MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a3597141950b71eb9654410762a615fa75349a8330ab6efd16a77b79e16f0fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 8



SHA256 hash: 5a3597141950b71eb9654410762a615fa75349a8330ab6efd16a77b79e16f0fe
SHA3-384 hash: 4b026700e68b1524801d104b0f74ad18293644b83f7bca09adce37901479f369e108b6984eee33ec93d68d973bf9cc17
SHA1 hash: 06ca301399be3e2cb98bb92daab0843285101751
MD5 hash: 6a792cb55ea84b39eaf4a142a994aef6
humanhash: aspen-vegan-lake-yellow
File name: 6A792CB55EA84B39EAF4A142A994AEF6.exe
Signature: RaccoonStealer
File size: 762'119 bytes
First seen: 2021-06-28 00:35:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'501 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 6144:d/QiQXCE55m+ksmpk3U9j0I6KBsoxvjFEOTb9WmZX/8shzdsY4CpHPhnPyNpuyU:VQi3E5c6m6UR0IJp1hf39Wkv8xwJPIU
Threatray: 65 similar samples on MalwareBazaar
TLSH: E1F4E046BF8AD132D55245384CA5C47666333D301ABA5C89BBC93F6F3B72660C10B7AB
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://35.246.76.29/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
http://35.246.76.29/    https://threatfox.abuse.ch/ioc/154454/

Intelligence


File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: main_setup_x86x64.exe
Verdict: Malicious activity
Analysis date: 2021-06-27 15:37:49 UTC
Tags: trojan loader stealer vidar evasion rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample is protected by VMProtect
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 441045; sample vNiyRd4GcH.exe; start date 28/06/2021; architecture WINDOWS; score 100)

Top-level network and signatures:
  Contacted: www.cloud-security.xyz, www.directdexchange.com, 31 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 8 other signatures
  Performs DNS queries to domains with low reputation (www.directdexchange.com)

Process tree (dropped files and contacted hosts per process):
  vNiyRd4GcH.exe
    drops C:\Users\user\AppData\...\vNiyRd4GcH.tmp (PE32)
    vNiyRd4GcH.tmp
      contacts idowload.com 185.227.110.219 (ports 49713, 49722, 49735; LEASEWEB-NL-AMS-01, Netherlands)
      drops C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\bkhgb _ -.exe (PE32), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      bkhgb _ -.exe
        contacts connectini.net 162.0.210.44 (ports 443, 49716, 49729; ACPCA, Canada), privateinvestig8tor.com 162.0.220.187 (ports 49728, 49763, 49811; ACPCA, Canada), idowload.com
        drops C:\...\Kovywijaejy.exe.config (XML), C:\Users\user\AppData\...\Cewulufaedae.exe (PE32), C:\Users\user\AppData\...\Qaesaehidace.exe (PE32), C:\Program Files\windows nt\...\prolab.exe (PE32)
        Cewulufaedae.exe
          contacts connectini.net
          53 other processes: contact www.cloud-security.xyz and 44 other IPs or domains; start three iexplore.exe and 21 other processes
            iexplore.exe: 34 other IPs or domains
            iexplore.exe: adsaro.net 161.35.179.108 (ports 443, 49821, 49822; DIGITALOCEAN-ASN, United States), 10 other IPs or domains
            iexplore.exe: 16 other IPs or domains
            21 other processes: vexacion.com 139.45.197.236 (ports 443, 49733, 49734; RETN-AS, Netherlands), 36 other IPs or domains
        Qaesaehidace.exe
          contacts egsa.pw 111.90.146.149 (ports 49817, 80; SHINJIRU-MY-AS-AP, Malaysia), 11 other IPs or domains
          drops C:\Users\user\AppData\Local\...\md6_6ydj.exe (PE32), C:\Users\user\AppData\Local\...\ebook.exe (PE32)
          cmd.exe (with conhost.exe) starts md6_6ydj.exe
            contacts 2 other IPs or domains
            drops C:\Users\user\Documents\...\md6_6ydj.exe (PE32)
            signatures: Drops PE files to the document folder of the user; Tries to harvest and steal browser information (history, passwords, etc)
          cmd.exe (with conhost.exe) starts ebook.exe
            drops C:\Users\user\AppData\Local\...\ebook.exe.tmp (PE32)
            signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
          cmd.exe
        prolab.exe
          drops C:\Users\user\AppData\Local\...\prolab.tmp (PE32)
          prolab.tmp
            drops C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Program Files (x86)\...\is-V0ANV.tmp (PE32), 8 other files (none is malicious)
  Kovywijaejy.exe
    contacts idowload.com
    drops C:\Program Files (x86)\...\Windows Update.exe (PE32), C:\...\Windows Update.exe.config (XML)
    Windows Update.exe
      contacts 192.168.2.1 (ASN/country unknown), privateinvestig8tor.com, connectini.net
      drops C:\Program Files (x86)\...\Kovywijaejy.exe (PE32), C:\Users\user\AppData\...\VCFUDWIDNF.exe (PE32)
      Cewulufaedae.exe
        iexplore.exe (2 other IPs or domains) starts iexplore.exe: www.adsaro.net, 6 other IPs or domains; Performs DNS queries to domains with low reputation (www.adsaro.net)
        iexplore.exe (www.profitabletrustednetwork.com) starts iexplore.exe: www.profitabletrustednetwork.com
        iexplore.exe (vexacion.com) starts iexplore.exe: vexacion.com
        15 other processes: 4 other IPs or domains; start 3 other processes (3 other IPs or domains)
      VCFUDWIDNF.exe
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-06-25 01:01:56 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:metasploit family:plugx family:redline family:vidar botnet:servchloe backdoor discovery dropper evasion infostealer loader persistence stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
PlugX
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction: 87.251.71.195:82
Unpacked files
SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash: e172fdf14e3fd914a9d6fe8213637f87f9a0314ced31e1eb8a446fe21631d2f5
MD5 hash: 36f391266e7ad42014beb54d9dcc8359
SHA1 hash: 10cfea372b44d00ffba191e4e61d1b8be7b1fb30
SHA256 hash: 5a3597141950b71eb9654410762a615fa75349a8330ab6efd16a77b79e16f0fe
MD5 hash: 6a792cb55ea84b39eaf4a142a994aef6
SHA1 hash: 06ca301399be3e2cb98bb92daab0843285101751
Please note that we are no longer able to provide a coverage score for VirusTotal.
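The entry publishes network indicators in three places: the C2 URL reported by abuse_ch in the IOC table (ThreatFox 154454), the C2 socket 87.251.71.195:82 the sandbox extracted from the unpacked payload, and the hosts and IPs in the sandbox behaviour graph. The script below is an added example, not MalwareBazaar or abuse.ch code, that turns those indicators into a small matcher and runs it over a few constructed proxy log lines. The log format (timestamp, source IP, destination IP, destination port, SNI/Host, method, URL) and the sample lines are assumptions made for the demo; the IOC values are the ones on this page. Two details matter in practice and are handled here: the 192.168.2.1 address in the behaviour graph is the sandbox's own gateway and must not be treated as an indicator, and a connection to a C2 IP on a different port than the extracted one is reported separately, because it is weaker evidence than an exact socket match.

```python
import ipaddress
from urllib.parse import urlsplit

# Network IOCs taken from this entry: the C2 URL reported by abuse_ch
# (ThreatFox 154454), the C2 socket the sandbox extracted from the unpacked
# payload, and the hosts/IPs shown in the sandbox behaviour graph.
C2_URLS = ["http://35.246.76.29/"]
C2_SOCKETS = [("87.251.71.195", 82)]
GRAPH_HOSTS = [
    "idowload.com", "connectini.net", "privateinvestig8tor.com", "egsa.pw",
    "adsaro.net", "vexacion.com", "www.cloud-security.xyz",
    "www.directdexchange.com", "www.profitabletrustednetwork.com",
]
GRAPH_IPS = [
    "185.227.110.219", "162.0.210.44", "162.0.220.187", "111.90.146.149",
    "161.35.179.108", "139.45.197.236",
    "192.168.2.1",  # appears in the graph but is the sandbox's own gateway
]

# Constructed proxy/firewall log lines for the demo (not from the page).
# Fields: timestamp src_ip dst_ip dst_port sni_or_host method url
SAMPLE_LOG = """\
2021-06-28T00:40:01Z 10.0.0.15 35.246.76.29 80 - POST http://35.246.76.29/
2021-06-28T00:40:05Z 10.0.0.15 142.250.74.36 443 www.google.com CONNECT -
2021-06-28T00:41:12Z 10.0.0.22 87.251.71.195 82 - TCP -
2021-06-28T00:41:40Z 10.0.0.22 87.251.71.195 443 - TCP -
2021-06-28T00:42:03Z 10.0.0.31 162.0.210.44 443 connectini.net CONNECT -
2021-06-28T00:42:09Z 10.0.0.31 161.35.179.108 443 www.adsaro.net CONNECT -
2021-06-28T00:43:00Z 10.0.0.40 192.168.2.1 53 - UDP -
"""


def build_iocs():
    """Normalise the entry's IOCs into an IP set, an (ip, port) set and a domain set."""
    ips, sockets, hosts = set(), set(), set()
    for url in C2_URLS:
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        try:
            ip = str(ipaddress.ip_address(u.hostname))
        except ValueError:          # hostname is a domain, not a literal IP
            hosts.add(u.hostname.lower())
        else:
            ips.add(ip)
            sockets.add((ip, port))
    for ip, port in C2_SOCKETS:
        ips.add(ip)
        sockets.add((ip, port))
    for ip in GRAPH_IPS:
        # RFC 1918 space seen in a sandbox run is lab plumbing, not an indicator.
        if not ipaddress.ip_address(ip).is_private:
            ips.add(ip)
    hosts.update(h.lower() for h in GRAPH_HOSTS)
    return ips, sockets, hosts


def host_matches(name, hosts):
    """True if name equals an IOC domain or is a subdomain of one (www.adsaro.net -> adsaro.net)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels) - 1))


def scan_log(text, iocs=None):
    """Return (line_no, src_ip, dst_ip, reasons) for every log line that touches an IOC."""
    ips, sockets, hosts = iocs or build_iocs()
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        _ts, src, dst, dport, host, _method, url = line.split(maxsplit=6)
        reasons = []
        if (dst, int(dport)) in sockets:
            reasons.append(f"c2 socket {dst}:{dport}")
        elif dst in ips:
            # Same IP on another port: still worth a look, but weaker evidence than
            # the exact C2 socket, so the reason records which port was seen.
            reasons.append(f"ioc ip {dst} on port {dport}")
        names = {host} if host != "-" else set()
        if url != "-" and urlsplit(url).hostname:
            names.add(urlsplit(url).hostname)
        for name in sorted(names):
            if host_matches(name, hosts):
                reasons.append(f"ioc domain {name}")
        if reasons:
            hits.append((n, src, dst, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit, sep="\t")
```

On the constructed log the matcher flags lines 1, 3, 4, 5 and 6 and leaves the Google CONNECT and the 192.168.2.1 DNS lookup alone. Domain matching is by suffix on label boundaries, so www.adsaro.net matches the adsaro.net indicator while adsaro.net.example does not. The IPs from the behaviour graph are shared hosting (LeaseWeb, DigitalOcean, Shinjiru), so treat an IP-only hit there as a pivot to investigate rather than a verdict; the two published C2 sockets are the high-confidence indicators.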

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time
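The rule's description names the condition but the page does not show its body. As an added example, written for this page and not taken from ditekSHen's rule or from MalwareBazaar, the script below performs the same check on a raw PE header in Python: read e_lfanew from the DOS header at offset 0x3C, verify the "PE\0\0" signature, and compare the COFF TimeDateStamp (offset 8 past the signature) with the current time. The make_pe_stub helper, the slack parameter and the function names are my assumptions; the stub builds a constructed minimal header so the check can be exercised without downloading the sample.

```python
import struct
import sys
import time


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The "PE\0\0" signature is followed by the 20-byte COFF header:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_in_future(data, now=None, slack=24 * 3600):
    """The condition the YARA rule describes: compilation timestamp later than now.

    slack (my addition, in seconds) absorbs clock skew between the build host
    and the analyst's machine; pass slack=0 for the strict comparison.
    """
    ts = pe_timestamp(data)
    if ts is None:
        return False
    now = int(time.time()) if now is None else now
    return ts > now + slack


def make_pe_stub(timestamp, machine=0x14C):
    """Build a constructed minimal MZ/PE header (not a runnable binary) for testing."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXE | 32-bit)
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def describe(data, now=None):
    """One-line triage verdict for a file's compilation timestamp."""
    ts = pe_timestamp(data)
    if ts is None:
        return "not a PE file"
    when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts))
    flag = "FUTURE (possibly stomped)" if timestamp_in_future(data, now) else "ok"
    return f"TimeDateStamp {ts} ({when}): {flag}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(describe(fh.read()))
    else:
        # Self-demo on constructed headers: one dated a year ahead, one a year back.
        year = 365 * 24 * 3600
        print(describe(make_pe_stub(int(time.time()) + year)))
        print(describe(make_pe_stub(int(time.time()) - year)))
```

Run it as `python check_stamp.py sample.exe` (file name assumed) against the downloaded sample, or with no arguments for the self-demo. Treat a hit as a triage signal, not a verdict: a future timestamp is a classic sign of header tampering by a packer or builder, but MSVC's /Brepro reproducible-build option replaces TimeDateStamp with a hash of the binary, so legitimate software can also land on a future date.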

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments