MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aec46d1dcd8856f0fafccca65665fb836cf4d031157414fc11d08af9923e9545. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aec46d1dcd8856f0fafccca65665fb836cf4d031157414fc11d08af9923e9545
SHA3-384 hash: 4fb7967f01bf9a3794b042784bd55ae7fceabce248f6267c30b47520ea52d8e770ac048c27bdb527ed5f141ff8342c97
SHA1 hash: a676ee57ff0eae3a73b370196ac3ad51fcb45f8f
MD5 hash: a961693763f627dc8b4c030f69ce751d
humanhash: wolfram-coffee-virginia-solar
File name:a961693763f627dc8b4c030f69ce751d.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:815'104 bytes
First seen:2021-09-14 13:45:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ca357d1c9b605d95e9d31e67e1c53033 (6 x AZORult, 2 x RaccoonStealer, 1 x NetWire)
ssdeep 12288:qvq0sFeXeVzXOYVLvuWOOJ1iFjbrp4NplXz2U3IpeUa6URfQ4AmFPTbFNbD:qvq01XMOYCiTipbtsp6IQ4AET5Nn
TLSH T17805020679650992F41509B10BE588F40B7EBD33B582AA1FB785BE090CF36DB5CD0BB6
dhash icon 01e6e6e6dcd81823 (2 x AZORult, 1 x RaccoonStealer, 1 x Worm.Ramnit)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://94.158.245.117/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.158.245.117/ https://threatfox.abuse.ch/ioc/221022/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Meteorite
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187833/
Detection(s):
Win.Trojan.Barys-9890423-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt to an infection source
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Sending an HTTP POST request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61750fd0db358dd15ed92281/reports/7899201b-cbd2-462b-b5da-0f410e1dc37b/overview
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c39103b5-99f3-43aa-adbd-64505fb46bc8
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850734
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to resolve many domain names, but no domain seems valid
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Patcher
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 483165 Sample: xrm4z50ja9.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 51 mazoyer.ac.ug 2->51 53 mazooyaar.ac.ug 2->53 55 2 other IPs or domains 2->55 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 72 14 other signatures 2->72 10 xrm4z50ja9.exe 15 2->10         started        signatures3 70 Tries to resolve many domain names, but no domain seems valid 51->70 process4 file5 49 C:\Users\user\AppData\Local\...\cxvrame.exe, PE32 10->49 dropped 82 Maps a DLL or memory area into another process 10->82 14 cxvrame.exe 4 10->14         started        17 xrm4z50ja9.exe 2 10->17         started        signatures6 process7 file8 84 Antivirus detection for dropped file 14->84 86 Multi AV Scanner detection for dropped file 14->86 88 Performs DNS queries to domains with low reputation 14->88 90 2 other signatures 14->90 20 cxvrame.exe 23 14->20         started        35 C:\Users\user\AppData\...\dup2patcher.dll, PE32 17->35 dropped signatures9 process10 dnsIp11 57 wishamag.ac.ug 20->57 60 tuekisa.ac.ug 20->60 62 21 other IPs or domains 20->62 37 C:\Users\user\AppData\Local\...\Dropkxa.exe, PE32 20->37 dropped 39 C:\Users\user\AppData\Local\...\Dropakxa.exe, PE32 20->39 dropped 41 C:\Users\user\AppData\Local\...\ghjk[1].exe, PE32 20->41 dropped 43 C:\Users\user\AppData\Local\...\ghjkl[1].exe, PE32 20->43 dropped 24 Dropakxa.exe 7 20->24         started        28 Dropkxa.exe 2 20->28         started        file12 80 Tries to resolve many domain names, but no domain seems valid 60->80 signatures13 process14 file15 45 C:\Users\user\AppData\Local\Temp\vcabnv.exe, PE32 24->45 dropped 47 C:\Users\user\AppData\Local\Temp\fdBas.exe, PE32 24->47 dropped 74 Antivirus detection for dropped file 24->74 76 Multi AV Scanner detection for dropped file 24->76 78 Machine Learning detection for dropped file 24->78 30 vcabnv.exe 4 24->30         started        33 fdBas.exe 4 24->33         started        signatures16 process17 signatures18 92 Antivirus detection for dropped file 30->92 94 Multi AV Scanner detection for dropped file 30->94 96 Machine Learning detection for dropped file 30->96
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aec46d1dcd8856f0fafccca65665fb836cf4d031157414fc11d08af9923e9545/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 02:12:45 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3cg2honrblpb6x4zstfmzp3qnwpjubrcv2bj7ar2cfpter6svcq._file
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/210914-q2zbgsfgg7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
mazooyaar.ac.ug
Unpacked files
SH256 hash:
a5ba16c923f87b38066c559b69ab5f2360f10f5a348192e082477b5b4cf018bd
MD5 hash:
1219e078b229230b034ce2cba1037b2e
SHA1 hash:
4473e6a4d09254335527b687e42945c77047f504
Link:
https://www.unpac.me/results/4c28c63a-e464-49a7-af08-0c22aaeb4f21/
SH256 hash:
5f338e06c2abb1445863f4a54471450f5c5d125fb17ed7a9e2b6621244c11923
MD5 hash:
4ae5adb207609e8a0b4643fbfffe29aa
SHA1 hash:
8ac49d2ec4f13b73efaef4bd87dee438c48fd2a2
Link:
https://www.unpac.me/results/4c28c63a-e464-49a7-af08-0c22aaeb4f21/
SH256 hash:
e026d6403ad30bc2fa2ec9fdec5d10cebab912bc0e51fbd2286e7a6e5ae08cd7
MD5 hash:
a54108584fb28c0778dc275291cfcf75
SHA1 hash:
f50c8c9764333087bde9dff721ec9829f469b5ab
Link:
https://www.unpac.me/results/4c28c63a-e464-49a7-af08-0c22aaeb4f21/
SH256 hash:
d2c38b81b1f94eb3590a1a1366e1ae074f0d8652edde58ade4d44067b49b4203
MD5 hash:
0ddb158983e40453338177ae111adbbb
SHA1 hash:
8e0365977b3070511c5abc829ac03ec9b4093a4d
Link:
https://www.unpac.me/results/4c28c63a-e464-49a7-af08-0c22aaeb4f21/
SH256 hash:
aec46d1dcd8856f0fafccca65665fb836cf4d031157414fc11d08af9923e9545
MD5 hash:
a961693763f627dc8b4c030f69ce751d
SHA1 hash:
a676ee57ff0eae3a73b370196ac3ad51fcb45f8f
Link:
https://www.unpac.me/results/4c28c63a-e464-49a7-af08-0c22aaeb4f21/
Malware family:
Mal/HTMLGen-A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/aec46d1dcd88/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aec46d1dcd8856f0fafccca65665fb836cf4d031157414fc11d08af9923e9545

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187833/

Comments