MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bfb87691070668037df7a6bc1eac92bdb683ada3159b83c136146632835cb7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 13



SHA256 hash: 5bfb87691070668037df7a6bc1eac92bdb683ada3159b83c136146632835cb7f
SHA3-384 hash: 965a1a4b644cd4f94de2a11d6516d56e5c3fddd67e3474b6f1ac0334837d954680d3b2775826ec8981af4c153019c6b8
SHA1 hash: 9b31d81aa541f473360574fdbdd86aca2201033a
MD5 hash: e4c99dcc117b45dbd02c49723df0e5da
humanhash: six-december-salami-zebra
File name: setup_x86_x64_install.exe
Signature: RaccoonStealer
File size: 4'078'457 bytes
First seen: 2021-10-22 19:04:47 UTC
Last seen: 2022-07-11 11:30:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:Jm5tMCL1IVwr6K1JbcJSAzjznJQP2mHIb5cDXLqA9Nrq:J47X6mcLz/nJZmob5cDJvq
Threatray: 642 similar samples on MalwareBazaar
TLSH: T12A1633C703464AE0EAC533B7373C76A17EA25B54D588CF470F16429738E7986CE66A23
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: JaffaCakes118
Tags: exe, RaccoonStealer

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
193.150.103.37:29118   https://threatfox.abuse.ch/ioc/236641/
91.121.67.60:23325     https://threatfox.abuse.ch/ioc/236651/
135.181.79.37:32157    https://threatfox.abuse.ch/ioc/236652/
95.216.8.253:15940     https://threatfox.abuse.ch/ioc/236653/

Intelligence


File Origin
# of uploads: 4
# of downloads: 426
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-10-22 19:03:55 UTC
Tags: trojan evasion rat redline loader opendir stealer kelihos vidar raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: SmokeLoader Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Behavior Graph ID: 507843, Sample: setup_x86_x64_install.exe, Startdate: 22/10/2021, Architecture: WINDOWS, Score: 100. The graph rendering itself is not reproduced here; the process tree and node annotations recovered from it are:

setup_x86_x64_install.exe
  contacts: 45.142.182.152 XSSERVERNL Germany; 103.155.92.29 TWIDC-AS-APTWIDCLimitedHK unknown; 17 other IPs or domains
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 16 other signatures
  drops C:\Users\user\AppData\...\setup_installer.exe (PE32) and starts setup_installer.exe
    drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\...\Fri05f84fa77402bf.exe (PE32), C:\Users\user\AppData\...\Fri05cc28ce70b.exe (PE32) and 16 other files (10 malicious); starts setup_install.exe
      setup_install.exe contacts 172.67.141.157 CLOUDFLARENETUS United States and 127.0.0.1; signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell); starts three cmd.exe instances and 5 other processes
        cmd.exe starts Fri055cc2a6e65.exe
          contacts: 88.99.66.31 HETZNER-ASDE Germany; 149.28.253.196 AS-CHOOPAUS United States; 192.168.2.1 unknown
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
        cmd.exe (Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)) starts powershell.exe
        cmd.exe starts Fri05beb1e355.exe
          contacts: 208.95.112.1 TUT-ASUS United States; 8.8.8.8 GOOGLEUS United States; 45.136.151.102 ENZUINC-US Latvia
          signatures: Tries to harvest and steal browser information (history, passwords, etc)
        other processes start Fri05cc28ce70b.exe (Machine Learning detection for dropped file), Fri05eeb2dae7b88520a.exe (drops C:\Users\user\...\Fri05eeb2dae7b88520a.tmp, PE32) and powershell.exe
Threat name: Win32.Trojan.Chapak
Status: Malicious
First seen: 2021-10-22 10:50:11 UTC
AV detection: 30 of 45 (66.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:933 aspackv2 backdoor evasion infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
https://mas.to/@xeroxxx
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RaccoonStealer
File: Executable exe 5bfb87691070668037df7a6bc1eac92bdb683ada3159b83c136146632835cb7f (this sample)
Delivery method: Distributed via web download
