MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3637e86adb20ccee0c96ac838cbba3f61cc1ac0e27fa04766957f7ef28825461. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12



SHA256 hash: 3637e86adb20ccee0c96ac838cbba3f61cc1ac0e27fa04766957f7ef28825461
SHA3-384 hash: 9a3a1fb299e794d8b29a69a4d6280f7f4c8a7ad96db3fce2959d5104202485e6683f5350172b1106e968c0a2c6ecd779
SHA1 hash: 8ae7918611354ad85951080e6de324d3b1dc6325
MD5 hash: b57b6c5d8f1cb3f7ad5d492028b957ef
humanhash: harry-sweet-spaghetti-river
File name: b57b6c5d8f1cb3f7ad5d492028b957ef.exe
Signature: RaccoonStealer
File size: 18'831'671 bytes
First seen: 2021-12-07 13:15:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 393216:xzdgoPPGhPdeem+oY+Db4s0Vq+qezSoZ70g34xB3OAPkuoSAo+Ou3y:5dgo2OeTv6b4s0IGZQxB3zPkFPo+Ou3y
Threatray: 796 similar samples on MalwareBazaar
TLSH: T17E1733563BC4D3FFEE49413B76C8B7AA0E7F858418B2A4D30A91C4B82395189F42DE57
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://ad-postback.biz/check.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://ad-postback.biz/check.php https://threatfox.abuse.ch/ioc/261055/
109.234.38.101:25717             https://threatfox.abuse.ch/ioc/261184/

Intelligence


File Origin
# of uploads: 1
# of downloads: 158
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b57b6c5d8f1cb3f7ad5d492028b957ef.exe
Verdict: No threats detected
Analysis date: 2021-12-07 13:19:46 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
DNS request
Launching a process
Creating a window
Searching for synchronization primitives
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed socelars
Result
Verdict: MALICIOUS
Result
Threat name: Raccoon RedLine SmokeLoader Socelars Vid
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found strings related to Crypto-Mining
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara detected Xmrig cryptocurrency miner
Yara Genericmalware
Behaviour
Behavior Graph ID: 535542 (sample bGX13BNfM5.exe, start date 07/12/2021, architecture WINDOWS, score 100; graph rendering omitted)
Threat name: Win32.Trojan.Antiloadr
Status: Malicious
First seen: 2021-12-05 00:58:14 UTC
File Type: PE (Exe)
Extracted files: 224
AV detection: 30 of 45 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:loaderbot family:redline family:socelars family:vidar botnet:915 aspackv2 evasion infostealer loader miner stealer suricata trojan
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
LoaderBot executable
NirSoft WebBrowserPassView
Nirsoft
Vidar Stealer
Amadey
LoaderBot
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://www.wgqpw.com/
https://qoto.org/@mniami
https://noc.social/@menaomi
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: grakate_stealer_nov_2021
Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
