MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1
SHA3-384 hash: 2354079ad6411916c81b7e74c48889b53e3854d10c4dc92c577ade2e57b62caa62630e2532e94c11a7c771f647423af4
SHA1 hash: 5e16eaa0a86f73f0a389f570555dbd10bf48c135
MD5 hash: a4806a7fffe5d04d7ccd764890bd4ef3
humanhash: harry-connecticut-sink-sixteen
File name:a4806a7fffe5d04d7ccd764890bd4ef3.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:7'037'724 bytes
First seen:2021-09-18 11:15:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:ye2xCzUElUJc9/rXT/Qo4zVZcCJuB8HUzcb:ygz9//6BWCJyQycb
Threatray 552 similar samples on MalwareBazaar
TLSH T1A566334CDED58F9AF9330130069AB86A1C06C627C575E3703762E6EC76A51DF978CE88
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://194.180.174.94/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://194.180.174.94/ https://threatfox.abuse.ch/ioc/223292/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a4806a7fffe5d04d7ccd764890bd4ef3.exe
Verdict:
No threats detected
Analysis date:
2021-09-18 11:16:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ecde3f5-9c18-4aa7-bbc9-e297149ff3c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLineDropperAHK
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188925/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad01dcc6-7a7c-42d6-bfd0-2e134d048a85
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853179
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485610 Sample: EGwLzrLJaT.exe Startdate: 18/09/2021 Architecture: WINDOWS Score: 100 100 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->100 102 172.67.140.150 CLOUDFLARENETUS United States 2->102 104 4 other IPs or domains 2->104 130 Antivirus detection for URL or domain 2->130 132 Antivirus detection for dropped file 2->132 134 Multi AV Scanner detection for dropped file 2->134 136 17 other signatures 2->136 11 EGwLzrLJaT.exe 10 2->11         started        14 svchost.exe 2->14         started        18 svchost.exe 1 2->18         started        signatures3 process4 dnsIp5 98 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->98 dropped 20 setup_installer.exe 20 11->20         started        126 23.211.4.86 AKAMAI-ASUS United States 14->126 168 Sets debug register (to hijack the execution of another thread) 14->168 170 Modifies the context of a thread in another process (thread injection) 14->170 file6 signatures7 process8 file9 60 C:\Users\user\AppData\...\setup_install.exe, PE32 20->60 dropped 62 C:\Users\user\...\Wed22d29285f2462824d.exe, PE32 20->62 dropped 64 C:\Users\user\AppData\...\Wed229825989c.exe, PE32 20->64 dropped 66 15 other files (10 malicious) 20->66 dropped 23 setup_install.exe 1 20->23         started        process10 dnsIp11 120 172.67.142.91 CLOUDFLARENETUS United States 23->120 122 127.0.0.1 unknown unknown 23->122 166 Adds a directory exclusion to Windows Defender 23->166 27 cmd.exe 23->27         started        29 cmd.exe 23->29         started        31 cmd.exe 1 23->31         started        33 11 other processes 23->33 signatures12 process13 signatures14 36 Wed2236d9fce9bd29d13.exe 27->36         started        41 Wed229825989c.exe 29->41         started        43 Wed22214190470.exe 31->43         started        128 Adds a directory exclusion to Windows Defender 33->128 45 Wed226b6e8b18c18b003.exe 33->45         started        47 Wed2246f9dc6f4f9.exe 33->47         started        49 Wed2260b25c317.exe 33->49         started        51 7 other processes 33->51 process15 dnsIp16 110 2 other IPs or domains 36->110 68 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 36->68 dropped 138 Antivirus detection for dropped file 36->138 140 Multi AV Scanner detection for dropped file 36->140 142 Machine Learning detection for dropped file 36->142 53 LzmwAqmV.exe 36->53         started        106 37.0.10.214 WKD-ASIE Netherlands 41->106 108 37.0.10.244 WKD-ASIE Netherlands 41->108 112 3 other IPs or domains 41->112 70 C:\Users\...\YGAorp4fJUWywTg8x5hQcjuT.exe, PE32 41->70 dropped 72 C:\Users\...\QhPVkak7tDMdRUQa_yzh3YC1.exe, PE32+ 41->72 dropped 74 C:\Users\user\AppData\...\Service[1].bmp, PE32 41->74 dropped 76 C:\Users\user\...76iceProcessX64[1].bmp, PE32+ 41->76 dropped 144 Detected unpacking (creates a PE file in dynamic memory) 41->144 146 Drops PE files to the document folder of the user 41->146 148 Tries to harvest and steal browser information (history, passwords, etc) 41->148 150 Disable Windows Defender real time protection (registry) 41->150 114 3 other IPs or domains 43->114 152 Detected unpacking (changes PE section rights) 43->152 154 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->154 160 2 other signatures 45->160 116 2 other IPs or domains 47->116 156 Tries to detect virtualization through RDTSC time measurements 47->156 158 Injects a PE file into a foreign processes 49->158 118 5 other IPs or domains 51->118 78 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 51->78 dropped 80 C:\Users\user\...\Wed221ce23cd2c4a6.tmp, PE32 51->80 dropped 162 2 other signatures 51->162 57 Wed221ce23cd2c4a6.tmp 51->57         started        file17 signatures18 process19 dnsIp20 82 C:\Users\user\...\LivelyScreenRecMa14.exe, PE32 53->82 dropped 84 C:\Users\user\AppData\Local\...\Chrome 5.exe, PE32+ 53->84 dropped 86 C:\Users\user\AppData\Local\...\BearVpn 3.exe, PE32 53->86 dropped 96 8 other files (3 malicious) 53->96 dropped 164 Machine Learning detection for dropped file 53->164 124 162.0.214.42 ACPCA Canada 57->124 88 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 57->88 dropped 90 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 57->90 dropped 92 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 57->92 dropped 94 C:\Users\user\AppData\Local\...\___YHDG34.exe, PE32 57->94 dropped file21 signatures22
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 19:02:55 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjeno6fic3725ut6izo65qka6tlzi6fevst4lfunn24snld4styq._file
Verdict:
unknown
Similar samples:
1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
RaccoonStealer
3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d
RaccoonStealer
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
RaccoonStealer
547cc534323bdd58f2fb30611e0cae63dea9c2583cb8932ef5e6063b2a08fbcc
RaccoonStealer
7ec88d4baa0a97362a026cf6e0f46422379a99be6d9bfe19034152f3d47cc0ed
RaccoonStealer
8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
RaccoonStealer
95070ee5eadc35fc22ec5818a4406261a776a28292576024bd58102126e2cb30
RaccoonStealer
a5f4eb3b915bcfdd72cb81b7d89c0c0fd6b190b637db6ffad25604d24985f9e8
RaccoonStealer
b566e04e4dde55640065fa942fcfa35ec3cb5f0c8b6057bfd0039ac4ebbc65f7
RaccoonStealer
+ 542 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:icedid family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani botnet:matthew14 campaign:3162718704 aspackv2 backdoor banker discovery evasion infostealer ransomware stealer suricata trojan vmprotect
Link:
https://tria.ge/reports/210918-nc5e4acack/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
IcedID, BokBot
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/Tnega Activity (GET)
Malware Config
C2 Extraction:
https://dimonbk83.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
limerugaf.top
45.142.215.47:27643
193.188.21.209:41939
Dropper Extraction:
http://shellloader.com/welcome
Unpacked files
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
da6e2470414935131c3a094758be78605ec1c1ba8ddc755d175ac73763cc307a
MD5 hash:
03cd7541a32149209ecec14115466bc3
SHA1 hash:
bff67b407cffb1d3f3afbbcee15046e968204af3
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
64218a12dee5b7f3711d0c312cf9476ee09e8cd4db24f9e2972d6dc899bdcf40
MD5 hash:
9c06d096728e9b1527ee8c98dc55f08f
SHA1 hash:
af7885dc9d6deca6b5dcf196228c03732d7b4e8c
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
3ae4aa993ef004bd3033121150df055ee172d4f62513637017fd3ab5d52c05d1
MD5 hash:
f092907daaae4db5bd8fea63f6695b15
SHA1 hash:
a6ccb13d671526416a3fc703204c43260806c8bf
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
2b7eb600e8bd3c46d2dfd8757fda486a97fecb5ef93303fbe4d81d2427c2fc22
MD5 hash:
6e5de1974fe22762d1dece8772638834
SHA1 hash:
a42083cde7a1129a639b48bf4960604ca1178597
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
ff287a189995d0e71b843c26f826731a80fad5ac85682d5afc8114235564a389
MD5 hash:
5b667b0ba0b1b72cb5e4cc296dfb0d09
SHA1 hash:
95ac440dc0867a1220b027e27070381445408303
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
2d2e0ed0c472eb132c334f9cf23901ae66c913e5d1f86d461a8ffb77f4854529
MD5 hash:
de99989d9a96b92bc20cc345990b7c01
SHA1 hash:
5beec524930a6e004ee1f929bf410bdc71affc0b
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
67a2f1c7ca8473f6527421b458cb43d640a9b27fb943c1fb510bc9ee663d7263
MD5 hash:
3ecf1ac6cb46246471d15637af52e33f
SHA1 hash:
588c27f292ec0be461e6709dc357424980f10c85
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
b92ec71660a8c98057ac2aff16529c98a2bf9946b79e96288a97c908d76d610e
MD5 hash:
df6d58a49a2d23bea015913c899d8c08
SHA1 hash:
4769c4871b464bc66d876b41f650be21ad1a377a
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94
MD5 hash:
3367116dc59fc2b806bb5ec8c36bf2b6
SHA1 hash:
f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
Parent samples :
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
571002e8730d6a69ff1a06a544c219fb2de55ced00c59180612fddcfc0e6570d
MD5 hash:
732e144831f1e12f11146b0fa7e108ba
SHA1 hash:
cb3bda4c7e40fd8c1c98fdf5be9cacdc5402a613
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
851f1ae91f72208919bd94ab8fb4c312847449cedec0ff8fe0f7b6183f8a63e9
MD5 hash:
652f26055f9599848eb50d08578188eb
SHA1 hash:
97b29563204c469038d9e7c76ecbb82af48954e3
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
1918ed1782dc2f45a299f4ddb948d1f780046e912a7eaecf12821cbb83d471fb
MD5 hash:
3e4f1e199f5382d9b25702c0d817e685
SHA1 hash:
db93d8eb3428e47b6684c79c983cb165ff9cfef6
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
5cadb060ee5b82afc81f254d4a97c6e8df57588b313e2e5e5b7b85bd33d47c8b
MD5 hash:
1c46fbedb957d0c30a95e08cd31c6af9
SHA1 hash:
7cc5dad94e8d2300dfe8e459d1c27325f2242e85
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
65d0f0cca49f9d87020ecb69f7e08ff51b5c6d4a91127963c60a551073d01d35
MD5 hash:
6d68b68b67f7b33135cced88504b164a
SHA1 hash:
a5a6c99275190d2439adab0affa805955f9399ff
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
b522eb73badf4c4ffd853f167f762fdb6eeef2e508b5fe8d4b88eea3e18f7bbb
MD5 hash:
95f1095d74a50474255c5eff84a304ba
SHA1 hash:
f2929cc69695efdb57492caa75cae20ff3e12848
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
SH256 hash:
5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1
MD5 hash:
a4806a7fffe5d04d7ccd764890bd4ef3
SHA1 hash:
5e16eaa0a86f73f0a389f570555dbd10bf48c135
Link:
https://www.unpac.me/results/3393a2c7-a56a-4100-b3ad-31746739dea8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188925/

Comments