MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057
SHA3-384 hash: 845eebe771d84fe022e1a0af890165f66cf5868faedf8f73b10126297b1d76d820f1f9ab0ad99e7c1e65d1b30bb38cbf
SHA1 hash: f55624f5eb95e153d73fdc45dee28108163b3ee1
MD5 hash: 4d7886532fdc4f621a15af99ec56f09a
humanhash: undress-massachusetts-east-video
File name:file
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'004'864 bytes
First seen:2023-01-24 21:05:44 UTC
Last seen:2023-01-25 07:49:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash acbbb57a9e219cbd48d9ce15a64944ff (4 x RedLineStealer, 1 x RecordBreaker, 1 x RaccoonStealer)
ssdeep 98304:S2GnWQErhYOKLqRBX6uqOU0vtr/bnBy9erPMBNBXgO:Jz7hCLqPqNOrV3Bs0ABXv
Threatray 1'799 similar samples on MalwareBazaar
TLSH T13206227366211781D1E6CCBD8937FDE571FA439F9B44983C79EAB8C428228E6D213943
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe RaccoonStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc139074685_654917260?hash=zfmJziUGzDBQkapvZZc0lCQ1zavmC0ZsgT9XOkTCarD&dl=GEZTSMBXGQ3DQNI:1674594082:39tzWcUapedEDQJOo1Gf16k9DXtmB8UmPMdQhiEzDic&api=1&no_preview=1#build1

Intelligence

File Origin
# of uploads :
207
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-24 21:06:18 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/ca87bf6e-281d-4fa1-b486-ef62709cf0e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356541/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62849/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/63d0483b89bd67c10fd9d590/reports/7d3a1272-3790-4a10-bef1-f0f4b559c14e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4f89164-6596-443b-b2a8-ea627b55eaaa
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158312
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 791051 Sample: file.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Antivirus detection for URL or domain 2->59 61 7 other signatures 2->61 9 file.exe 1 2->9         started        process3 signatures4 71 Writes to foreign memory regions 9->71 73 Allocates memory in foreign processes 9->73 75 Tries to detect virtualization through RDTSC time measurements 9->75 77 Injects a PE file into a foreign processes 9->77 12 AppLaunch.exe 23 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 49 95.217.16.127, 49699, 80 HETZNER-ASDE Germany 12->49 51 t.me 149.154.167.99, 443, 49698 TELEGRAMRU United Kingdom 12->51 53 dl.uploadgram.me 92.222.250.82, 443, 49700, 49701 OVHFR France 12->53 37 C:\Users\user\AppData\...\Starter[1].exe, PE32 12->37 dropped 39 C:\Users\user\AppData\...\5239890474[1].exe, PE32+ 12->39 dropped 41 C:\ProgramData\83365927635065458766.exe, PE32+ 12->41 dropped 43 C:\ProgramData\24082385418392430971.exe, PE32 12->43 dropped 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->79 81 Tries to harvest and steal browser information (history, passwords, etc) 12->81 83 Tries to steal Crypto Currency Wallets 12->83 85 Contains functionality to compare user and computer (likely to detect sandboxes) 12->85 19 24082385418392430971.exe 2 12->19         started        22 83365927635065458766.exe 12->22         started        25 cmd.exe 1 12->25         started        file7 signatures8 process9 dnsIp10 63 Antivirus detection for dropped file 19->63 65 Multi AV Scanner detection for dropped file 19->65 67 Machine Learning detection for dropped file 19->67 45 youtube-ui.l.google.com 172.217.168.14, 443, 49702 GOOGLEUS United States 22->45 47 www.youtube.com 22->47 69 Tries to harvest and steal browser information (history, passwords, etc) 22->69 27 cmd.exe 1 22->27         started        29 conhost.exe 25->29         started        31 timeout.exe 1 25->31         started        signatures11 process12 process13 33 conhost.exe 27->33         started        35 choice.exe 1 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-01-24 21:20:31 UTC
File Type:
PE (Exe)
AV detection:
26 of 39 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bdzcv44hbsa46d4qhv4evpwnmuaahlp76nqp6bjjkqajd4tx2blq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
RaccoonStealer
2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
RaccoonStealer
4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
RaccoonStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
RaccoonStealer
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
RaccoonStealer
6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35
RaccoonStealer
7f305167fdb6ae8a3781cd257ddef222ee6803f44115d2e1a133f7da67d4eaa0
RaccoonStealer
88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4
RaccoonStealer
b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e
RaccoonStealer
+ 1'789 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 spyware stealer
Link:
https://tria.ge/reports/230124-zxqcfsfd9t/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/litlebey
https://steamcommunity.com/profiles/76561199472399815
Unpacked files
SH256 hash:
55a78733d182d6edbcd845cdca4da8824cf3975ac809e76c6abc60fca7265c00
MD5 hash:
28b8d35c3b6547cef10d749c22406096
SHA1 hash:
2f91428d9517774580a76dcf89da0e882a864f44
Link:
https://www.unpac.me/results/4127ab95-c439-4dcd-8192-d79f0fa1ab09/
SH256 hash:
cd108c7f55aa2329f88316ba4acd2faf24d47176edb6d99b984282c68521e3be
MD5 hash:
5d60e482eed8bb387e1085ecba6178e7
SHA1 hash:
9a639fea974dc79d0a01054cd00d156904685c5a
Link:
https://www.unpac.me/results/4127ab95-c439-4dcd-8192-d79f0fa1ab09/
SH256 hash:
08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057
MD5 hash:
4d7886532fdc4f621a15af99ec56f09a
SHA1 hash:
f55624f5eb95e153d73fdc45dee28108163b3ee1
Link:
https://www.unpac.me/results/4127ab95-c439-4dcd-8192-d79f0fa1ab09/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/08f22af3870c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/356541/

Comments