MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 9



SHA256 hash: bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184
SHA3-384 hash: 798f792be5e7b5ec70a8584eecdd323e03de5c1a4ec90eef5a7a3f98b7b2eda61bdb5d839e220e4b7f1c17cab1b565f8
SHA1 hash: 56e830b1cd6126e1495fdfffef3fd907d2eeb89e
MD5 hash: 1fb060d7141deadc6675723d6dd905fc
humanhash: red-red-july-red
File name: 1fb060d7141deadc6675723d6dd905fc.exe
Download: download sample
Signature: RaccoonStealer
File size: 674'304 bytes
First seen: 2020-11-29 07:21:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1d88d597200c0081784c27940d743ec5 (6 x AZORult, 3 x RaccoonStealer, 1 x MBRLocker)
ssdeep: 12288:tivlI1n+cWJZap6uwTr9io6dB+9mH6T8OwaTNxp55ZJ0tfuFtGtLOtHoS:tQ2+Sp2TrcoCB+9xhzhxp55ZJArt
Threatray: 640 similar samples on MalwareBazaar
TLSH: 4BE4231E760A456BFB53C6768BD362020128DC7DBDCD029602ABF6632D739647C98E73
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 267
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Creating a file
Deleting a recently created file
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AsyncRAT Azorult Raccoon Vidar
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Connects to a URL shortener service
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected BatToExe compiled binary
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 324340; sample vHQYvz88iw.exe; start date 29/11/2020; architecture WINDOWS; score 100), reconstructed as a process tree. Each node lists the hosts it contacted, the files it dropped and the signatures it triggered; port numbers are given as the graph lists them.

Top-level network: agentpurple.ac.ug; agentpapple.ac.ug; 4 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 17 other signatures

vHQYvz88iw.exe
  dropped: C:\Users\user\AppData\Local\Temp\...\kgen.exe (PE32); C:\Users\...\adobe.snr.patch.v2.0-painter.exe (MS-DOS)
  conhost.exe
  cmd.exe
    kgen.exe
      signatures: Detected unpacking (overwrites its own PE header); Creates HTML files with .exe extension (expired dropper behavior); Maps a DLL or memory area into another process
      kgen.exe
        network: taenaiaa.ac.ug (217.8.117.77; ports 49720, 49722, 49733; CREXFEXPEX-RUSSIARU, Russian Federation); karimgouss.ug; 5 other IPs or domains
        dropped: C:\Users\user\AppData\...\CcmfdgsaYsd.exe (PE32); C:\Users\user\AppData\...\CHmfdgaYsHsd.exe (PE32); C:\Users\user\AppData\Local\...\zxcv[1].EXE (PE32); C:\Users\user\AppData\Local\...\zxcvb[1].exe (PE32)
        CcmfdgsaYsd.exe
          dropped: C:\Users\user\AppData\Local\...\FGbfttrev.exe (PE32)
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Maps a DLL or memory area into another process
          FGbfttrev.exe
            signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
            FGbfttrev.exe
              network: morasergiox.ac.ug
              dropped: C:\Users\user\AppData\Local\Temp\rc.exe (PE32); C:\Users\user\AppData\Local\Temp\ds2.exe (PE32); C:\Users\user\AppData\Local\Temp\ds1.exe (PE32); 49 other files (none is malicious)
              signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 2 other signatures
          CcmfdgsaYsd.exe
            network: puffpuff423.top (104.27.132.115; ports 443, 49732; CLOUDFLARENETUS, United States); telete.in (195.201.225.248; ports 443, 49731, 49741; HETZNER-ASDE, Germany)
            dropped: C:\Users\user\AppData\...\kwduvAuOu4.exe (PE32); C:\Users\user\AppData\...\hL0AKUWVaf.exe (PE32); C:\Users\user\AppData\...\ovQrEoX7bu.exe (PE32); C:\Users\user\AppData\...\mfqTFwVbZZ.exe (PE32)
            signatures: Tries to steal Mail credentials (via file access); Hides threads from debuggers
            hL0AKUWVaf.exe
              network: cdn.discordapp.com (162.159.133.233; ports 443, 49740; CLOUDFLARENETUS, United States); discord.com (162.159.137.232; ports 443, 49739; CLOUDFLARENETUS, United States)
              dropped: C:\Users\user\AppData\Local\...\Opqhdrv.exe (PE32)
              signatures: Detected unpacking (creates a PE file in dynamic memory); Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
              svchost.exe
            kwduvAuOu4.exe
              dropped: C:\Users\user\AppData\Roaming\...\cavlc.exe (PE32)
              signatures: Creates an undocumented autostart registry key; Injects a PE file into a foreign processes
            cmd.exe
              conhost.exe
              timeout.exe
            2 other processes
          FDvbcgfert.exe
            signatures: Detected unpacking (overwrites its own PE header)
            FDvbcgfert.exe
              network: taenaiaa.ac.ug
              signatures: Tries to steal Crypto Currency Wallets; Hides threads from debuggers
              cmd.exe
                conhost.exe
                taskkill.exe
        CHmfdgaYsHsd.exe
          dropped: C:\Users\user\AppData\Local\...\azchgftrq.exe (PE32)
          CHmfdgaYsHsd.exe
            network: 104.27.133.115 (ports 443, 49748; CLOUDFLARENETUS, United States)
            dropped: C:\Users\user\AppData\...\mFzY8kQWLN.exe (PE32); C:\Users\user\AppData\...110pdV6iu2vi.exe (PE32); C:\Users\user\AppData\...\6ZZZTgLxsR.exe (PE32); 60 other files (none is malicious)
            signatures: Tries to harvest and steal browser information (history, passwords, etc)
          azchgftrq.exe
            dropped: C:\Users\user\AppData\Local\...\ozchgftrq.exe (PE32)
            signatures: Injects a PE file into a foreign processes
            ozchgftrq.exe
              ozchgftrq.exe
                network: taenaiaa.ac.ug
                dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
                signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
            azchgftrq.exe
    adobe.snr.patch.v2.0-painter.exe
      dropped: C:\Users\user\AppData\...\vgm_player.dll (PE32)
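The process tree above is the part of this entry that translates most directly into endpoint detection: a sample spawns cmd.exe, which launches executables dropped under AppData, one of which starts svchost.exe itself (the "Suspicious Svchost Process" Sigma hit), while cmd.exe children run timeout.exe and taskkill.exe. The following is an added example, not MalwareBazaar or sandbox code, that turns those relationships into three small heuristics and runs them over constructed process-creation events shaped like Sysmon Event ID 1. The pids follow the graph's node numbers, but the full paths, parent of the sample, and command lines are assumptions; the page only gives file names and truncated directories.

```python
"""Process-tree triage for the execution chain in the behavior graph above.

Added example, not MalwareBazaar or sandbox code. Events are constructed to
mirror the page's tree (sample -> cmd.exe -> dropped AppData executables,
a user-land dropper starting svchost.exe, cmd.exe running timeout.exe and
taskkill.exe). Full paths, the sample's parent and command lines are
assumptions; field names follow Sysmon Event ID 1 but are not real telemetry.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the started process
    parent_image: str   # full path of its parent
    cmdline: str = ""


SAMPLE = r"C:\Users\user\Desktop\vHQYvz88iw.exe"
CMD = r"C:\Windows\System32\cmd.exe"
KGEN = r"C:\Users\user\AppData\Local\Temp\kgen.exe"
CCM = r"C:\Users\user\AppData\Roaming\CcmfdgsaYsd.exe"
HL0 = r"C:\Users\user\AppData\Roaming\hL0AKUWVaf.exe"
FDV = r"C:\Users\user\AppData\Local\FDvbcgfert.exe"   # directory not on the page; assumed

# Constructed events; pids reuse the graph's node numbers where it has them.
EVENTS = [
    ProcEvent(14, 1, SAMPLE, r"C:\Windows\explorer.exe"),
    ProcEvent(17, 14, CMD, SAMPLE),
    ProcEvent(21, 17, KGEN, CMD),
    ProcEvent(27, 21, KGEN, KGEN),                                  # re-executes itself while unpacking
    ProcEvent(31, 27, CCM, KGEN),
    ProcEvent(40, 31, CCM, CCM),
    ProcEvent(55, 40, HL0, CCM),
    ProcEvent(69, 55, r"C:\Windows\System32\svchost.exe", HL0),     # injection target
    ProcEvent(59, 40, CMD, CCM),
    ProcEvent(73, 59, r"C:\Windows\System32\timeout.exe", CMD, "timeout /t 5"),
    ProcEvent(75, 61, CMD, FDV),
    ProcEvent(84, 75, r"C:\Windows\System32\taskkill.exe", CMD, "taskkill /f /im FDvbcgfert.exe"),
    # Benign control: a service host started by the Service Control Manager.
    ProcEvent(900, 800, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
]

# Directories a standard user can write to; a PE launched from one of these is
# the "Executes dropped EXE" pattern the vendor results describe.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def basename(path):
    return ntpath.basename(path)


def in_user_writable(path):
    low = path.lower()
    return any(part in low for part in USER_WRITABLE)


def triage(events):
    """Return {pid: [rule, ...]} for every event that trips a heuristic."""
    by_pid = {e.pid: e for e in events}
    findings = {}

    def flag(pid, rule):
        findings.setdefault(pid, []).append(rule)

    for e in events:
        img = basename(e.image).lower()
        parent = basename(e.parent_image).lower()
        # Bare form of the "Suspicious Svchost Process" idea: svchost.exe is
        # normally a child of services.exe. Production rules add a few
        # legitimate-parent exclusions; this check has none.
        if img == "svchost.exe" and parent != "services.exe":
            flag(e.pid, "suspicious_svchost_parent")
        if img.endswith(".exe") and in_user_writable(e.image):
            flag(e.pid, "exe_from_user_writable_path")
        # "Delays execution with timeout.exe" / "Kills process with taskkill":
        # only interesting when the cmd.exe that ran them came from a dropped PE.
        if img in ("timeout.exe", "taskkill.exe") and parent == "cmd.exe":
            shell = by_pid.get(e.ppid)
            if shell is not None and in_user_writable(shell.parent_image):
                flag(e.pid, img[:-4] + "_via_cmd_from_dropped_exe")
    return findings


def lineage(events, pid):
    """Image names from the outermost known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, rules in sorted(triage(EVENTS).items()):
        print(pid, " -> ".join(lineage(EVENTS, pid)), rules)
```

The svchost.exe node is the one to escalate: the page's signatures on hL0AKUWVaf.exe (allocates foreign memory, writes to it, creates a remote thread) say the child is a hollowed host, so its later network activity will carry a trusted image name. The control event (pid 900) shows why the rule keys on the parent rather than the image path: both svchost instances live in System32.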
Threat name:
Win32.Trojan.Masslogger
Status:
Malicious
First seen:
2020-06-21 12:47:18 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Result
Malware family:
raccoon
Score:
  10/10
Tags:
family:asyncrat family:azorult family:modiloader family:oski family:raccoon discovery evasion infostealer persistence rat spyware stealer trojan upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Async RAT payload
AsyncRat
Azorult
Contains code to disable Windows Defender
ModiLoader, DBatLoader
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
agentttt.ac.ug:6970
agentpurple.ac.ug:6970
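The extracted C2 entries mix two shapes (a full URL for one family, bare host:port pairs for the AsyncRAT side) and the behavior graph adds further contacted domains, some of them on shared infrastructure where an IP block would hit unrelated traffic. The following is an added example, not MalwareBazaar code, that normalises the page's indicators into domain, IP and hash sets and matches them against constructed DNS, proxy and EDR log lines. The key=value log format is an assumption chosen for the example, and the pairing of kgen.exe with the first unpacked-file hash on the EDR line is invented: the page does not say which dropped file has which hash.

```python
"""Match this entry's indicators against constructed log lines.

Added example, not MalwareBazaar code. The C2 list, contacted domains and
hashes are copied from this page; the log lines and their key=value format
are constructed. The kgen.exe/hash pairing on the EDR line is invented.
"""
import ipaddress
import re
from urllib.parse import urlsplit

C2_EXTRACTION = [
    "http://195.245.112.115/index.php",
    "agentttt.ac.ug:6970",
    "agentpurple.ac.ug:6970",
]
# Contacted hosts from the behavior graph. IPs are kept only for dedicated
# infrastructure: puffpuff423.top and the Discord hosts sit behind Cloudflare
# and telete.in is a public Telegram mirror used here as a lookup, so matching
# those IPs would flag unrelated traffic.
NETWORK_INDICATORS = {
    "taenaiaa.ac.ug": "217.8.117.77",
    "agentpapple.ac.ug": None,
    "morasergiox.ac.ug": None,
    "karimgouss.ug": None,
    "puffpuff423.top": None,
    "telete.in": None,
}
SAMPLE_HASHES = {
    "bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184",  # this sample
    "a15aed8d744abb73e47450d899fa0df436c77fd5014ed0dfef47d630127f5b1e",  # first unpacked file
}


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_c2(entry):
    """(host, port, path) for a C2 given as a URL or as host:port."""
    if "://" in entry:
        u = urlsplit(entry)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path or "/"
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        return entry, None, None
    return host, int(port), None


def build_ioc_sets():
    domains, ips = set(), set()
    for entry in C2_EXTRACTION:
        host = parse_c2(entry)[0]
        (ips if is_ip(host) else domains).add(host.lower())
    for domain, ip in NETWORK_INDICATORS.items():
        domains.add(domain.lower())
        if ip:
            ips.add(ip)
    return domains, ips, {h.lower() for h in SAMPLE_HASHES}


DOMAINS, IPS, HASHES = build_ioc_sets()


def matches_domain(name):
    """The indicator that name equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


def host_hits(host):
    if is_ip(host):
        return {("ip", host)} if host in IPS else set()
    hit = matches_domain(host)
    return {("domain", hit)} if hit else set()


KV = re.compile(r"(\w+)=(\S+)")

LOGS = [  # constructed
    "2020-11-29T07:25:01Z dns client=10.0.0.12 query=agentpurple.ac.ug type=A",
    "2020-11-29T07:25:03Z proxy client=10.0.0.12 dst=195.245.112.115:80 url=http://195.245.112.115/index.php",
    "2020-11-29T07:25:04Z dns client=10.0.0.12 query=www.example.com type=A",
    r"2020-11-29T07:25:06Z edr host=WS12 file=C:\Users\user\AppData\Local\Temp\kgen.exe sha256=a15aed8d744abb73e47450d899fa0df436c77fd5014ed0dfef47d630127f5b1e",
    "2020-11-29T07:25:09Z dns client=10.0.0.13 query=cdn.taenaiaa.ac.ug type=A",
]


def scan(lines):
    """[(line_no, kind, indicator)] for every line that touches a known IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        kv = dict(KV.findall(line))
        found = set()                      # dst and url on one line count once
        if "query" in kv:
            found |= host_hits(kv["query"])
        if "dst" in kv:                    # host:port (IPv4 only in this example)
            found |= host_hits(kv["dst"].rpartition(":")[0] or kv["dst"])
        if "url" in kv:
            found |= host_hits(urlsplit(kv["url"]).hostname or "")
        if kv.get("sha256", "").lower() in HASHES:
            found.add(("sha256", kv["sha256"].lower()))
        hits.extend((n, kind, value) for kind, value in sorted(found))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan(LOGS):
        print(f"line {n}: {kind} {value}")
```

Subdomain matching is deliberate: the graph shows the chain resolving several .ac.ug names under the same operator, so a query for any child of a listed domain is treated as a hit, while the bare TLD is never tested. Hash matching is exact and should be treated as the weakest of the three signals here, since the page lists seven unpacked-file hashes for a chain whose droppers regenerate file names on each run.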
Unpacked files
SHA256 hash: a15aed8d744abb73e47450d899fa0df436c77fd5014ed0dfef47d630127f5b1e
MD5 hash: 31c6067396df6a5b5b7deeb0385b87cf
SHA1 hash: 7196e4bfc58d0980c1bf6de8ead334028597aeb5
SHA256 hash: c5f76741a5b02c7373a05c13f44b47af60d130f2b2d1a510e7df270bd2e4d62a
MD5 hash: 47361f2e1ce562953c36c1e3e4509c06
SHA1 hash: 84031b61e761160040c0f02fcdbf5149afa4ce1c
SHA256 hash: 21e2d0ba0eb08a76e21deb0b995119892236c18c4e7865329adfe7fd26f5ed06
MD5 hash: 3147c763afd20b9105f14ee97149de59
SHA1 hash: d200e830b9a5f78536e2d1197a24022a2cca83b2
SHA256 hash: 70a9fcd8bf66d953703af0c52e02873faf2243addbf9618e3c532a9646bf419d
MD5 hash: 48f2ac00fc37df5c8f17bf86210f5521
SHA1 hash: ca2bc2e206c29aeea33133f875adc5a8f3e0fbb1
SHA256 hash: b32daae503ccc37bff765291ce5a19d6aeb938ca9a9cfa8f321cf01e7f16200a
MD5 hash: 7c96bb38060b242a25571fa463076034
SHA1 hash: da2e9114acc23a0590306c0fffe31d0ae22f7fa2
SHA256 hash: ab68aff4fa72799d4f83bb5f9ff2a9028bd142cec36717c11786eb4737cdb160
MD5 hash: c26ccb747f3cb6f78d5d494a75e3bf76
SHA1 hash: 49e13dee4bfd0a4aa2621fdd11f6449ec7ffa9d5
SHA256 hash: bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184
MD5 hash: 1fb060d7141deadc6675723d6dd905fc
SHA1 hash: 56e830b1cd6126e1495fdfffef3fd907d2eeb89e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: asyncrat
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
Rule name: Reverse_text_bin_mem
Author: James_inthe_box
Description: Reverse text detected
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: win_asyncrat_j1
Author: Johannes Bader @viql
Description: detects AsyncRAT
Rule name: win_asyncrat_w0
Author: JPCERT/CC Incident Response Group
Description: detect AsyncRat in memory
Reference: internal research
