MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8e1278013c51e48739b8df8ca11f407000ef64260dd9102023dc3d1854fa507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 11

SHA256 hash: e8e1278013c51e48739b8df8ca11f407000ef64260dd9102023dc3d1854fa507
SHA3-384 hash: d5e689645726d5fc3d075b362ecaf4356d775fd0e9f84ec1c3a53fccf33262c35a0ea21857140f68ed26d199a7e44e54
SHA1 hash: bfb762a957fcc26eda0423b18db0d25e3ca83255
MD5 hash: 4e5896a09ce1a31d1f5f130625b202c0
humanhash: cup-quebec-mountain-finch
File name: 4E5896A09CE1A31D1F5F130625B202C0.exe
Signature: RaccoonStealer
File size: 3'058'970 bytes
First seen: 2021-09-10 12:25:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcB6EwJ84vLRaBtIl9mVuJEhw3fK6up9MSN5qq2CQv2SS5wY3RxR4fw1qSEYJ80C:x4CvLUBsgG9K6muSN5qVv2SS5J80qSpO
Threatray: 537 similar samples on MalwareBazaar
TLSH: T1CEE533203F83C2F7CA8262788F5CBBB591B9C7980B71584BF361456B693CC999627C52
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://5.181.156.77/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://5.181.156.77/
ThreatFox reference: https://threatfox.abuse.ch/ioc/219656/

Intelligence

File Origin
# of uploads: 1
# of downloads: 135
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4E5896A09CE1A31D1F5F130625B202C0.exe
Verdict: No threats detected
Analysis date: 2021-09-10 12:27:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Launching a process
Sending a UDP request
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 481197, Sample: j7Aw1MqW5w.exe, Startdate: 10/09/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-09-07 03:39:26 UTC
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:lyla aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://gheorghip.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
95.181.172.207:56915
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments