MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 16



SHA256 hash: ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1
SHA3-384 hash: 18cdfa1f817a3c2693f5fc9a6c3ce8392053ebec26bf0f4622452520ab729fc65c3207acc6105e335b4e85dabae25ab6
SHA1 hash: bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a
MD5 hash: 8f1c8b40c7be588389a8d382040b23bb
humanhash: angel-oxygen-fix-football
File name: 8f1c8b40c7be588389a8d382040b23bb.exe
Signature: RaccoonStealer
File size: 1'241'088 bytes
First seen: 2021-12-10 13:46:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1715d4e9b83d4067f1f68c3c4012c17 (1 x RaccoonStealer, 1 x AZORult)
ssdeep: 24576:mMyMzC8+ovorlBtugg0uHqJkSkSZI7C8JaYRHwOwhNGWwQ58Xaj8rac:mMHF+lxuPHYkSfI77aYRQOayac
Threatray: 11'646 similar samples on MalwareBazaar
TLSH: T1C64501037A254403E1580A7249E697E53B3EBD17B6036E1FF788BE2D1CB27462DE057A
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://185.163.204.230/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://185.163.204.230/ https://threatfox.abuse.ch/ioc/273518/
http://prepepe.ac.ug/   https://threatfox.abuse.ch/ioc/273519/

Intelligence


File Origin
# of uploads:
1
# of downloads:
330
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8f1c8b40c7be588389a8d382040b23bb.exe
Verdict:
Malicious activity
Analysis date:
2021-12-10 13:51:19 UTC
Tags:
trojan stealer vidar raccoon rat azorult

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
67%
Tags:
anti-debug anti-vm greyware hacktool obfuscated packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult Clipboard Hijacker DBatLoader Ra
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected DBatLoader
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
[Interactive behavior graph not reproduced here. Behavior Graph ID: 537862; Sample: BQvbHU7WJb.exe; Startdate: 10/12/2021; Architecture: WINDOWS; Score: 100]
Threat name:
Win32.Infostealer.Azorult
Status:
Malicious
First seen:
2021-12-10 13:47:12 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 28 (78.57%)
Threat level:
5/5
Result
Malware family:
raccoon
Score:
10/10
Tags:
family:azorult family:oski family:raccoon botnet:5781468cedb3a203003fdf1f12e72fe98d6f1c0f collection discovery infostealer persistence spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Oski
Raccoon
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
Malware Config
C2 Extraction:
prepepe.ac.ug
http://195.245.112.115/index.php
Unpacked files
SHA256 hash:
ae7894c28cb6f9a1f55cffaf2594e68088973538026512b1d99826496a835ca2
MD5 hash:
54a71c5cb4767a604682643a505ae9be
SHA1 hash:
eb9c74a1a120204fdb3c8e75c0ff81ce1a0dfeae
Detections:
win_raccoon_auto
SHA256 hash:
44e45f9e9753531c3c3f669d73b62f0acd2a0db965b4872fe54481de83cb1922
MD5 hash:
1e3449ee27b460c288ba094318a88282
SHA1 hash:
3d33ef593759cd1d81934296b2d2ce08efd2fb0d
Detections:
win_oski_g0 win_oski_auto
SHA256 hash:
680d8a1401e7082a770e59e4c0c720f17313e9f0af7b200bb67f1f489ebcc33a
MD5 hash:
60a63b9099ea24350d789448f88c3b30
SHA1 hash:
6cf6e7b619f4e4213c4b54b46c188326da514725
Detections:
win_azorult_g1 win_azorult_auto
SHA256 hash:
ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1
MD5 hash:
8f1c8b40c7be588389a8d382040b23bb
SHA1 hash:
bef5209ae90a3bd3171e1e0be4e8148c4ccd8a6a
Malware family:
AZORult v3
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload
Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe ed58ffee46a583c177c792b56c9fc20ccd9509d125f2e3fc90c4f48de7e2c2a1

(this sample)
