MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91
SHA3-384 hash: 40d298617b9f83b9ebfc9696df96d6d6935b0b2eafd9ada490d9b39273e51838836f0fef4231fadbd57b37268f206a93
SHA1 hash: a7382072a4729771dec5b10bcf2d4895da444176
MD5 hash: 196ff748cced551629a1683e3d9d9b37
humanhash: arizona-neptune-colorado-angel
File name:Sirus.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'293'744 bytes
First seen:2021-04-15 08:08:43 UTC
Last seen:2021-04-15 09:05:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:DmkXwPS9daEz9/pnIJI/WmyMMMMhxMMMMgV/swDjDtIbc5G79EAsE:DmkX3BB///CMMMMhxMMMMi/hQKZE
Threatray 922 similar samples on MalwareBazaar
TLSH 74B502E87640F8EFC52BC832C868AC209961B5AA4317C107F0173F98796E793DE559E7
Reporter Anonymous
Tags:RaccoonStealer

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://smtp.omplcement.com/ https://threatfox.abuse.ch/ioc/8624/

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sirus.bin
Verdict:
Malicious activity
Analysis date:
2021-04-15 06:17:45 UTC
Tags:
trojan stealer raccoon loader rat redline unwanted netsupport evasion
Link:
https://app.any.run/tasks/b7d87155-f071-4a83-8675-af2f73fc7fe4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/134683/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.601.19236.16679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
DNS request
Sending a custom TCP request
Deleting a recently created file
Reading critical registry keys
Delayed reading of the file
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Ficker Stealer Raccoon RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/677071
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Ficker Stealer
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 387487 Sample: Sirus.exe Startdate: 15/04/2021 Architecture: WINDOWS Score: 100 40 panenewak.xyz 2->40 42 iplogger.org 2->42 44 3 other IPs or domains 2->44 58 Found malware configuration 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 10 other signatures 2->64 9 Sirus.exe 3 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\Sirus.exe.log, ASCII 9->30 dropped 78 Detected unpacking (changes PE section rights) 9->78 80 Detected unpacking (overwrites its own PE header) 9->80 82 Contains functionality to steal Internet Explorer form passwords 9->82 84 Injects a PE file into a foreign processes 9->84 13 Sirus.exe 85 9->13         started        signatures6 process7 dnsIp8 52 tttttt.me 95.216.186.40, 443, 49733 HETZNER-ASDE Germany 13->52 54 download-cheat.com 13->54 56 2 other IPs or domains 13->56 32 C:\Users\user\AppData\...\JHSVsugLFI.exe, PE32 13->32 dropped 34 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 13->34 dropped 36 C:\Users\user\AppData\...\vcruntime140.dll, PE32 13->36 dropped 38 57 other files (none is malicious) 13->38 dropped 86 Tries to steal Mail credentials (via file access) 13->86 88 Tries to harvest and steal browser information (history, passwords, etc) 13->88 18 JHSVsugLFI.exe 3 13->18         started        file9 signatures10 process11 file12 28 C:\Users\user\AppData\...\JHSVsugLFI.exe.log, ASCII 18->28 dropped 66 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->66 68 Performs DNS queries to domains with low reputation 18->68 70 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->70 72 Injects a PE file into a foreign processes 18->72 22 JHSVsugLFI.exe 15 30 18->22         started        26 JHSVsugLFI.exe 18->26         started        signatures13 process14 dnsIp15 46 panenewak.xyz 5.149.255.204, 49754, 49756, 49758 HZ-NL-ASGB United Kingdom 22->46 48 api.ip.sb 22->48 50 4 other IPs or domains 22->50 74 Tries to harvest and steal browser information (history, passwords, etc) 22->74 76 Tries to steal Crypto Currency Wallets 22->76 signatures16
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-13 01:07:29 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2cbwhb5bqna4simehlog47hlufwnrr7rbbrw3uj6pky4q2kxsiq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ae02edbc714dfd70bc71151c585d12d35b407c831ea5c9abf5c32376ce14a45
RaccoonStealer
2c2d88dbff1f9196148cc3c7501d4c45b05ef51887651b3bcdbb111fcc7a2ba2
RaccoonStealer
4aab4b2fb6223ec40fe0fbf7e03d6a008ff688c61049744f69ba56d6068aa8b5
RaccoonStealer
68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
86fc3e58537ac903356866de03df56baaba69b2641f90da283560a08fc60786b
RaccoonStealer
cc693d1a82022a4cd51053b34035613174eb71b4ba079ac829c90ec5558c3f07
RaccoonStealer
f24bd8c22941fdf06881f9e4ee40b44db08dcc8323b81aad6cd2e2aadb5ffb93
RaccoonStealer
fd8d8b2d1513fe8e59d21e96e5f66695bbca33b6f4f9b1561136196db97b9bde
RaccoonStealer
fe271b4266e4d1da6cd411a99f35ef14bba6e93354d43f4b790008d9222e0ba7
RaccoonStealer
+ 912 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline botnet:1a329a10c40d1d7de968ac01620072546be15062 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210415-y41dc644ya/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Raccoon
RedLine
Unpacked files
SH256 hash:
69f5ef02cac362b7cd9cfbdf0438ed46aa81eb1bcb476bf3735988ae9d6b00d0
MD5 hash:
507e98d6fa3557a2528be82cde757633
SHA1 hash:
f9904ab7367d36bb43d299e0375e80a8de26f2f9
Link:
https://www.unpac.me/results/e69adcc0-6c21-4aa5-912b-8b6a42887369/
SH256 hash:
f7fa55cf817838ac785a777c17036eeee7a81544c444041d1748ece450f62943
MD5 hash:
0474d34454ae5eb6029d17636505667a
SHA1 hash:
810d6b2accd24a7cc044606951da2c8a23273771
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/e69adcc0-6c21-4aa5-912b-8b6a42887369/
Parent samples :
ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91
a8fb61732f9696d24e02dda47d2f12abe0d8968e130f05d2381bb7b5a93f3ec0
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/e69adcc0-6c21-4aa5-912b-8b6a42887369/
SH256 hash:
ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91
MD5 hash:
196ff748cced551629a1683e3d9d9b37
SHA1 hash:
a7382072a4729771dec5b10bcf2d4895da444176
Link:
https://www.unpac.me/results/e69adcc0-6c21-4aa5-912b-8b6a42887369/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae841b1c3d0c1a0e490c21d6e373e75d0b66c63f88431b6e89f3d58e434abc91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_07f9d80b85ceff7ee3f58dc594fe66b6
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_KB_CERT_0f9d91c6aba86f4e54cbb9ef57e68346
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/134683/

Comments