a4f1bc18e00e124922bf/

Threat name:

Win32.Ransomware.Locky

Status:

Malicious

First seen:

2020-06-28 12:33:39 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u2tp6rxk7mts2srxwh4uhlo6hykamvaco6qkj4n4ddqa4esjek7q._file

Verdict:

malicious

Label(s):

azorult

netwirerc

RaccoonStealer

3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f

RaccoonStealer

682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6

RaccoonStealer

6fa66f7851bea577cc6adfda11d3225a69b7c6554f028851eddd4d23ea074a59

RaccoonStealer

7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999

RaccoonStealer

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464

RaccoonStealer

934609a4e6bbf6eda68c1a09fbd0d5e331229f974148c21aa99add9f94171ec1

RaccoonStealer

b30f264fda73db6970c313776095289e5fc0ee77f6be19010e2f9e125205e845

RaccoonStealer

df2688f6f88ea0e66b46d856e514adf25f8456cb4e45c849233799e17b1171e3

RaccoonStealer

f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb

RaccoonStealer

+ 509 additional samples on MalwareBazaar

Result

Malware family:

azorult

Score:

10/10

Tags:

ransomware evasion trojan spyware stealer family:raccoon infostealer family:oski family:azorult discovery

Link:

https://tria.ge/reports/200628-tlxhy97676/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Checks for installed software on the system

Modifies system certificate store

Accesses cryptocurrency wallets, possible credential harvesting

Reads user/profile data of local email clients

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Windows security modification

Executes dropped EXE

Raccoon log file

Azorult

Modifies Windows Defender Real-time Protection settings

Contains code to disable Windows Defender

Raccoon

oski

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_netwire_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_oski_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_oski_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	win_raccoon_a0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	win_raccoon_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/15229/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample