MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 15


Intelligence 15 IOCs 3 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4
SHA3-384 hash: 0bd7591882620c117e4b03cc2f38f29d8dc8cf86d79f10752b349eb4a50b99947fc2104e45e6e71e8b5b34ef066bd06f
SHA1 hash: 89aba2fe3c8c7b73d95bde2cc0191caf89471627
MD5 hash: 5d941d663aa77335eebfc3769cbbe12c
humanhash: shade-magazine-chicken-dakota
File name:03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'988'262 bytes
First seen:2021-12-23 19:35:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 98304:pAI+GeLcIbnLs9F3H+Hjf5gGckWU8tMxXuYFgQoDqlL41O3L7K2Cj:itGeLpgFXyL5gGck2dYFfSx24
TLSH T12636331841828139D1B30C3A899B41BF77377B1016A5D4CF62DD0A21DF176AA6BF63EE
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
23.88.114.184:9295

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.88.114.184:9295 https://threatfox.abuse.ch/ioc/282032/
http://185.215.113.42/f83jd823S/index.php https://threatfox.abuse.ch/ioc/283453/
45.9.20.144:23321 https://threatfox.abuse.ch/ioc/283454/

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://envima.tk
Verdict:
Malicious activity
Analysis date:
2021-08-18 11:26:13 UTC
Tags:
trojan evasion rat redline stealer vidar loader opendir phishing
Link:
https://app.any.run/tasks/a483b996-5ec9-43e6-b0c0-7db0673d74c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216017/
Detection(s):
Win.Malware.Passteal-9853623-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Modifying a system file
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Creating a file in the Windows subdirectories
DNS request
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Changing a file
Launching the default Windows debugger (dwwin.exe)
Possible injection to a system process
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Query of malicious DNS domain
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3035/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint greyware overlay packed
Link:
https://www.filescan.io/uploads/61c4cfa58991ba72b39427a8/reports/3020b4e3-a2d6-46fc-9a99-f40182c0ee5c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aaaf3e42-e812-48f5-9123-9958483163e9
Result
Threat name:
Nitol Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912176
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Nitol
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 544654 Sample: 03430361A6D2FE6C89D6B237CA9... Startdate: 23/12/2021 Architecture: WINDOWS Score: 100 124 paybiz.herokuapp.com 2->124 126 google.vrthcobj.com 2->126 144 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->144 146 Multi AV Scanner detection for domain / URL 2->146 148 Antivirus detection for URL or domain 2->148 150 18 other signatures 2->150 9 03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe 14 16 2->9         started        12 rundll32.exe 2->12         started        14 msiexec.exe 2->14         started        signatures3 process4 file5 90 C:\Program Files (x86)\...\zhangfei.exe, PE32 9->90 dropped 92 C:\Program Files (x86)\...\xtect12.exe, PE32 9->92 dropped 94 C:\Program Files (x86)\...\runvd.exe, PE32 9->94 dropped 102 7 other files (6 malicious) 9->102 dropped 16 xtect12.exe 9->16         started        21 MediaBurner2.exe 2 9->21         started        23 note8876.exe 9->23         started        31 5 other processes 9->31 25 rundll32.exe 12->25         started        96 C:\Windows\Installer\MSI7BEA.tmp, PE32 14->96 dropped 98 C:\Windows\Installer\MSI6AF0.tmp, PE32 14->98 dropped 100 C:\Windows\Installer\MSI6764.tmp, PE32 14->100 dropped 104 7 other files (none is malicious) 14->104 dropped 27 msiexec.exe 14->27         started        29 msiexec.exe 14->29         started        process6 dnsIp7 106 2.56.59.42, 49770, 80 GBTCLOUDUS Netherlands 16->106 108 37.0.10.171, 80 WKD-ASIE Netherlands 16->108 112 7 other IPs or domains 16->112 58 C:\Users\user\...58iceProcessX64[1].bmp, PE32+ 16->58 dropped 60 C:\Users\...\PznFAA9qRspG6mdxE6bNU4QA.exe, PE32+ 16->60 dropped 132 Tries to harvest and steal browser information (history, passwords, etc) 16->132 134 Disable Windows Defender real time protection (registry) 16->134 62 C:\Users\user\AppData\...\MediaBurner2.tmp, PE32 21->62 dropped 136 Obfuscated command line found 21->136 33 MediaBurner2.tmp 3 18 21->33         started        114 2 other IPs or domains 23->114 64 C:\Users\user\Documents\...\note8876.exe, PE32 23->64 dropped 138 Writes to foreign memory regions 25->138 140 Allocates memory in foreign processes 25->140 142 Creates a thread in another existing process (thread injection) 25->142 37 svchost.exe 25->37 injected 40 svchost.exe 25->40 injected 42 svchost.exe 25->42 injected 110 download2388.mediafire.com 199.91.155.129, 443, 49764 MEDIAFIREUS United States 27->110 116 2 other IPs or domains 27->116 66 C:\Users\user\...\aipackagechainer.exe, PE32 27->66 dropped 68 C:\Users\...\Cleaner_Installation.exe.part, PE32 27->68 dropped 70 C:\Users\...\Cleaner_Installation.exe (copy), PE32 27->70 dropped 118 5 other IPs or domains 31->118 72 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 31->72 dropped 74 3 other files (none is malicious) 31->74 dropped 44 zhangfei.exe 31->44         started        46 WerFault.exe 31->46         started        48 conhost.exe 31->48         started        50 2 other processes 31->50 file8 signatures9 process10 dnsIp11 120 perfect-request-smart.com 33->120 122 most-fast-link-download.com 33->122 76 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 33->76 dropped 78 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 33->78 dropped 80 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 33->80 dropped 152 System process connects to network (likely due to code injection or exploit) 37->152 154 Sets debug register (to hijack the execution of another thread) 37->154 156 Modifies the context of a thread in another process (thread injection) 37->156 52 svchost.exe 37->52         started        82 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 44->82 dropped 84 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 44->84 dropped 86 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 44->86 dropped 56 conhost.exe 44->56         started        88 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 46->88 dropped file12 signatures13 process14 dnsIp15 128 google.vrthcobj.com 52->128 130 192.168.2.1 unknown unknown 52->130 158 Query firmware table information (likely to detect VMs) 52->158 signatures16 160 May check the online IP address of the machine 128->160
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4/
Threat name:
Win32.Spyware.Socelars
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 19:02:00 UTC
File Type:
PE (Exe)
AV detection:
25 of 43 (58.14%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=anbqgyng2l7gzcowwi34vg4iptdcnemhwmc27spphwdeeuzwtdca._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:socelars family:vidar botnet:916 discovery evasion infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/211223-ya8pvabec2/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
https://lenak513.tumblr.com/
Unpacked files
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
59d5e1b7c610b54f55da438fd1a0a7e3dd600fa1f4737eb448d35c173ae29c75
MD5 hash:
d7741bc3472d2269658d8ee374d282b6
SHA1 hash:
58e3e706550f1af3a5066893fc7ee2d82e527c84
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
65f353ef1e15371f2f84995da14d9d4d26f21c4f27786b1e11b9d7d3ef73ab63
MD5 hash:
d214cd08287dcad86d6c915003e67cfe
SHA1 hash:
211ccf327307d3f21a534de3b373cdc5c107e9d2
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
8a9349e87c60d60d9f071c09b0b2f5673fb6789fe3dcdb51146329812789ece0
MD5 hash:
36ba601b0261bc42b35ca00d70c61ca0
SHA1 hash:
98b053f7118bc67da7048e7113df97446c8704d8
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
eb4fcbf5e671cf31549f0adb3eae178c555f85b9c571efdea9ad0e5ecc200c5a
MD5 hash:
192851210dc33940057f75b36ad9cdac
SHA1 hash:
ac3fc08024af1c8de0b99cd33d8f2aa1483fb078
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
9e104c1aba8aa4bce2a770c87effbbd05582926fb1359ed9e8c5f4a3f85a2ef9
MD5 hash:
b580bb034d409226bd0f5523a82e8759
SHA1 hash:
77e0e04873ea7aa90e3e9baadec3b15de0f2a04d
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
7d3f4f482a23e6656e39afe87395b0d55c29bf006ff36656274cc1dd42516147
MD5 hash:
b79dda68c52528bcce19c517ac985438
SHA1 hash:
3716f79228ab85aaeaa9391bf2985f8c7d5fd79b
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
b7d332bcb82302fd76f8f4f9aabea6f95587386bf552606afac8baf8c36e0589
MD5 hash:
a9b77de6ed313d882e0b27037859fd69
SHA1 hash:
824dcfe830d02dabad6bd558100c88146b7bb93c
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
87276253ac9cde79a5a067d376edb41f65698a0a591d14037ba7f716a192a2c5
MD5 hash:
3b2a4a18d86ebf12609d04486ce1e1e6
SHA1 hash:
1c29c93517c5fb43e2457b745fe1ca0d1fe193db
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
SH256 hash:
03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4
MD5 hash:
5d941d663aa77335eebfc3769cbbe12c
SHA1 hash:
89aba2fe3c8c7b73d95bde2cc0191caf89471627
Link:
https://www.unpac.me/results/fce9b29c-f6fc-43c2-9089-7e787ad6cc1d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/03430361a6d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216017/

Comments