MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7
SHA3-384 hash: 146b1e3faca152b22090d656f81164a9dc83e920e6231b18eee04973818f4fe84a92cdc17536959f73d0941c18dfb6d2
SHA1 hash: 9460cc91ae5c6acf8dcdbf57c4ad1f3d3210358d
MD5 hash: 1df12c42ef50621d6a80a8a48181fa78
humanhash: monkey-maryland-robin-white
File name:1df12c42ef50621d6a80a8a48181fa78.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'036'352 bytes
First seen:2021-10-28 23:07:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 38bbd7b6af738c50eec8bb509ccc9556 (3 x RaccoonStealer, 1 x AZORult)
ssdeep 12288:hxt6hRd3GUju9Al4QMe89d18EbVAXMJrQF0p4v9TH9yzsN2j33+RgshWtqU59d35:hxQhf3DcA78DbVAXWQF0p2hNIeQqU5wu
Threatray 6'917 similar samples on MalwareBazaar
TLSH T10025011A2D7B0563F0054DB10BF096F61BBDFC533492DC1F9B45AA4818E2B8A68D1B7B
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.181/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.181/ https://threatfox.abuse.ch/ioc/239344/

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.VBGeneric-9903884-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a19fdc0e-f472-4caa-91bf-88ccc26c0bb9
Result
Threat name:
Azorult Raccoon
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878933
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 511367 Sample: dB8xqaf0Ec.exe Startdate: 29/10/2021 Architecture: WINDOWS Score: 100 51 telegin.top 2->51 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 9 other signatures 2->65 8 dB8xqaf0Ec.exe 16 2->8         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\...\Vtergfds.exe, PE32 8->43 dropped 45 C:\Users\user\AppData\Local\...\Vereransa.exe, PE32 8->45 dropped 71 Contains functionality to steal Internet Explorer form passwords 8->71 73 Maps a DLL or memory area into another process 8->73 12 Vtergfds.exe 4 8->12         started        15 Vereransa.exe 4 8->15         started        17 dB8xqaf0Ec.exe 8->17         started        signatures6 process7 dnsIp8 75 Maps a DLL or memory area into another process 12->75 20 Vtergfds.exe 54 12->20         started        24 Vereransa.exe 188 15->24         started        47 telegka.top 17->47 49 telegin.top 17->49 signatures9 process10 dnsIp11 53 scarsa.ac.ug 185.215.113.77, 49747, 49748, 80 WHOLESALECONNECTIONSNL Portugal 20->53 55 milsom.ac.ug 20->55 57 192.168.2.1 unknown unknown 20->57 27 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 20->27 dropped 29 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 20->29 dropped 31 C:\Users\user\AppData\Local\...\nssdbm3.dll, PE32 20->31 dropped 39 44 other files (none is malicious) 20->39 dropped 33 C:\ProgramData\vcruntime140.dll, PE32 24->33 dropped 35 C:\ProgramData\sqlite3.dll, PE32 24->35 dropped 37 C:\ProgramData\softokn3.dll, PE32 24->37 dropped 41 4 other files (none is malicious) 24->41 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 24->67 69 Tries to steal Crypto Currency Wallets 24->69 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7/
Threat name:
Win32.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 13:08:22 UTC
AV detection:
28 of 44 (63.64%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ov5ummv7la2y6cinyu7vawqli7dxpf2ekvcsgi57qqze3qcpw3q._file
Verdict:
malicious
Similar samples:
06bc17a2517d3c471c978b342e512234a3f9a8eb16e938e7be57b1b67da99bea
RaccoonStealer
84a40405e621a10c9259ff45e052fab0789a6ff956eb95985a12d715d64e5b72
RaccoonStealer
98a95a5a51b25140ce1d02655bcdac7f820f1feee5606b41d9c94747aae570aa
RaccoonStealer
9d4a0a8ffa11fc953750c07bd6997bcd23871fe277f65b4113e197b779aa24f0
RaccoonStealer
a85ef03cd5003b5aa6f886fcf1ee608f913ce08f5d0d3d3bb64fa41201df8502
RaccoonStealer
ccd5ab291113bf69fcbccee8ab889c9cf5a0d0240feed43b73785497ace3c467
RaccoonStealer
d3d844bca757cfac2bc5cd8cc9bd9d806358eb3af100fdecddb5d0848cd706af
RaccoonStealer
+ 6'907 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:oski family:raccoon botnet:b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/211028-24jvcsccf8/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
scarsa.ac.ug
Unpacked files
SH256 hash:
f53d7ccac769286e829b9c88987bd89bebdd50ecff09544431f82d120b2f862e
MD5 hash:
aaed5f83a3497b0d0b1b71a2efd6d33c
SHA1 hash:
5fd2a23499fb18ef988d2f9c176eacca0af8b413
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c943ff5-ebfd-4cd5-bcee-5b83039e42d5/
Parent samples :
f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7
SH256 hash:
972b23f366462e812425f04d9a40b945f6586bb3cab4cc837fadc175ae8c291f
MD5 hash:
d23ac98d814747fcc6979244b4b495e8
SHA1 hash:
8a59b008b40f9f8cab6a5f1662c7b6fde008e892
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c943ff5-ebfd-4cd5-bcee-5b83039e42d5/
SH256 hash:
117a0d3a8cfac2853fc02d97fdc31ba4ec1d22a72f1189c5bc787bf04b415e2e
MD5 hash:
b95690a2a5cc375424e5cd65a0a7bcd2
SHA1 hash:
0a761a689a2b028de35a774c3c8b760ac407f83d
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/9c943ff5-ebfd-4cd5-bcee-5b83039e42d5/
Parent samples :
f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7
SH256 hash:
d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7
MD5 hash:
1df12c42ef50621d6a80a8a48181fa78
SHA1 hash:
9460cc91ae5c6acf8dcdbf57c4ad1f3d3210358d
Link:
https://www.unpac.me/results/9c943ff5-ebfd-4cd5-bcee-5b83039e42d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3abda3195fac1ac78486e29fa82d05a3e3bbcba22aa29191dfc21926e027db7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments