MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 15



SHA256 hash: e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb
SHA3-384 hash: d6bb37ec670ab757d269303fa1039a31b012da8973bbb86eac8e59282dbc60f167dc5e1d0055ee873a347be49c70f528
SHA1 hash: 719bd3259af48728d946ffd535d291a25d6a9eef
MD5 hash: 1d4043e95026d07137c5ea2205fcb854
humanhash: skylark-william-double-solar
File name: 1d4043e95026d07137c5ea2205fcb854.exe
Signature: RaccoonStealer
File size: 1'323'008 bytes
First seen: 2021-11-02 14:44:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 38bbd7b6af738c50eec8bb509ccc9556 (3 x RaccoonStealer, 1 x AZORult)
ssdeep: 24576:L0ODLGuA/+jaeVPLoaMugPehxqFuNQwU0K+1In9Fk5sFodXdxg:LnDLGuA/+jRpL8iIqQ8KoI9GHNS
Threatray: 7'047 similar samples on MalwareBazaar
TLSH: T1E455122B6D3A0623E0150DB087F286F51B7EBD2371556C1FEB80F94508E2A4A75E1B7B
Reporter: abuse_ch
Tags: exe RaccoonStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 113
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1d4043e95026d07137c5ea2205fcb854.exe
Verdict: Malicious activity
Analysis date: 2021-11-02 16:40:31 UTC
Tags: trojan stealer vidar rat azorult

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm greyware hacktool obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Azorult DBatLoader IPack Miner Raccoon V
Detection: malicious
Classification: phis.troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Costura Assembly Loader
Yara detected DBatLoader
Yara detected IPack Miner
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 513890): sample 6idzs246B6.exe, start date 02/11/2021, architecture WINDOWS, score 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 13 other signatures
Network: www.uplooder.net; 91.219.236.97 (ports 49762, 49771, 80; SERVERASTRA-ASHU, Hungary); t.me 149.154.167.99 (ports 443, 49761; TELEGRAMRU, United Kingdom); 4 other IPs or domains; colonna.ac.ug 185.215.113.77 (ports 49737, 49756, 49759; WHOLESALECONNECTIONSNL, Portugal); colonna.ug
Process tree:
6idzs246B6.exe (started)
  drops: C:\Users\user\AppData\Local\...\vbndfgame.exe (PE32); C:\Users\user\AppData\Local\...\cdvcxsdme.exe (PE32)
  signatures: Contains functionality to steal Internet Explorer form passwords; Maps a DLL or memory area into another process
  cdvcxsdme.exe (Maps a DLL or memory area into another process) -> cdvcxsdme.exe
    network: colonna.ac.ug (185.215.113.77); colonna.ug
    drops: C:\Users\user\AppData\Local\Temp\pm.exe (PE32+); C:\Users\user\AppData\Local\Temp\cc.exe (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 47 other files (none is malicious)
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); 2 other signatures
    pm.exe -> aspnet_compiler.exe
      drops: C:\Users\user\AppData\...\aspnet_compiler.exe (PE32+); C:\Users\user\AppData\Roaming\winda.exe (PE32+)
      signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    cmd.exe -> conhost.exe, timeout.exe
    cc.exe
  6idzs246B6.exe (child)
    network: 91.219.236.97; t.me (149.154.167.99); 4 other IPs or domains
    drops: C:\Users\user\AppData\...\WgeKAeJhmv.exe (PE32); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); 57 other files (none is malicious)
    signatures: Tries to steal Mail credentials (via file / registry access)
  vbndfgame.exe -> vbndfgame.exe
    drops: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
    signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    cmd.exe -> conhost.exe, taskkill.exe
winda.exe (started)
Threat name: Win32.Trojan.Razy
Status: Malicious
First seen: 2021-11-02 14:45:06 UTC
AV detection: 20 of 45 (44.44%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:azorult family:oski family:raccoon botnet:32365171a31c4583d6e3b7aad1690e41cefc38eb collection discovery infostealer persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
colonna.ac.ug
http://195.245.112.115/index.php
Unpacked files
SHA256 hash: 043bfb6bf60bfb03476fc98d5bbcfc45e25ca329180a0106cda13286474e5875
MD5 hash: 998595d89aa77aa32bbd7d1f4f3fa79b
SHA1 hash: c81aac77379eb7d62a3ce634a30f0357025ff78a
Detections: win_raccoon_auto
SHA256 hash: 2f37f7944302ee85725875e649b86503e324b71c5e9220008b87ce11259ef927
MD5 hash: 2a362f67905c0ea9b1fb8c45a2324653
SHA1 hash: a7baf62be4eea0b306b3757423930deed3aa791a
Detections: win_oski_g0 win_oski_auto
SHA256 hash: cd8d561b73fbf587868bb47c6b20d6d6ee76f6bfeb20f4352f63dc45b887906b
MD5 hash: 65eddbb892f8ceca2734c3e18f12b760
SHA1 hash: dbba491a9126fd37fe9ba4b62725d108c8978640
Detections: win_azorult_g1 win_azorult_auto
SHA256 hash: e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb
MD5 hash: 1d4043e95026d07137c5ea2205fcb854
SHA1 hash: 719bd3259af48728d946ffd535d291a25d6a9eef
Malware family: AZORult v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File type: Executable exe
SHA256 hash: e688db3d0be7a10fa8ddd79918265cac9ef0949d7d07072f82aff9ae43d6fadb (this sample)
