MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f327fd0a9151dfcbdfadd244a57d3cdb08e55f5ec3ced39497a39c2ff01d95ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f327fd0a9151dfcbdfadd244a57d3cdb08e55f5ec3ced39497a39c2ff01d95ce
SHA3-384 hash: 1cf696ff939d2ee6eebf387e72ee67d3ed280830685b8c3a5cc06e43e80159eaf8b4c05324a9d9baa1b91a00772e9a38
SHA1 hash: 2f2809646e6975ead89c03c68bcb5afcc6b13e9e
MD5 hash: 3e4fc0a2364bedd52d261bfd9af66da0
humanhash: winter-tennessee-oranges-delaware
File name:3e4fc0a2364bedd52d261bfd9af66da0.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:1'121'280 bytes
First seen:2021-01-11 07:20:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ca72ce6d234484eb31154fa1222265c (1 x RaccoonStealer)
ssdeep 6144:n9QSoLpPjk9AWDmVgVoTramaqbMMLxbf:9QhLFjnWqVgVona+bMs
Threatray 398 similar samples on MalwareBazaar
TLSH 5635BF0CB3C0D432E31114768661C7B28E6A7C7D3B26AEBBAFC81BB91F356D1A615345
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
https://havalpartsch.top

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e4fc0a2364bedd52d261bfd9af66da0.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 07:21:10 UTC
Tags:
loader trojan amadey stealer hvnc
Link:
https://app.any.run/tasks/cbdecc8e-df81-46a8-9869-cef3e635cbbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111198/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6524.21319.30548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Running batch commands
DNS request
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% directory
Reading critical registry keys
Deleting a recently created file
Sending a custom TCP request
Moving a file to the %AppData% subdirectory
Launching the default Windows debugger (dwwin.exe)
Replacing files
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577622
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Amadey bot
Yara detected Amadey\'s stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337860 Sample: T0OF1cgtAR.exe Startdate: 11/01/2021 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Antivirus detection for dropped file 2->54 56 7 other signatures 2->56 8 T0OF1cgtAR.exe 4 2->8         started        process3 file4 30 C:\ProgramData\3094e75976\rween.exe, PE32 8->30 dropped 68 Detected unpacking (overwrites its own PE header) 8->68 70 Contains functionality to inject code into remote processes 8->70 12 rween.exe 20 8->12         started        signatures5 process6 dnsIp7 48 dustontail.top 45.143.136.43, 49707, 49708, 49709 GARANT-PARK-INTERNETRU Russian Federation 12->48 32 C:\Users\user\AppData\Local\...\scr[1].dll, PE32 12->32 dropped 34 C:\Users\user\AppData\Local\...\cred[1].dll, PE32 12->34 dropped 36 C:\ProgramData\2603f3488c41d3\scr.dll, PE32 12->36 dropped 38 C:\ProgramData\2603f3488c41d3\cred.dll, PE32 12->38 dropped 74 Antivirus detection for dropped file 12->74 76 Multi AV Scanner detection for dropped file 12->76 78 Detected unpacking (overwrites its own PE header) 12->78 80 Machine Learning detection for dropped file 12->80 17 rundll32.exe 12->17         started        21 rundll32.exe 1 12->21         started        23 cmd.exe 1 12->23         started        file8 signatures9 process10 dnsIp11 40 192.168.2.5, 443, 49231, 49675 unknown unknown 17->40 42 dustontail.top 17->42 44 192.168.2.1 unknown unknown 17->44 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->58 60 Tries to steal Instant Messenger accounts or passwords 17->60 62 Tries to steal Mail credentials (via file access) 17->62 64 Tries to harvest and steal ftp login credentials 17->64 46 dustontail.top 21->46 66 System process connects to network (likely due to code injection or exploit) 21->66 25 reg.exe 1 23->25         started        28 conhost.exe 23->28         started        signatures12 process13 signatures14 72 Creates an undocumented autostart registry key 25->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f327fd0a9151dfcbdfadd244a57d3cdb08e55f5ec3ced39497a39c2ff01d95ce/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-01-10 08:38:00 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mt72curkhp4xx5n2jckk7j43meokx26yphnhfexuooc74a5sxha._file
Verdict:
malicious
Similar samples:
07fd393e36e2519dda8edff80b6c629347586a628d70103d0cb425ba5c6cd0b9
RaccoonStealer
102309e3bb52f160ab298e054ca17e117fd602607121429fcd0275e99f1763da
RaccoonStealer
3785550afcc22a9c9cc82c4f6515f77eb9cc0984966aeb238d57e1ea3cb9d351
RaccoonStealer
3851673a8448fae896b14ae44ce35adf89113f914387fd8dce6ccaeff6f5b123
RaccoonStealer
3f5bc52dbad154f0693d28e459ff19c203c93ec58d6d99fa86631b049ba9746a
RaccoonStealer
50ca73e510646ea1534f248099ce844f7f6178adb93055f8459ec07645f48e79
RaccoonStealer
6641844eca61aba9bea60b2dee53da73541ec911b58363d78884c0c05aaef662
RaccoonStealer
777441ba67aa9043dac6a7d9ed97ac483935ac25b0781ca3494f72ea15119f50
RaccoonStealer
c87ccc80f1c070fec4033411d19cb2c12d6bfdcd723c1d97879d2dbae3690e17
RaccoonStealer
f22462a16e1e5b3eed3a84c6003aef25eb4ccdd78cb7064fdb39404528f3b9f0
RaccoonStealer
+ 388 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon discovery spyware stealer upx
Link:
https://tria.ge/reports/210111-xqy74qez8a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
ServiceHost packer
Raccoon
Unpacked files
SH256 hash:
f327fd0a9151dfcbdfadd244a57d3cdb08e55f5ec3ced39497a39c2ff01d95ce
MD5 hash:
3e4fc0a2364bedd52d261bfd9af66da0
SHA1 hash:
2f2809646e6975ead89c03c68bcb5afcc6b13e9e
Link:
https://www.unpac.me/results/99add55f-21b2-43d1-b7fe-82836162e27b/
SH256 hash:
21dcba3450a03df71054a29f55d4f3a2529ec3869569e7de31bb4a8c1a3fd42c
MD5 hash:
91db7d8a137269a6327c8cfe913da355
SHA1 hash:
5b7dd82e208428e6f10f9add2c71e6a0e11ad535
Link:
https://www.unpac.me/results/99add55f-21b2-43d1-b7fe-82836162e27b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f327fd0a9151dfcbdfadd244a57d3cdb08e55f5ec3ced39497a39c2ff01d95ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_DarkVNC
Create hunting rule
Author:abuse.ch
Description:Detects DarkVNC
Rule name:crime_win32_hvnc_banker_gen
Create hunting rule
Author:@VK_Intel
Description:Detects malware banker hidden VNC
Reference:https://twitter.com/VK_Intel/status/1247058432223477760
Rule name:crime_win32_hvnc_zloader1_hvnc_generic
Create hunting rule
Author:@VK_Intel
Description:Detects Zloader hidden VNC
Reference:https://twitter.com/malwrhunterteam/status/1240664014121828352
Rule name:HiddenVNC
Create hunting rule
Author:@bartblaze
Description:Identifies HiddenVNC, which can start remote sessions.
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_Amadey
Create hunting rule
Author:ditekSHen
Description:Amadey downloader payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/111198/

Comments