MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 2 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6
SHA3-384 hash: 0103bdc301efc70b1978ca8ee2987d2429d6591f760b9152d10d8323dcadcb023a414b151602d5ccfd7d05c1ed12e407
SHA1 hash: a547f48576b72566319ad76470fca8621eeb1878
MD5 hash: 512ec87d386678a1a55f51150ab3c9c6
humanhash: tennis-eight-lima-illinois
File name:512ec87d386678a1a55f51150ab3c9c6.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'429'504 bytes
First seen:2021-07-08 11:45:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d98bce45dab9a77041968f41ed47c4c3 (2 x RaccoonStealer, 2 x AZORult)
ssdeep 24576:u3302NcI0zQQUAuqJE6g330hlAYY/T330WE5oVCeLaY1nYIo:u33YtUPqJEl33DYYr33PE5oVuYhYJ
Threatray 3'249 similar samples on MalwareBazaar
TLSH T1D765BF253EEA901AF07A9E711FE475E7DA6AFA733506584F9341030B0453E82EDE163B
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://34.89.184.90/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://34.89.184.90/ https://threatfox.abuse.ch/ioc/158448/
http://erolbasa.ac.ug/ https://threatfox.abuse.ch/ioc/158601/

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
512ec87d386678a1a55f51150ab3c9c6.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 11:49:00 UTC
Tags:
trojan rat azorult stealer vidar raccoon loader
Link:
https://app.any.run/tasks/74e7d03c-928f-4f14-bd99-2059b92469b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170429/
Detection(s):
Win.Malware.Trojanx-9875328-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be477710-c5d6-4bf0-9a19-5dc910a0bb86
Result
Threat name:
Azorult Raccoon Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813445
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Executable Used by PlugX in Uncommon Location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445856 Sample: O2XgKEttC7.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 84 cdn.discordapp.com 2->84 92 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 10 other signatures 2->98 10 O2XgKEttC7.exe 16 2->10         started        signatures3 process4 file5 76 C:\Users\user\AppData\...\dfgsrdtyggfe.exe, PE32 10->76 dropped 78 C:\Users\user\AppData\...\FDhgdfgfgrte.exe, PE32 10->78 dropped 112 Contains functionality to steal Internet Explorer form passwords 10->112 114 Maps a DLL or memory area into another process 10->114 14 FDhgdfgfgrte.exe 4 10->14         started        17 O2XgKEttC7.exe 88 10->17         started        21 dfgsrdtyggfe.exe 4 10->21         started        signatures6 process7 dnsIp8 116 Maps a DLL or memory area into another process 14->116 23 FDhgdfgfgrte.exe 68 14->23         started        80 tttttt.me 95.216.186.40, 443, 49701 HETZNER-ASDE Germany 17->80 82 34.89.184.90, 49702, 80 GOOGLEUS United States 17->82 52 C:\Users\user\AppData\...\wWBGgsGL3n.exe, PE32 17->52 dropped 54 C:\Users\user\AppData\...\sLS4gxVBob.exe, PE32 17->54 dropped 56 C:\Users\user\AppData\...\SgpAqQuUwk.exe, PE32 17->56 dropped 58 61 other files (none is malicious) 17->58 dropped 118 Tries to steal Mail credentials (via file access) 17->118 28 cmd.exe 17->28         started        30 SgpAqQuUwk.exe 17->30         started        32 sLS4gxVBob.exe 17->32         started        36 3 other processes 17->36 34 dfgsrdtyggfe.exe 188 21->34         started        file9 signatures10 process11 dnsIp12 86 erolbasa.ac.ug 185.215.113.77, 49699, 49705, 49709 WHOLESALECONNECTIONSNL Portugal 23->86 88 erolasa.ac.ug 23->88 60 C:\Users\user\AppData\Local\Temp\rc.exe, PE32 23->60 dropped 62 C:\Users\user\AppData\Local\Temp\ac.exe, PE32 23->62 dropped 64 C:\Users\user\AppData\...\vcruntime140.dll, PE32 23->64 dropped 72 47 other files (none is malicious) 23->72 dropped 100 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->100 102 Tries to steal Instant Messenger accounts or passwords 23->102 104 Tries to steal Mail credentials (via file access) 23->104 110 2 other signatures 23->110 38 ac.exe 23->38         started        40 rc.exe 23->40         started        42 conhost.exe 28->42         started        44 timeout.exe 28->44         started        90 192.168.2.1 unknown unknown 34->90 66 C:\ProgramData\vcruntime140.dll, PE32 34->66 dropped 68 C:\ProgramData\sqlite3.dll, PE32 34->68 dropped 70 C:\ProgramData\softokn3.dll, PE32 34->70 dropped 74 4 other files (none is malicious) 34->74 dropped 106 Tries to harvest and steal browser information (history, passwords, etc) 34->106 108 Tries to steal Crypto Currency Wallets 34->108 46 cmd.exe 34->46         started        file13 signatures14 process15 process16 48 conhost.exe 46->48         started        50 taskkill.exe 46->50         started       
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 11:46:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5oiipkum73kcyil54iqgvfnj6mqojbigeulv4uvvhtsrejfmklda._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
0b02739c5fd7a7fa53410bc2287c42cf66a3a6d51ecc9570e76e4f0f8129f2d7
RaccoonStealer
3ec3b418b0e06128ef80ff02866d30c8071ba54066411760b6f71cab0f4c24f9
RaccoonStealer
59dd63bc09da452ae3781f5570d0dfe344ff76df70419d89659ff73d7e691002
RaccoonStealer
5a4f75c16948eb90210b50a2af901dad431a231d5a4406ce55dad0cd943d5cd0
RaccoonStealer
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
RaccoonStealer
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
RaccoonStealer
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
RaccoonStealer
8b1c960881fc789460b5b274abd43baddb1c92e1a942d3a1080a4adb1f545e50
RaccoonStealer
ceb40abe1bf14b26e4fc311c373a43770dfc67c8a9d0801d8ae7509e3507eebd
RaccoonStealer
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
RaccoonStealer
+ 3'239 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:azorult family:oski family:raccoon discovery evasion infostealer persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/210708-7an2plmdln/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Async RAT payload
AsyncRat
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
erolbasa.ac.ug
icando.ug:6970
icacxndo.ac.ug:6970
Unpacked files
SH256 hash:
af07bc9da2344e77006cd41475632ab1a030b7b6bee7e65de9fd4bb9ff24c276
MD5 hash:
f43a170130bf8fc3590c11475a7cf9cf
SHA1 hash:
3622845278bb65d7f2c08673ca99039de6909a56
Detections:
win_raccoon_auto
Create hunting rule
Link:
https://www.unpac.me/results/4808181a-c05f-464a-bd5b-e70c61151d46/
Parent samples :
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6
83cca26268c671a45fb83a496b024c9a30944bae8afb4c3f70f0b47fb940ab25
SH256 hash:
2055e2d314e30e0d409425f9df47bcd9c884351212b7ff2f3da570c5dd530d13
MD5 hash:
b4b9cc1024fdb351bd36f06161a08170
SHA1 hash:
7b371172ddb53dd3db8e1622407e917c13ae600b
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/4808181a-c05f-464a-bd5b-e70c61151d46/
SH256 hash:
7999550c562b8b88411d4a8d7de628320ef4fe667952d3bbfff25a5a637f536c
MD5 hash:
d1e86a70b0627ac6b96ee19aa8a4bddb
SHA1 hash:
99d16440030b0ffa5452f60606eb20ea1da344b1
Detections:
win_azorult_g1
Create hunting rule
win_azorult_auto
Create hunting rule
Link:
https://www.unpac.me/results/4808181a-c05f-464a-bd5b-e70c61151d46/
SH256 hash:
eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6
MD5 hash:
512ec87d386678a1a55f51150ab3c9c6
SHA1 hash:
a547f48576b72566319ad76470fca8621eeb1878
Link:
https://www.unpac.me/results/4808181a-c05f-464a-bd5b-e70c61151d46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe eb9087aa8cfed42c217de2206a95a9f320e4850625175e52b53ce51224ac52c6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/446434/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/399075/
Cape
Cape
https://www.capesandbox.com/analysis/170429/

Comments