MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a85ef03cd5003b5aa6f886fcf1ee608f913ce08f5d0d3d3bb64fa41201df8502. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a85ef03cd5003b5aa6f886fcf1ee608f913ce08f5d0d3d3bb64fa41201df8502
SHA3-384 hash: ffc2827141842bf59cf01113c2383fc9e9140327373aa086ca0337462fdc30d055e844a89705532910e477f8772cbc2d
SHA1 hash: 5d069ac49940ff05fc36949d4129021f940b04c4
MD5 hash: e80bbda7c048cd9233c1c73f67c75bc1
humanhash: missouri-steak-mountain-black
File name:E80BBDA7C048CD9233C1C73F67C75BC1.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:139'328 bytes
First seen:2021-09-07 16:56:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f105b079e26a72f1e39b46e0f5f8ab23 (2 x AZORult, 1 x RaccoonStealer)
ssdeep 3072:slKmvMHwdF68nJi4Xz3R5mBROogsH6n9U5zr6HvkHU:0K+MnkJz7mAD9UdrQ
Threatray 8'973 similar samples on MalwareBazaar
TLSH T11AD3AF1365B40AA2F4560AB51AE198B85737FD718544CE07328ABF0D1DB3BC36DE1B2B
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://178.23.190.242/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://178.23.190.242/ https://threatfox.abuse.ch/ioc/216953/

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E80BBDA7C048CD9233C1C73F67C75BC1.exe
Verdict:
Malicious activity
Analysis date:
2021-09-07 16:59:02 UTC
Tags:
trojan stealer vidar rat azorult loader raccoon
Link:
https://app.any.run/tasks/21e51efa-b2d8-4bf3-ae6c-d608553fd4e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Meteorite
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186091/
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Win.Trojan.Barys-9890423-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b4b7ebb-18cd-41f8-bc57-bf83d0327ecf
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846815
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to resolve many domain names, but no domain seems valid
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479246 Sample: vNbWo1NOKA.exe Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 39 mazooyaar.ac.ug 2->39 41 mazoyer.ac.ug 2->41 43 telete.in 2->43 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 68 13 other signatures 2->68 9 vNbWo1NOKA.exe 13 2->9         started        signatures3 66 Tries to resolve many domain names, but no domain seems valid 39->66 process4 signatures5 76 Performs DNS queries to domains with low reputation 9->76 78 Maps a DLL or memory area into another process 9->78 12 vNbWo1NOKA.exe 23 9->12         started        process6 dnsIp7 45 wishamag.ac.ug 12->45 48 tuekisa.ac.ug 12->48 50 22 other IPs or domains 12->50 31 C:\Users\user\AppData\Local\...\Dropkxa.exe, PE32 12->31 dropped 33 C:\Users\user\AppData\Local\...\Dropakxa.exe, PE32 12->33 dropped 35 C:\Users\user\AppData\Local\...\ghjk[1].exe, PE32 12->35 dropped 37 C:\Users\user\AppData\Local\...\ghjkl[1].exe, PE32 12->37 dropped 16 Dropakxa.exe 7 12->16         started        20 Dropkxa.exe 2 12->20         started        file8 80 Tries to resolve many domain names, but no domain seems valid 48->80 signatures9 process10 file11 27 C:\Users\user\AppData\Local\Temp\vcxfse.exe, PE32 16->27 dropped 29 C:\Users\user\AppData\Local\Temp\cbvjns.exe, PE32 16->29 dropped 52 Antivirus detection for dropped file 16->52 54 Multi AV Scanner detection for dropped file 16->54 56 Machine Learning detection for dropped file 16->56 58 Sample uses process hollowing technique 16->58 22 vcxfse.exe 4 16->22         started        25 cbvjns.exe 4 16->25         started        signatures12 process13 signatures14 70 Antivirus detection for dropped file 22->70 72 Multi AV Scanner detection for dropped file 22->72 74 Machine Learning detection for dropped file 22->74
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a85ef03cd5003b5aa6f886fcf1ee608f913ce08f5d0d3d3bb64fa41201df8502/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 20:43:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbppapgvaa5vvjxyq36pd3tar6itzyeplugt2o5wj6sbeao7quba._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
raccoon
Create hunting rule
Similar samples:
06bc17a2517d3c471c978b342e512234a3f9a8eb16e938e7be57b1b67da99bea
RaccoonStealer
1b9339d0a70cdef37f4827a81100f9e8158a5633dc8b7a2c3b616f070ce49b5d
RaccoonStealer
4da160dc1a5e5f2f2e0dee7ab9ccd3a522e34bbef2d602f35525b788f3afee2a
RaccoonStealer
7982b6446285ca06d96a1bc1e0ac8a2618123664173bff105d02e22bf617c757
RaccoonStealer
b594ae37dfb90a402bda0803680b455ababcc67e1add26f3c3f8f192d97dbe2a
RaccoonStealer
bd3cefcbb135df48caee6888747542a304c4706e24e93492c481201c556bf334
RaccoonStealer
ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
RaccoonStealer
+ 8'963 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 discovery infostealer spyware stealer suricata trojan
Link:
https://tria.ge/reports/210907-vf9bsagbhp/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M2
Malware Config
C2 Extraction:
mazooyaar.ac.ug
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
a7e409631b6ea686af282eea3412bf07ef13303bdc9235aae8525b45945388b7
MD5 hash:
c81689483f642ec0f5606403613294e4
SHA1 hash:
7626d76070716bab61f4541e4033629c60f152be
Link:
https://www.unpac.me/results/5ff49051-ce6e-4df6-8c87-4a921d231d00/
SH256 hash:
83e5fbb202740ce8251c4a982496ab6640d2c12e44c648adbb09eb59be8a6ab8
MD5 hash:
556b78399e6670691cee456744a479a0
SHA1 hash:
978ef8ebabdcec8ec99bda3c334af81bc5584a8a
Link:
https://www.unpac.me/results/5ff49051-ce6e-4df6-8c87-4a921d231d00/
SH256 hash:
a85ef03cd5003b5aa6f886fcf1ee608f913ce08f5d0d3d3bb64fa41201df8502
MD5 hash:
e80bbda7c048cd9233c1c73f67c75bc1
SHA1 hash:
5d069ac49940ff05fc36949d4129021f940b04c4
Link:
https://www.unpac.me/results/5ff49051-ce6e-4df6-8c87-4a921d231d00/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a85ef03cd500/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a85ef03cd5003b5aa6f886fcf1ee608f913ce08f5d0d3d3bb64fa41201df8502

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186091/

Comments