MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 2 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50
SHA3-384 hash: 1976f2e02003bb50e498d38cbca1eb32c767a0d9df42a4336c1bf4ba20c76e6def88d0476288bd463e96c8f73f2d2c79
SHA1 hash: b669f111c898e2d026056d1c97633c6f3b24f70e
MD5 hash: a6113645cfa8015d222751357883c337
humanhash: wolfram-fish-two-florida
File name:a6113645cfa8015d222751357883c337.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:418'816 bytes
First seen:2021-07-04 05:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cc652b98d99a86a80e16f2ea69ad54e (3 x RaccoonStealer)
ssdeep 6144:Tk+8ZyV+MWUXEpSjPpTcrmH6WferjC7BfGzQl58ZAk5B3X0CemOOLQ9BkuBjgM:Tk+OyDp6SjPpTj6WECthCKgUCQHuuB
TLSH E0947C00E650C039F5F326F59EBAA778652DBEE15B2460CB63D92EDE56356E0AC30307
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://morksu06.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://morksu06.top/index.php https://threatfox.abuse.ch/ioc/157365/
http://xeidor62.top/index.php https://threatfox.abuse.ch/ioc/157400/

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6113645cfa8015d222751357883c337.exe
Verdict:
Malicious activity
Analysis date:
2021-07-04 05:11:22 UTC
Tags:
trojan loader stealer raccoon evasion
Link:
https://app.any.run/tasks/2f4a8dbe-c5a8-40fb-9b65-dedaaa29fb03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169540/
Detection(s):
Win.Packed.Generic-9874984-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4c22969-24aa-466d-888d-c42811aba249
Result
Threat name:
Clipboard Hijacker Cryptbot Raccoon RedL
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811497
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample or dropped binary is a compiled AutoHotkey binary
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Evader
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 443908 Sample: 5tvkRMhaj2.exe Startdate: 04/07/2021 Architecture: WINDOWS Score: 100 142 kCDsxsOcfhTlMjafabHRMsCYusl.kCDsxsOcfhTlMjafabHRMsCYusl 2->142 160 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->160 162 Multi AV Scanner detection for domain / URL 2->162 164 Found malware configuration 2->164 166 15 other signatures 2->166 15 5tvkRMhaj2.exe 29 2->15         started        20 SmartClock.exe 2->20         started        22 SmartClock.exe 2->22         started        signatures3 process4 dnsIp5 148 g-partners.top 159.65.63.164, 49717, 49718, 49719 DIGITALOCEAN-ASNUS United States 15->148 150 lopevh09.top 47.243.129.23, 49723, 49725, 49726 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 15->150 152 2 other IPs or domains 15->152 98 C:\Users\user\AppData\...\96820101128.exe, PE32 15->98 dropped 100 C:\Users\user\AppData\...\74228852863.exe, PE32 15->100 dropped 102 C:\Users\user\AppData\...\47511264286.exe, PE32 15->102 dropped 104 6 other files (none is malicious) 15->104 dropped 154 Detected unpacking (changes PE section rights) 15->154 156 Detected unpacking (overwrites its own PE header) 15->156 158 May check the online IP address of the machine 15->158 24 cmd.exe 1 15->24         started        27 cmd.exe 1 15->27         started        29 cmd.exe 1 15->29         started        31 cmd.exe 15->31         started        file6 signatures7 process8 signatures9 190 Submitted sample is a known malware sample 24->190 192 Obfuscated command line found 24->192 194 Uses ping.exe to sleep 24->194 196 Uses ping.exe to check the status of other devices and networks 24->196 33 96820101128.exe 80 24->33         started        38 conhost.exe 24->38         started        40 47511264286.exe 8 27->40         started        42 conhost.exe 27->42         started        44 74228852863.exe 48 29->44         started        46 conhost.exe 29->46         started        48 conhost.exe 31->48         started        50 taskkill.exe 31->50         started        process10 dnsIp11 128 tttttt.me 95.216.186.40, 443, 49724 HETZNER-ASDE Germany 33->128 130 35.205.249.65, 49738, 80 GOOGLEUS United States 33->130 106 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 33->106 dropped 108 C:\Users\user\AppData\...\vcruntime140.dll, PE32 33->108 dropped 110 C:\Users\user\AppData\...\ucrtbase.dll, PE32 33->110 dropped 116 56 other files (none is malicious) 33->116 dropped 168 Tries to steal Mail credentials (via file access) 33->168 170 Contains functionality to steal Internet Explorer form passwords 33->170 52 cmd.exe 33->52         started        132 nailedpizza.top 40->132 134 iplogger.org 40->134 112 C:\Users\user\AppData\...\edspolishpp.exe, PE32 40->112 dropped 172 Detected unpacking (changes PE section rights) 40->172 174 Detected unpacking (overwrites its own PE header) 40->174 176 May check the online IP address of the machine 40->176 180 2 other signatures 40->180 54 edspolishpp.exe 40->54         started        136 morksu06.top 178.62.84.251, 49745, 80 DIGITALOCEAN-ASNUS European Union 44->136 138 xeidor62.top 143.110.219.141, 49740, 80 COLLEGE-OF-ST-SCHOLASTICAUS United States 44->138 140 lopywn08.top 44->140 114 C:\Users\user\AppData\Local\...\lgTNZHQ.exe, PE32 44->114 dropped 178 Tries to harvest and steal browser information (history, passwords, etc) 44->178 58 cmd.exe 44->58         started        60 cmd.exe 44->60         started        file12 signatures13 process14 dnsIp15 62 conhost.exe 52->62         started        64 timeout.exe 52->64         started        144 185.215.113.17, 18597, 49739 WHOLESALECONNECTIONSNL Portugal 54->144 186 Detected unpacking (changes PE section rights) 54->186 188 Detected unpacking (overwrites its own PE header) 54->188 66 lgTNZHQ.exe 58->66         started        69 conhost.exe 58->69         started        71 conhost.exe 60->71         started        73 timeout.exe 60->73         started        signatures16 process17 file18 118 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 66->118 dropped 120 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 66->120 dropped 122 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 66->122 dropped 124 3 other files (none is malicious) 66->124 dropped 75 vpn.exe 66->75         started        77 4.exe 66->77         started        process19 file20 80 cmd.exe 75->80         started        126 C:\Users\user\AppData\...\SmartClock.exe, PE32 77->126 dropped 82 SmartClock.exe 77->82         started        process21 process22 84 cmd.exe 80->84         started        87 conhost.exe 80->87         started        signatures23 182 Obfuscated command line found 84->182 184 Uses ping.exe to sleep 84->184 89 PING.EXE 84->89         started        92 Declinante.exe.com 84->92         started        94 findstr.exe 84->94         started        process24 dnsIp25 146 127.0.0.1 unknown unknown 89->146 96 Declinante.exe.com 92->96         started        process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 10:13:34 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wlxanlyhlpgjzntonbkbo2cmshpvz2tgpgumz5tarbl5vmfennia._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:raccoon family:redline family:vidar botnet:mix 04.07 discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210704-l9v1c398ys/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
CryptBot
CryptBot Payload
Raccoon
RedLine
RedLine Payload
Vidar
Malware Config
C2 Extraction:
xeidor62.top
morksu06.top
185.215.113.17:18597
Unpacked files
SH256 hash:
5ae7ee8f894b4acf5f4c841bc85ccd53ca04cc79a73fd84cec8ee5381ac94aff
MD5 hash:
c3931474ded1e643d4f47ad1773d4a58
SHA1 hash:
584254fe35335371cec0fbd5471322af569893f6
Link:
https://www.unpac.me/results/7f08e112-0179-4f10-b8a1-f4eaa8427355/
SH256 hash:
b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50
MD5 hash:
a6113645cfa8015d222751357883c337
SHA1 hash:
b669f111c898e2d026056d1c97633c6f3b24f70e
Link:
https://www.unpac.me/results/7f08e112-0179-4f10-b8a1-f4eaa8427355/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon/Racealer infostealer
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169540/

Comments