MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35
SHA3-384 hash: 438a7343129beda4edb66bc1373b93e2d3d269eba3ca70c80ca30fd55eaff29dc9dcfe1af6e7c2bc603b7ece6df5668a
SHA1 hash: a1a07c3cc4deaf0edcca83dbad7cc657e72495cd
MD5 hash: a6de94d87bc0bf4d9a1a8d70f489c84c
humanhash: asparagus-steak-lamp-red
File name:Setup.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'018'187 bytes
First seen:2023-01-24 01:28:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2612fb848cf4ac8d179f70754ebbda6b (3 x RedLineStealer, 2 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep 98304:tKvNd9ERHFzGO0a38SDqr7LkBqxyGVKl7kiiX0MI:tKr9ERHFb0a3nK7oBEDXrI
Threatray 1'849 similar samples on MalwareBazaar
TLSH T1C3062273126214C9E4F5C53DC63BFDF471F64A268A42983D79DABAC62A358F0E203653
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Chainskilabs
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 01:29:02 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/f740a7dd-9b21-4884-ac2c-ae27ffbc3cfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356191/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62642/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/63cf345f554489340685239e/reports/0121a6ea-46cb-4542-8d97-ba956e213434/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da85fc4d-c77b-436e-9c7e-8cd87539fa14
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157574
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790311 Sample: Setup.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Antivirus detection for URL or domain 2->59 61 9 other signatures 2->61 9 Setup.exe 1 2->9         started        process3 signatures4 71 Writes to foreign memory regions 9->71 73 Allocates memory in foreign processes 9->73 75 Tries to detect virtualization through RDTSC time measurements 9->75 77 Injects a PE file into a foreign processes 9->77 12 AppLaunch.exe 24 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 49 65.109.208.142, 49710, 80 ALABANZA-BALTUS United States 12->49 51 t.me 149.154.167.99, 443, 49709 TELEGRAMRU United Kingdom 12->51 53 dl.uploadgram.me 92.222.250.82, 443, 49712, 49713 OVHFR France 12->53 37 C:\Users\user\AppData\...\Starter[1].exe, PE32 12->37 dropped 39 C:\Users\user\AppData\...\635965506[1].exe, PE32+ 12->39 dropped 41 C:\ProgramData\74923607336971071731.exe, PE32 12->41 dropped 43 C:\ProgramData\15247453186470146265.exe, PE32+ 12->43 dropped 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->79 81 Tries to harvest and steal browser information (history, passwords, etc) 12->81 83 Tries to steal Crypto Currency Wallets 12->83 85 Contains functionality to compare user and computer (likely to detect sandboxes) 12->85 19 74923607336971071731.exe 2 12->19         started        22 15247453186470146265.exe 12->22         started        25 cmd.exe 1 12->25         started        file7 signatures8 process9 dnsIp10 63 Antivirus detection for dropped file 19->63 65 Multi AV Scanner detection for dropped file 19->65 67 Machine Learning detection for dropped file 19->67 45 youtube-ui.l.google.com 142.250.203.110, 443, 49714 GOOGLEUS United States 22->45 47 www.youtube.com 22->47 69 Tries to harvest and steal browser information (history, passwords, etc) 22->69 27 cmd.exe 1 22->27         started        29 conhost.exe 25->29         started        31 timeout.exe 1 25->31         started        signatures11 process12 process13 33 conhost.exe 27->33         started        35 choice.exe 1 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6wgcfcviz25xj52qksnu4dwgm556tnli6dnmyzoogwwj6z33m2q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
RaccoonStealer
2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
RaccoonStealer
4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
RaccoonStealer
4b56f06c41fb17b2e445bee3e4016d3297f758cbb20b3fc280763593813242df
RaccoonStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
RaccoonStealer
68d471be0c90161c04cd1645b4cb63cef52a7ad79ecf4de62331befb19645f58
RaccoonStealer
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
RaccoonStealer
88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4
RaccoonStealer
b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e
RaccoonStealer
+ 1'839 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 spyware stealer
Link:
https://tria.ge/reports/230124-bv8t1sgc83/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/jetbim2
https://steamcommunity.com/profiles/76561199471266194
Unpacked files
SH256 hash:
76f57b1c86e2894f385495d135d7472f8a05f554b59c09969c4b46fe3122f505
MD5 hash:
21ac8bbc7ee4c18f0c4f512e0b972a7c
SHA1 hash:
78a66ed93bce027cd660e7b6d58345f5ee94cf17
Link:
https://www.unpac.me/results/e1cd7138-3248-4c56-8685-e7feb402e382/
SH256 hash:
b33b928c34b401b54ef0aa493262e335294eb661caecd1f43e2b3bdc1ec8d913
MD5 hash:
71aa3b99f1ea1dcc8ad1b040fc08b063
SHA1 hash:
7392ab32cafc7511363d770c144080de540fa948
Link:
https://www.unpac.me/results/e1cd7138-3248-4c56-8685-e7feb402e382/
SH256 hash:
6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35
MD5 hash:
a6de94d87bc0bf4d9a1a8d70f489c84c
SHA1 hash:
a1a07c3cc4deaf0edcca83dbad7cc657e72495cd
Link:
https://www.unpac.me/results/e1cd7138-3248-4c56-8685-e7feb402e382/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6fac61145546/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356191/

Comments