MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 9

SHA256 hash: a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
SHA3-384 hash: 1b6b5ea5ed7786a78a138d902a4e3f3c64b9747c7a2c734cc6a31b39e378b50156cfd5969d11d3bfd3027d40012f20f4
SHA1 hash: 79b31f9e33db670b0fe23a427d2a7964cd42c570
MD5 hash: 85f8144cf55f7e208b04daf30a0e753c
humanhash: apart-burger-uranus-minnesota
File name: 85f8144cf55f7e208b04daf30a0e753c.exe
Signature: RaccoonStealer
File size: 1'191'936 bytes
First seen: 2021-04-30 14:41:30 UTC
Last seen: 2021-04-30 15:02:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7bfd5d688dd539b059ca876a58652218 (2 x RaccoonStealer)
ssdeep: 24576:oGILFCTvIol22DNQq5aXo2nmEFE8wNP2f2px:oSIA2Cz5aXowFONPWCx
Threatray: 1'879 similar samples on MalwareBazaar
TLSH: C245CF2E37BE4436F0560E715BD576E086BDFD37A756140BE3402B1A19E2E81AC8273B
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
194.5.98.107:6970

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC    ThreatFox Reference
194.5.98.107:6970 https://threatfox.abuse.ch/ioc/26722/
http://macakslcaq.ug/index.php https://threatfox.abuse.ch/ioc/26723/
http://malcacnba.ac.ug/ https://threatfox.abuse.ch/ioc/26724/

Intelligence


File Origin
# of uploads: 2
# of downloads: 99
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Azorult Raccoon Remcos
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 401451; sample BhTxt5BUvy.exe; start date 30/04/2021; architecture WINDOWS; score 100): rendered graph not reproduced here.
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-04-30 14:42:14 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:asyncrat family:azorult family:oski family:raccoon botnet:67a1a4d96e0af06ab629d8d5c048c516a37dbc35 discovery evasion infostealer persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Malware Config
C2 Extraction: http://195.245.112.115/index.php
Unpacked files
SHA256 hash: 42d7ff7d320791f272c50898d2daa754126ab5489c1ab65ef7c333fa9261794f
MD5 hash: 7747706ae48a4d3548bf25d19a7cf10f
SHA1 hash: 0358f560b55ae305a0c0e6181d28b7473ffca8e7
Detections: win_raccoon_auto

SHA256 hash: 29b249425b61c63302c155aa439cdc5fdc5335808891fb94d3bc1a7b22252042
MD5 hash: b2a0e388ddd46ac25293d621780dcbf2
SHA1 hash: 2d6243ff65fd0383ce13f57591f0f627e8c724dd
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: a639596a3aa2c49a18e1a4c5b56d7ea8da0044563bd4b22f4a12364f357196d7
MD5 hash: 10d235f3475aa517f2adc8c5cba5701b
SHA1 hash: 8ddfbf477abd18f929bf5beec6d0a4f6d626df8f
Detections: win_oski_g0 win_oski_auto

SHA256 hash: a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154
MD5 hash: 85f8144cf55f7e208b04daf30a0e753c
SHA1 hash: 79b31f9e33db670b0fe23a427d2a7964cd42c570
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Author: ditekSHen
Description: Detects file containing reversed ASEP Autorun registry keys

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Detects Raccoon/Racealer infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: REMCOS_RAT_variants

Rule name: Reverse_text_bin_mem
Author: James_inthe_box
Description: Reverse text detected

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT

Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research

Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_oski_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
RaccoonStealer
Executable exe a9b0a14beac57ba149a978c8f0996a4f4e70e003b80c67e631947c9dc3590154 (this sample)

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 15:00:23 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.035] Anti-Behavioral Analysis::Process Environment Block BeingDebugged
1) [B0001.036] Anti-Behavioral Analysis::Process Environment Block NtGlobalFlag
2) [C0031] Cryptography Micro-objective::Decrypt Data
3) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
4) [C0027] Cryptography Micro-objective::Encrypt Data
5) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [B0023] Execution::Install Additional Program
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
12) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry