MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 825ae458150e6c43d3549cd88feedaf92f3e8b407553852b1997916ecf26e851. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 825ae458150e6c43d3549cd88feedaf92f3e8b407553852b1997916ecf26e851
SHA3-384 hash: 390dd90d6ec40c8becf4808eece98a23aa83ea0c2ca1a47d1634ba9dd5a9133eed4ba0cea66ca13e41a38fea7d65ad96
SHA1 hash: a220613588c19ad4ce724ae33fbf37c0071324d4
MD5 hash: be6fec3f989c1551c28863071b8666e5
humanhash: friend-maine-gee-carolina
File name:BE6FEC3F989C1551C28863071B8666E5.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'633'534 bytes
First seen:2021-09-02 07:36:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBBJtdW5pcwC5tfjevuc+PCS7tupYCzNlnrKMHotVBsxVx1EUt5Ec+:xKdWfp0PT8aCpJZHojBMVxSt
Threatray 469 similar samples on MalwareBazaar
TLSH T1A0C533313ED5C0F3E2521132E9095BF355EAE34809645CD333FAB91C6D689AA522FA37
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.144/ https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BE6FEC3F989C1551C28863071B8666E5.exe
Verdict:
No threats detected
Analysis date:
2021-09-02 07:36:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/065148ec-cae0-4d43-b622-006354cf46bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184692/
Detection(s):
Win.Dropper.Pswtool-9857487-0
Create hunting rule

Win.Malware.Barys-9859499-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f0058d9-bba1-4565-9e8b-bb1ecaf547de
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843855
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476286 Sample: sp5q2BCFJ2.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 66 34.97.69.225 GOOGLEUS United States 2->66 68 104.21.20.198 CLOUDFLARENETUS United States 2->68 70 2 other IPs or domains 2->70 90 Antivirus detection for URL or domain 2->90 92 Antivirus detection for dropped file 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 12 other signatures 2->96 9 sp5q2BCFJ2.exe 17 2->9         started        signatures3 process4 file5 42 C:\Users\user\AppData\...\setup_install.exe, PE32 9->42 dropped 44 C:\Users\user\AppData\...\Fri11f2bd2a885f.exe, PE32 9->44 dropped 46 C:\Users\user\AppData\...\Fri11ab92010185.exe, PE32 9->46 dropped 48 12 other files (6 malicious) 9->48 dropped 12 setup_install.exe 1 9->12         started        process6 dnsIp7 86 172.67.142.91 CLOUDFLARENETUS United States 12->86 88 127.0.0.1 unknown unknown 12->88 118 Adds a directory exclusion to Windows Defender 12->118 16 cmd.exe 12->16         started        18 cmd.exe 1 12->18         started        20 cmd.exe 12->20         started        22 8 other processes 12->22 signatures8 process9 signatures10 25 Fri11ab92010185.exe 16->25         started        30 Fri111dda87fbe569.exe 18->30         started        32 Fri114469956219507b3.exe 20->32         started        98 Adds a directory exclusion to Windows Defender 22->98 34 Fri118c7a8fd2c.exe 22->34         started        36 Fri118df96855.exe 3 22->36         started        38 Fri1122648ffff.exe 1 13 22->38         started        40 4 other processes 22->40 process11 dnsIp12 72 37.0.10.214 WKD-ASIE Netherlands 25->72 74 37.0.10.237 WKD-ASIE Netherlands 25->74 78 9 other IPs or domains 25->78 50 C:\Users\...\wLnBokLOUIQiPUSRSrLiQVi8.exe, PE32 25->50 dropped 52 C:\Users\...\tLBxF2JKj_gMt9OVwE6cHMdE.exe, PE32 25->52 dropped 54 C:\Users\...\su2W7jzrwMH1LVCGv9Q1KEPZ.exe, PE32 25->54 dropped 64 35 other files (32 malicious) 25->64 dropped 100 Drops PE files to the document folder of the user 25->100 102 Machine Learning detection for dropped file 25->102 104 Tries to harvest and steal browser information (history, passwords, etc) 25->104 106 Disable Windows Defender real time protection (registry) 25->106 108 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 30->108 110 Maps a DLL or memory area into another process 30->110 112 Checks if the current machine is a virtual machine (disk enumeration) 30->112 76 162.159.133.233 CLOUDFLARENETUS United States 32->76 114 Antivirus detection for dropped file 32->114 56 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 34->56 dropped 80 2 other IPs or domains 36->80 58 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 36->58 dropped 116 Creates processes via WMI 36->116 82 4 other IPs or domains 38->82 60 C:\Users\user\AppData\...\aaa_v013[1].dll, DOS 38->60 dropped 84 3 other IPs or domains 40->84 62 C:\Users\user\AppData\...\Fri1159c12d53.tmp, PE32 40->62 dropped file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/825ae458150e6c43d3549cd88feedaf92f3e8b407553852b1997916ecf26e851/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 05:53:20 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjnoiwavbzwehu2uttmi73w27ext5c2aovjykkyzs6iw5tzg5biq._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
RaccoonStealer
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
RaccoonStealer
186992db0748857e13271f18b519fbf2b6f016bd8d81c3ee952786de798a6dad
RaccoonStealer
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
RaccoonStealer
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
RaccoonStealer
45c04168fe1e27939f2e08c178279d8c1aca5eba4ed8f6a717eb70b966cc5617
RaccoonStealer
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
RaccoonStealer
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
RaccoonStealer
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
RaccoonStealer
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
RaccoonStealer
+ 459 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar family:xmrig botnet:706 botnet:pub botnet:rarani aspackv2 backdoor discovery evasion infostealer miner spyware stealer trojan
Link:
https://tria.ge/reports/210902-f8s3x8psps/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
xmrig
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
https://eduarroma.tumblr.com/
193.56.146.78:51487
87.251.71.14:89
Unpacked files
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
6568407488bfbdac850aa2f0e45e35a715acc3c0b72ddf74bf8f619afdbb1490
MD5 hash:
7430d3fe088aac670da5b80f3fdb0d2c
SHA1 hash:
ed34d6e4acdb76cc80bb7a155f08ae564f0a4581
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
4037b516bc49fac317f493c28a2668ae8182a87e79d01b9f9e68d95b7b258250
MD5 hash:
b3b251d41deb675510f06cfd6cdf0599
SHA1 hash:
dfb1661ae08b6aae2b635dcf191e78abe1ca548b
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
75851ad163bfdee63e50605ab805ed8fcaaac701016bbafffd46570c619357ee
MD5 hash:
298c4dc55383774598d9e58569f90473
SHA1 hash:
b7e621d92b5cb269f2ee7a788fe96c2f60dfb9b4
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
487dad571ff0a813f44bd7a8366c62a35d1f56362e67cd9e539c3b16bf1af8b1
MD5 hash:
b947dffa6401cf89ab1422bdaf60c360
SHA1 hash:
b38ee39717ff21d622c8a3e84b76d35a636715e6
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
c582ac8cd2b0fb8db43e2c31f1b21751d67619188d55e431771349cb6f79bf97
MD5 hash:
27308d0d72622a30af8ae9f01d95262a
SHA1 hash:
aebf75309d8df97b2975d6bd48be30b201422125
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
ed6d502c7c263fd9bd28324f68b287aea158203d0c5154ca07a9bcd059aa2980
MD5 hash:
de595e972bd04cf93648de130f5fb50d
SHA1 hash:
4c05d7c87aa6f95a95709e633f97c715962a52c4
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
968484872156a64a88ebc15e1b245cf7accf9c8ba84125fbb57e03fcd488ef4a
MD5 hash:
6227abcd6a6522f011270375fe8556da
SHA1 hash:
12e2d82a124974b17cc71e300cbb6d3dded95917
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
c3a33ed3d960c2d7eb699fc91b2e7aa90a0dea2eb9cbc40d9133edce3b9b6677
MD5 hash:
d23736a8bd8680eb32168470f5e94ebc
SHA1 hash:
15457f9bb58a07710b8a5bcc16c46d07331c88e5
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
81b91482903bcd0282e604f01319b9aa07c9c5d0d9d040684a4473b98f1c77b2
MD5 hash:
c99ab126b82eab97d88b4f39b521635c
SHA1 hash:
cd3e21d8a4c7aa1742879db7fe624ca0edea7b2b
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
8d3ea5329ef30c4f1b72b9a69d16da76fda11b9ab7290c4790979b28a041cd40
MD5 hash:
4c132e6237cb5f3c61e1b5173685f561
SHA1 hash:
3cc6f429a9fe0d85372cf26a09501c2ac49c4b88
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
6a3ee6b77876d26af9cc38c97ee89c6fee275aa3b3f9817d37129cbad6473063
MD5 hash:
e00bb466a8ac2e003c10eb6b920ccd61
SHA1 hash:
2d31e4a5c782df88de57794aef8a7a971d2cb0d6
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
708b308f66f799c802b72a14887c33b179ede733843a043c05af00561f05ace9
MD5 hash:
4a3a082e90d40a1809e1244b035193a3
SHA1 hash:
ca5decccbb5feb49e2bd886e2a483b79e364173b
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
SH256 hash:
825ae458150e6c43d3549cd88feedaf92f3e8b407553852b1997916ecf26e851
MD5 hash:
be6fec3f989c1551c28863071b8666e5
SHA1 hash:
a220613588c19ad4ce724ae33fbf37c0071324d4
Link:
https://www.unpac.me/results/47b7d660-4e0e-4150-a6e1-137664294f93/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/825ae458150e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/825ae458150e6c43d3549cd88feedaf92f3e8b407553852b1997916ecf26e851

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184692/

Comments