MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6080d51c23ff3825d6dda3280757ba1ce88be4b06d10bf9960a0d79973b43e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6080d51c23ff3825d6dda3280757ba1ce88be4b06d10bf9960a0d79973b43e3
SHA3-384 hash: dd198c5bd628bf433b0baa079c5ae2f08d16ea33e4b8c89eb9935d24bc510b9633a2939fde2df6afbf5a974f5c05d2b0
SHA1 hash: 29b6c64e806bdc864ca37a62e50478c3179284a4
MD5 hash: 71c3c6ef549daa7a9e2fe5cecb83031f
humanhash: emma-winter-music-two
File name:setup_x86_x64_install.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'371'812 bytes
First seen:2021-10-08 18:08:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:J95uL02QwDp/oy0GO/KPjFHmtrq6jFCbJb:J/E5D9o97/QjFH8+
TLSH T1321633040AC11586CDF0A1F79141BD7DC29C28FD0DEAFAE98A656F6223B6970121F7E6
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
441
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
No threats detected
Analysis date:
2021-10-08 18:16:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee17f51e-e136-4c84-9acf-7c157bbd3463

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196237/
Detection(s):
Win.Dropper.Pswtool-9857535-0
Create hunting rule

Win.Packed.Barys-9859263-0
Create hunting rule

Win.Malware.Barys-9859499-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mokes overlay packed
Link:
https://www.filescan.io/uploads/61608940e3d213d202bc042c/reports/8a0cc102-14b6-4d5f-86fd-6d48668659ec/overview
Result
Threat name:
RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867263
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 499693 Sample: setup_x86_x64_install.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 75 37.0.8.119 WKD-ASIE Netherlands 2->75 77 103.155.93.196 TWIDC-AS-APTWIDCLimitedHK unknown 2->77 79 16 other IPs or domains 2->79 101 Antivirus detection for URL or domain 2->101 103 Antivirus detection for dropped file 2->103 105 Multi AV Scanner detection for submitted file 2->105 107 17 other signatures 2->107 10 setup_x86_x64_install.exe 10 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 file5 73 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->73 dropped 20 setup_installer.exe 20 10->20         started        129 Changes security center settings (notifications, updates, antivirus, firewall) 13->129 signatures6 process7 file8 53 C:\Users\user\AppData\...\setup_install.exe, PE32 20->53 dropped 55 C:\Users\user\...\Fri14fc548bbfdb093c.exe, PE32 20->55 dropped 57 C:\Users\user\AppData\...\Fri14e8398503.exe, PE32 20->57 dropped 59 15 other files (7 malicious) 20->59 dropped 23 setup_install.exe 1 20->23         started        process9 dnsIp10 95 104.21.87.76 CLOUDFLARENETUS United States 23->95 97 127.0.0.1 unknown unknown 23->97 127 Adds a directory exclusion to Windows Defender 23->127 27 cmd.exe 1 23->27         started        29 cmd.exe 23->29         started        31 cmd.exe 23->31         started        33 7 other processes 23->33 signatures11 process12 signatures13 36 Fri148ab4e7c687c2e61.exe 72 27->36         started        41 Fri148a7b41dd4e434.exe 29->41         started        43 Fri1484990fee93c2f8e.exe 31->43         started        99 Adds a directory exclusion to Windows Defender 33->99 45 Fri14e8398503.exe 33->45         started        47 Fri14fc548bbfdb093c.exe 33->47         started        49 Fri14a6f32b92b4d905.exe 33->49         started        51 powershell.exe 26 33->51         started        process14 dnsIp15 91 2 other IPs or domains 36->91 61 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 36->61 dropped 63 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 36->63 dropped 65 C:\Users\user\AppData\...\softokn3[1].dll, PE32 36->65 dropped 71 9 other files (none is malicious) 36->71 dropped 109 Detected unpacking (changes PE section rights) 36->109 111 Detected unpacking (overwrites its own PE header) 36->111 113 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->113 125 2 other signatures 36->125 115 Antivirus detection for dropped file 41->115 117 Machine Learning detection for dropped file 41->117 119 Injects a PE file into a foreign processes 41->119 121 Sample uses process hollowing technique 43->121 81 192.241.101.69 SERVER-MANIACA Canada 45->81 83 190.211.254.178 PLI-ASCH Panama 45->83 85 45.9.20.13 DEDIPATH-LLCUS Russian Federation 45->85 67 C:\Users\user\AppData\Local\...\null[1], PE32 45->67 dropped 123 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 45->123 93 2 other IPs or domains 47->93 69 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 47->69 dropped 87 88.99.66.31 HETZNER-ASDE Germany 49->87 89 144.202.76.47 AS-CHOOPAUS United States 49->89 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6080d51c23ff3825d6dda3280757ba1ce88be4b06d10bf9960a0d79973b43e3/
Threat name:
Win32.Backdoor.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 18:09:06 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4yea2uoch7zyexln3izia5l3uhhirpsla3iqx6mwbigxtfz3iprq._file
Verdict:
unknown
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:redline family:smokeloader family:socelars family:vidar family:xmrig botnet:916 botnet:933 botnet:937 botnet:media8 botnet:sehrish aspackv2 backdoor discovery evasion infostealer miner persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/211008-wrfdhsegd5/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Checks BIOS information in registry
Checks computer location settings
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
XMRig Miner Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
xmrig
Malware Config
C2 Extraction:
https://mas.to/@serg4325
91.121.67.60:2151
135.181.129.119:4805
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Unpacked files
SH256 hash:
b3ebe2d73a6d2b289eb9076a94e1080d095cd3dfa0eb28d000ff9ea495ec286d
MD5 hash:
0bf74c3c12256fbe7ddc9ef82550c5ec
SHA1 hash:
9125023250645cbe4aaa5237b2ee2690bdb6167d
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
Parent samples :
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
b0907562ec1ac4ff1abc08598c77804ea6a4434b6955ef1d8ea7cfa99a6cb849
MD5 hash:
2aa74bffcea929cdd73b163a1dfabbcf
SHA1 hash:
74a2007532e312d234fbadcc0fb7d081a1932bc0
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
Parent samples :
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
d12e9e17264b775bbd2fe0ce9200598edaf1d7be64dff0e9e6a14619f24ec558
MD5 hash:
b483660d7e5a9b6fc0cc4438cd59b5bf
SHA1 hash:
d7cf95baf14f649a9cb336a9c0c0cb5318c15edf
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
66b83b0849b03e36112ca0ed86d1151463cf64141031877a900c69683e27ece6
MD5 hash:
9e2728bb565e1530f3df3b474d4e25d7
SHA1 hash:
d2961fbb8a6ad94b55ab13f6d3ab7e0ba5fcf03f
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
b1792b96ee1599053169c723ef3847f150fb3a6cbd7f6e49f0c7980e56f17ec0
MD5 hash:
782464a630ee6593821219958720db3e
SHA1 hash:
c46ee1af2bd512533f1cd26337e73e0ccb18f57f
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
b9518e12f129337119803d448c2127f8fb63455e8ff7dc9aef7b8f239487718d
MD5 hash:
1d6def6285adf263d9c3dddf06a6dab3
SHA1 hash:
b8d43082a572dee53d12e380dcdfd68fc302b916
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
b9263a4a77b7956e2487937db3a95445baf6465ec42e6356581515f535aeca11
MD5 hash:
f598fa8158a27c01887de7fd5f996e8a
SHA1 hash:
9bd1132b3df5474a962d7dc3780fd68e39499957
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
f7ec45966ad8e38d8507c637d75cd70d70f0a77a4fd436595c87c483eea6d567
MD5 hash:
17cebac621efe1638506eaa93b112748
SHA1 hash:
8c226904c925a4c61dc6a3ae02a1c3e7410b01cf
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
55c15870bea584a331bcf4dcccc2be241329a7da9da70e7f4beb02bae1113415
MD5 hash:
8d3b05f3e0fd4a1d79799debca70ddac
SHA1 hash:
5b3c648bfe6a996ff194842572eb21f8c8e822ed
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
3127db454894da4af94dafef6f8826e06dfd44c8337e160948b38fbf2b83c1a0
MD5 hash:
cc9c722f75be49e8f93929c989e4568d
SHA1 hash:
320fba78d341f12c4225e65e276281278b3c6316
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
5de063d98221a5f0951e9e290c4b9f6c6d45602f5b5617ba832a4bee926f0059
MD5 hash:
25f85df36f4ec8103991f1c4df0e7049
SHA1 hash:
e12d673c30b459b81d6e0b43f2cd9a280c2e2acf
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
cbf1bc36ae69b5d54992392f8b7711e4ee4973e72e33a33318268d129eed4c45
MD5 hash:
29b30b117e8be91a98b72ada7211294f
SHA1 hash:
ca859c58c7a09cdc2d171b96a1a01f43f26b634e
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
0d5b1bda1e1e4c31ea37f19b8bd2fbce66882639d4486f3303d9adb72e760057
MD5 hash:
29adbeef1c80a2f2eeaf0901e094816d
SHA1 hash:
53073930d1ad357b9d8497c3ba3fae8f9c597320
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
9cf2354927c9a4f359114f50929190db2e42574edc28a772e156977bfd3cb932
MD5 hash:
b23260fb07c98ede83c64b1271e32732
SHA1 hash:
3fe10991085b4bfa0136678d01f04db189118947
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
f9a912e51215656018b538da0b03c7f4b6966eb890d2c0eb90360d151dd3943d
MD5 hash:
3641a22ecb32bcab36327f5d2a582dc0
SHA1 hash:
950e51c476f05717c148bab3533460cfcbb53a39
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
SH256 hash:
e6080d51c23ff3825d6dda3280757ba1ce88be4b06d10bf9960a0d79973b43e3
MD5 hash:
71c3c6ef549daa7a9e2fe5cecb83031f
SHA1 hash:
29b6c64e806bdc864ca37a62e50478c3179284a4
Link:
https://www.unpac.me/results/c676d3dc-8262-4e95-973f-1ffdef985963/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6080d51c23ff3825d6dda3280757ba1ce88be4b06d10bf9960a0d79973b43e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/196237/

Comments