MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92d6f9c8f9908a054c5112a49f7725a5e058533e81bf8c12f0bdeb653771b8b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92d6f9c8f9908a054c5112a49f7725a5e058533e81bf8c12f0bdeb653771b8b5
SHA3-384 hash: 09ddd3d41fb1ea76be4013741365db743865f22260a7b4010f844aff48f451750a5836aac830585bfeeb24eb34e0c8b8
SHA1 hash: 87f6e4097b43ba4224350bede837af7b083c469e
MD5 hash: 95c81aea110513352466313af25a0b4e
humanhash: moon-seventeen-lake-mexico
File name:95C81AEA110513352466313AF25A0B4E.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:3'070'527 bytes
First seen:2021-09-10 18:50:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:9g7g1rGwI2zMFRQNiztkqZCRkwQjUFXJhodISjELhwdcM8uxoNLkYl4C9NnL7mou:y7gFGgUkqZskjj2LQIPy5xoNLkg4UL7+
Threatray 542 similar samples on MalwareBazaar
TLSH T1D6E5337068AFD8FEE5E201B238B0C735BB1C535E21C829B9869C6DAD7C256738763534
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.77/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.77/ https://threatfox.abuse.ch/ioc/219656/

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-07 09:32:32 UTC
Tags:
trojan loader evasion
Link:
https://app.any.run/tasks/d487b66f-9d82-44d1-8f5b-b352bbc85e20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186954/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Connection attempt
Sending a custom TCP request
DNS request
Running batch commands
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b87032b-f0ac-42c3-9e11-47ca20ef61f3
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848986
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481417 Sample: 14RjGK3Ida.exe Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 76 104.21.64.202 CLOUDFLARENETUS United States 2->76 78 162.0.210.44 ACPCA Canada 2->78 80 4 other IPs or domains 2->80 126 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->126 128 Multi AV Scanner detection for domain / URL 2->128 130 Antivirus detection for URL or domain 2->130 132 14 other signatures 2->132 10 14RjGK3Ida.exe 10 2->10         started        13 svchost.exe 1 2->13         started        signatures3 process4 file5 66 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->66 dropped 15 setup_installer.exe 17 10->15         started        process6 file7 68 C:\Users\user\AppData\...\setup_install.exe, PE32 15->68 dropped 70 C:\Users\user\...\Tue05a7ce0aa2dde.exe, PE32 15->70 dropped 72 C:\Users\user\...\Tue05a5ef213df9ae089.exe, PE32 15->72 dropped 74 12 other files (7 malicious) 15->74 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 82 hsiens.xyz 172.67.142.91, 49739, 80 CLOUDFLARENETUS United States 18->82 84 127.0.0.1 unknown unknown 18->84 134 Performs DNS queries to domains with low reputation 18->134 136 Adds a directory exclusion to Windows Defender 18->136 22 cmd.exe 18->22         started        24 cmd.exe 1 18->24         started        26 cmd.exe 1 18->26         started        28 8 other processes 18->28 signatures10 process11 signatures12 31 Tue052a2b89fc7eff4.exe 22->31         started        36 Tue056efd68a6be.exe 24->36         started        38 Tue05a7ce0aa2dde.exe 15 6 26->38         started        138 Adds a directory exclusion to Windows Defender 28->138 40 Tue05675d90c748e3e4.exe 28->40         started        42 Tue0509a8d20e.exe 28->42         started        44 Tue0566c5feedf0b.exe 28->44         started        46 4 other processes 28->46 process13 dnsIp14 96 2 other IPs or domains 31->96 48 C:\Users\user\AppData\...\softokn3[1].dll, PE32 31->48 dropped 50 C:\Users\user\AppData\...\mozglue[1].dll, PE32 31->50 dropped 52 C:\Users\user\AppData\...\freebl3[1].dll, PE32 31->52 dropped 64 9 other files (none is malicious) 31->64 dropped 100 Detected unpacking (changes PE section rights) 31->100 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->102 104 Machine Learning detection for dropped file 31->104 124 2 other signatures 31->124 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->106 108 Maps a DLL or memory area into another process 36->108 110 Checks if the current machine is a virtual machine (disk enumeration) 36->110 86 startupmart.bar 104.21.37.182, 443, 49743, 49750 CLOUDFLARENETUS United States 38->86 98 3 other IPs or domains 38->98 54 C:\Users\user\AppData\Roaming\4484467.exe, PE32 38->54 dropped 56 C:\Users\user\AppData\Roaming\3978183.exe, PE32 38->56 dropped 112 Performs DNS queries to domains with low reputation 38->112 88 iplogger.org 88.99.66.31, 443, 49749, 49761 HETZNER-ASDE Germany 40->88 90 www.listincode.com 144.202.76.47, 443, 49747 AS-CHOOPAUS United States 40->90 114 Antivirus detection for dropped file 40->114 116 May check the online IP address of the machine 40->116 92 cdn.discordapp.com 162.159.133.233, 443, 49741 CLOUDFLARENETUS United States 42->92 58 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 42->58 dropped 118 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 44->118 94 a.goatgame.co 172.67.146.70, 443, 49734, 49744 CLOUDFLARENETUS United States 46->94 60 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 46->60 dropped 62 C:\Users\user\AppData\...\Tue0558ff6ebd.tmp, PE32 46->62 dropped 120 Sample uses process hollowing technique 46->120 122 Creates processes via WMI 46->122 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92d6f9c8f9908a054c5112a49f7725a5e058533e81bf8c12f0bdeb653771b8b5/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 20:36:24 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sllptshzscfaktcrcksj65zfuxqfquz6qg7yyexqxxvwkn3rxc2q._file
Verdict:
malicious
Similar samples:
32f6b938399aa2d2ac58336d83a4fcdb5aab622c91e019969a78fc041af75339
RaccoonStealer
3febf03463e0e65ef9d0fc4e8a38f01dd7c6dfee10258876981539b7a319a620
RaccoonStealer
4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708
RaccoonStealer
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
RaccoonStealer
5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae
RaccoonStealer
618969df2d98c660836fc0c94f95d93c8c561f19f106c56eca3f5aa9930cbba8
RaccoonStealer
6e67e541d5801d97cb6fc3ec483b7b9dc302506c0f3a1ef0942ea3f7126e9e87
RaccoonStealer
90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
RaccoonStealer
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
RaccoonStealer
+ 532 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:lyla aspackv2 backdoor discovery evasion infostealer persistence ransomware spyware stealer suricata trojan
Link:
https://tria.ge/reports/210910-xhgqnadfck/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
Djvu Ransomware
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Tnega Activity (GET)
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
95.181.172.207:56915
Unpacked files
SH256 hash:
30ced67922952319f405dec8f04efd805135b8e44f800efe0adbf5b4f2609e9c
MD5 hash:
38ffbb461006fcd43d0c8c4dda5138aa
SHA1 hash:
1e91d3235146b6b4ce2b21674b159f773a042434
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
57c0974db11a84b305dd07a49d3569a42f8d19fc42b659ef9d5755c40ee87537
MD5 hash:
ba669dedf1c507c40a5932ca77a6ae72
SHA1 hash:
83582af8c00c6ebf0bd71aecc2f6fa67ecd127a4
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
84100c09249deb297e6b7ec1e94538f9652731b961d056d529535f0efaa428cc
MD5 hash:
9da2c27249e707cec3b2b3f83f492ebf
SHA1 hash:
f856e47afc6f8663e0a9366d08078bfeb8431dc3
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
c034ee0ed45c8278cf10e330a92220f7d33c2d3d10f2721c2acabcca552b6423
MD5 hash:
4df600c45dbfd49fa9e31134e8f47434
SHA1 hash:
f07d4411a7b3722206e9d17e94749819930cedcb
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
15df8e8a7cb1721007ab652250097818fa0a0fffe2555c55708209549e0e5303
MD5 hash:
467c1658e917bb61952551b9651c83d4
SHA1 hash:
ce6c8dc12a8eb3caf2cd299517f6e51421947701
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
fedaccddc690b2b65456f75f84c5a8604e659d4647968d48b44abb3e2f2f366a
MD5 hash:
df403b7b88da0784e8b2479ed3a0c1c7
SHA1 hash:
bfb1db83003e905094446765cb6785018c253379
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
e4b12b0e408212f171c8b4b849143516d8b0bceef2f6fa7e59deb72c7cd10a5e
MD5 hash:
b1a0d3577500820f3a71e2fb055f526a
SHA1 hash:
a5b22bf9e9a92f79a898e16403b2ad8f50b1bb83
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
bd8b7a94c0a972c2d5e63f3ae654f2dfa43f5e15aef3c837a8539c099b7db85c
MD5 hash:
21f62770cd5deaa60198feffa3801224
SHA1 hash:
82f14d80b6a68cdc746fc33955722b8367be18f4
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
e3611442220e3800b098998f18cdcae937d3d1b7325cb943cea28d4d2df77305
MD5 hash:
d64d750dc0ab22041116f2eaf2a3ac06
SHA1 hash:
475c5f4ecbdb080bd045b830d5b08171b042b060
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
687ab49bfbd9f58418fe39b087790f6cfafa8ea81f93ac5a8eb10c497fa990aa
MD5 hash:
35cc4833f8f2255c01e87f79029608c2
SHA1 hash:
26d36d8af1570a4dbc2c229e7f68332fc41380ca
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
17c6394f4256e6ec014b98d078dcfae89bfff431bb5fd17e95d5858b50ca1659
MD5 hash:
2927aaa5f942c2fb3f781d0ed30fb6ab
SHA1 hash:
19c566defbc40d60e909cd4635a840a042b119b3
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
287260547975fc3fba440a19597256f483a5bc1d5f673eff235dd9e20921d4ed
MD5 hash:
50ae3d20dca4f83708708eafaba6f75c
SHA1 hash:
8d6d1fcd395708f1fac137cadfab0bc7655fc74e
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
030d037300256f57a9af849337a9bd287ec90757e3855985be4660eeca007f3e
MD5 hash:
8f248bf90796b2bdf758e70bcb45ad00
SHA1 hash:
56ac3784e5c65c61ab71175c1c8389f781d1e1ce
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
c71547ee8853f4d5fdad15316818c4f035f2c88f27bf51c1a0e3699f18e70ef0
MD5 hash:
91d4b2713380ae16ee0d1998820be775
SHA1 hash:
614d04d81c24db9bbb7db643c8e6739d6a12ae9a
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
346402921d8d9f4973eb3f98ced44fed00087428153886545556b1d86fdbb5f3
MD5 hash:
35a1650c6538e98237c6815314ed59ce
SHA1 hash:
0d79eb607c13ab119f7b4bab785959d2ad297645
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
SH256 hash:
92d6f9c8f9908a054c5112a49f7725a5e058533e81bf8c12f0bdeb653771b8b5
MD5 hash:
95c81aea110513352466313af25a0b4e
SHA1 hash:
87f6e4097b43ba4224350bede837af7b083c469e
Link:
https://www.unpac.me/results/e21e3093-2407-4724-bc07-9b15796ff1cc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/92d6f9c8f990/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92d6f9c8f9908a054c5112a49f7725a5e058533e81bf8c12f0bdeb653771b8b5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186954/

Comments