MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec602e5151e622f2f47d79575dc42aacf84681c7f4f901b146a5edb85507f788. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer
Vendor detections: 9

SHA256 hash: ec602e5151e622f2f47d79575dc42aacf84681c7f4f901b146a5edb85507f788
SHA3-384 hash: c70ca898c18c078fabc0bef6f31dc6054efc8de15dd62569aa20540bd7b51b0d79b3cedb69c37134004b3f95673a0b9f
SHA1 hash: be839bfca14bf92aed92083fd118afd1c7919f96
MD5 hash: 1fecb6eb98e8ee72bb5f006dd79c6f2f
humanhash: mountain-red-finch-nine
File name: be839bfca14bf92aed92083fd118afd1c7919f96.exe
Signature: RaccoonStealer
File size: 4'498'301 bytes
First seen: 2021-06-08 07:06:48 UTC
Last seen: 2021-12-16 23:24:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (293 x GuLoader, 51 x VIPKeylogger, 48 x RemcosRAT)
ssdeep: 98304:Jr5Pi396Hjee/ATcUEuclRuPUSp6pPsklZnhNCv8Q6H6cI/nR:Jr509Gqe/AIUEuclR0USgpPsklZnev84
Threatray: 37 similar samples on MalwareBazaar
TLSH: 482633D4911095FACAF10A3DB4C95F97906344B2C43BB9BDFEA4B7CA7E06C20A516E13
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
195.133.47.9:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
195.133.47.9:80     https://threatfox.abuse.ch/ioc/67395/
80.92.206.22:80     https://threatfox.abuse.ch/ioc/68028/

Intelligence


File Origin
# of uploads: 2
# of downloads: 162
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 60b632_FL-Studio-20832.zip
Verdict: Malicious activity
Analysis date: 2021-06-01 13:23:08 UTC
Tags: trojan evasion opendir loader stealer vidar ficker rat redline danabot phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Creating a file
Searching for the window
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj
Score: 84 / 100
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph (figure not recoverable; details preserved from the graph text):
Behavior Graph ID: 431037 | Sample: tdPUyfLaN3.exe | Startdate: 08/06/2021 | Architecture: WINDOWS | Score: 84
Process chain:
tdPUyfLaN3.exe (started) drops C:\Users\user\AppData\...\setup_installer.exe (PE32) and starts setup_installer.exe
setup_installer.exe drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\Local\...\metina_7.exe (PE32), C:\Users\user\AppData\Local\...\metina_5.exe (PE32) and 11 other files (5 malicious), then starts setup_install.exe
setup_install.exe contacts estrix.xyz and 127.0.0.1 (unknown, unknown), triggers "Performs DNS queries to domains with low reputation", and starts WerFault.exe and conhost.exe
Graph signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 3 other signatures

Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-06-02 10:46:55 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: aspackv2
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Unpacked files
SHA256 hash:
0edfac6be11732ddd99db66821ee47408c2dc1e9bed68e5ef9a8e130c565b79b
MD5 hash:
cbd6029abaa8e977d3b7435c6f70dd0e
SHA1 hash:
ebb89d4d7659ef77b658a86ad00dba0ead869f4c

SHA256 hash:
9a9a50f91b2ae885d01b95069442f1e220c2a2a8d01e8f7c9747378b4a8f5cfc
MD5 hash:
957460132c11b2b5ea57964138453b00
SHA1 hash:
12e46d4c46feff30071bf8b0b6e13eabba22237f

SHA256 hash:
7704c4712c432db0c9b9e57ca1c15a3b5d2072cf3ede04b671a92c196f46172e
MD5 hash:
a7e4bfacf721b725d39fa023e0130200
SHA1 hash:
682718ecdbad703fa5f132b57c6f6da87f7eaf42

SHA256 hash:
fced8a5ad324b478f3ca1de3a1f7c67847851aed64e7e2576b2ab49aecdc22a7
MD5 hash:
46845a914d94a9beeba2415561c4a690
SHA1 hash:
0d1f8347f1ef8df415e2a1ff70f79bbbafd39a38

SHA256 hash:
6c7ea7f08800653f81344656f8d6969d0783d9cb066807d6da9b246a7676875b
MD5 hash:
763a13ea55eb1702cb15190b6e123799
SHA1 hash:
fa55c3047a9bda3c39d49e6db0ed1c400f729b24

SHA256 hash:
eb3691d3a707c8b1d5b45402ef3344d7e6388eaac64065a13cf5c9afa53a2b01
MD5 hash:
3038ae600c1657fad2fdc1a3072820d2
SHA1 hash:
6a855667f0219302dbe1ab2c80feb56c8822051b

SHA256 hash:
f6b8b44e47658ee410c33a86b340ba0e6eadeae1b276feb947406b50c1ac804c
MD5 hash:
ea2b9402fa612abd3cc1418cad0a4644
SHA1 hash:
3ea4426b7dbc47063ab6eee8a6c6b22762c30ace

SHA256 hash:
28020c8e7fccc47fcf37896f6828b3f978fc946764fc8b416a088b65ff166860
MD5 hash:
f9aa38507c2fe82e4186b7bc25e1b093
SHA1 hash:
3021547606460a99fe8391ff0a932d8df8601842

SHA256 hash:
16475b2a669b3861115e4d166097006d9a523b4e73be8446efc166fdee8174f3
MD5 hash:
6024b3fd3069c2492fdc0b22626cf78c
SHA1 hash:
2e2ca98c9e2f9f8b41557c1bda11fc27ff8f5804

SHA256 hash:
48dcd9dd2293c0eb836460916be8bcf08d20191e1af9851ff5bc75b7344eb905
MD5 hash:
2db518688116cdd0bf10081244f4dc66
SHA1 hash:
26f13e8c836ed665440547a5053583a4d20185cf

SHA256 hash:
08e7bd0f28b7ce09922bf6551be3475075594da2343352dfa547b2dc601603e5
MD5 hash:
86e3a2e9d9bf3df4d5fec1f0b7074b02
SHA1 hash:
2315e22fe1fe767a29f4e98844c9307019075803

SHA256 hash:
01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7
MD5 hash:
5e6df381ce1c9102799350b7033e41df
SHA1 hash:
f8a4012c9547d9bb2faecfba75fc69407aaec288

SHA256 hash:
b26d99296cc1f38ad735c36a305eb206b8a9022e92b463886ed918f42dee0b04
MD5 hash:
9decb9ebf19e4e45bd75f175140e1018
SHA1 hash:
c9d35d2bc78dd37270dbe17f2555324c6f560d11

SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash:
35d970ddc304328a2408d39cc56803cf0b7f532387e23594b8b2fb82185b546a
MD5 hash:
04498c94e0c929b3aba33c29d459b593
SHA1 hash:
f9f3fd7a4f694b117f6c897c65b57a64a9ef9847

SHA256 hash:
362e9911976a10b0091c7b28e43345d1c2f78fd2c4670e56b668a480d32f2942
MD5 hash:
29210d8751dd24b12366ac06baa97ee5
SHA1 hash:
9937394e97a5bce4904bc41fe95f971370893640

SHA256 hash:
8a5be0a28e8c0ad3cff0ce13de83911091d1b6d4b733ddd70191ef253b2edb37
MD5 hash:
a7016bace5a536b9d71f34c066280ea6
SHA1 hash:
0279af46eed19fca7c7926cb19621a01698e8b7b

SHA256 hash:
257712315b2c3c893b5a0da7ba51d7ad5ec399ff8eca458960f80809fa32e902
MD5 hash:
780234e32dcdbab85fea637b348757bc
SHA1 hash:
aad25b4d4822befa2a1c35935bdc99b79ddedd91

SHA256 hash:
09c0739b58b147eb0d045993b9a787e74a5cee986f7eeb4bf76aa8bc886a8390
MD5 hash:
6e0a7335ca7b5718572a1d43479106b3
SHA1 hash:
5ddaece86f5639e68841dc230d8de52f7d1d0f2f

SHA256 hash:
17eba5a8fc60b5e62fbbea29e971691988da98a98db3a2c2bf9aad00b1b72dc4
MD5 hash:
e74d9b73743dfbb9f025a7908c85da37
SHA1 hash:
8a5b323b090cb0d2c4ff59f0ef520d323dd86097

SHA256 hash:
1df502484dc5f87c4919ff6bd67f78f7625e82af83ee685bc8a8b156f0d372cb
MD5 hash:
a079641832418c150364e59abdcc478e
SHA1 hash:
372177b007a6ebe253452ccfb6ec2b87d5f45893

SHA256 hash:
43efd6beeee156464ec3f063dab2c36d7ecf16fccd4d031fe9923adedc6cb12a
MD5 hash:
a79136f04d3b963ebec35c883183c698
SHA1 hash:
542bbf5c9dd61acf76b8bc9e35a40507b2ff3c20

SHA256 hash:
ec602e5151e622f2f47d79575dc42aacf84681c7f4f901b146a5edb85507f788
MD5 hash:
1fecb6eb98e8ee72bb5f006dd79c6f2f
SHA1 hash:
be839bfca14bf92aed92083fd118afd1c7919f96

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments