MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d88640b60a99a39f22a11731d0fc886fd2c9fdfb094f42886e6ba419025e69ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 13

SHA256 hash: d88640b60a99a39f22a11731d0fc886fd2c9fdfb094f42886e6ba419025e69ec
SHA3-384 hash: 18cb96761fff87d11a19cc981d295a175ef29030fa577eb00408418e40d267f2bda89f216060d81240b65035f950cbaa
SHA1 hash: b3101df9e1c686d2c92814106c414eef586e7589
MD5 hash: e1acbd5a6f99723b593c01d66db26b8d
humanhash: april-jupiter-monkey-idaho
File name: e1acbd5a6f99723b593c01d66db26b8d
Signature: RaccoonStealer
File size: 1'117'696 bytes
First seen: 2021-10-22 00:12:53 UTC
Last seen: 2021-10-22 01:16:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:w06qmrWqPh8mEa3H1WG+34OJ0CFpD0Yn+511xRZ8q2XoHWwb:8rWI8jYH1m4OJ0gpD0Y+rY
Threatray 4'938 similar samples on MalwareBazaar
TLSH T14635232F9BB43160D66A9176F542AC005781DF42BC6CFE707297AF0D6626BDBC702E81
dhash icon cc33a86955c403c4 (3 x AZORult, 2 x AsyncRAT, 1 x RaccoonStealer)
Reporter zbetcheckin
Tags: 32 exe RaccoonStealer

Intelligence

File Origin
# of uploads:
2
# of downloads:
195
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
fingerprint obfuscated packed raccoonstealer stealer
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Azorult Clipboard Hijacker DBatLoader IP
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected DBatLoader
Yara detected IPack Miner
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 507376, Sample: UrpNykvzpb, Startdate: 22/10/2021, Architecture: WINDOWS, Score: 100]
Threat name:
ByteCode-MSIL.Infostealer.Azorult
Status:
Malicious
First seen:
2021-10-20 18:32:33 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
5/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:azorult family:oski family:raccoon botnet:b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
scarsa.ac.ug
Unpacked files
SHA256 hash:
a9b217d2ca68d775529d30ed7d4d080e621844a3814cafa801312c40789d3819
MD5 hash:
8dc4dba7fb2d5354fe7a6234159919f2
SHA1 hash:
d14073ac164f59809d24378418f0fcda083137e4
Detections:
win_oski_g0 win_oski_auto
SHA256 hash:
3f6205d72de5c90bd0884741506345e06af1a3b7b4caad182f79ed201687f126
MD5 hash:
4b0cf0e6db402ca01340eaa0bba9f440
SHA1 hash:
107a99e0c3486f2599cfe3a967fa9889b49f2cb4
SHA256 hash:
6dc2daaea3e07046bf164f0dccdd34fddeacc09452285adaa4ddf69b2f12f4c3
MD5 hash:
75caaab68dd320f32cee6063aeb74bd5
SHA1 hash:
e242d9bfc47c8ffe49da850b430a419a56917c77
SHA256 hash:
f2ff3b992c2681c9b655c7752fbf873fe3b1d3d64e9414b5e052173f5f614b5d
MD5 hash:
6b4aca368d247d3ee1e9069263656be8
SHA1 hash:
b5f3ca8ff3acca548d2d2419b4d671b8629122a3
SHA256 hash:
6b496ab097a31e2adb5e33e8fb86908aad060249e760e24deb3594976ff1ac36
MD5 hash:
135b817fe351fd15bfc89e0b46d4a4eb
SHA1 hash:
83dd80152fa28d67c8714fd7fc98a3ee0d1c5d1f
Detections:
win_azorult_g1 win_azorult_auto
SHA256 hash:
92e2cc7980fc342c59860a0e6a16c73f10ee3b0caac53530121e89448933d305
MD5 hash:
960586bdf44ca1fcb8e80cd5846a77b6
SHA1 hash:
50d76e219c07a9dc6d7fd827c9fe9f3ef050cfcb
SHA256 hash:
1e6e895ff1a31391853de10808decbe9ca6e9a804ca18c76b64167b91536dc6f
MD5 hash:
f4acac7d4d3468d56280f87625d6477e
SHA1 hash:
d484aad961ed08d6ec06b4400e20d6da7984a3de
SHA256 hash:
ba02b2d15ec8693a3ea56722a67f7513516c94003bb89a95500357aa171046c3
MD5 hash:
ab9655a9a05b2b4d020dfe51c6e5bfe1
SHA1 hash:
3a385087ba3fbf7ceae09c9eaac85058d0454d32
SHA256 hash:
f8d9a903437f400e966400dc39a29766c4ec5bdda653df26f38223a60cf9d8fd
MD5 hash:
3150064402f36329ddf08cd2fbfa304b
SHA1 hash:
09c64f292f17a325f16eb6a0a9681a8fed47f406
Detections:
win_raccoon_auto
SHA256 hash:
d88640b60a99a39f22a11731d0fc886fd2c9fdfb094f42886e6ba419025e69ec
MD5 hash:
e1acbd5a6f99723b593c01d66db26b8d
SHA1 hash:
b3101df9e1c686d2c92814106c414eef586e7589
Malware family:
Raccoon v1.7.2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
RaccoonStealer | Executable exe | d88640b60a99a39f22a11731d0fc886fd2c9fdfb094f42886e6ba419025e69ec (this sample)

Comments

zbet commented on 2021-10-22 00:12:54 UTC

url: hxxp://backgrounds.pk/zxcvb.exe