MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb
SHA3-384 hash:	af27e06d0c38aa9ad3996538dbb47114fc37aeb385c887a8b5e5234edf7e0717ba70e2f8490237240da8a173d76ebcf6
SHA1 hash:	df4fc9bc80b7fed50917eaa770aa46da69be511d
MD5 hash:	c4452802edd8e7f32b16790eca81b63e
humanhash:	yankee-cold-fruit-maine
File name:	tuc7.exe
Download:	download sample
Signature	RaccoonStealer Create hunting rule
File size:	7'867'265 bytes
First seen:	2023-12-11 18:32:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	196608:UWc5A2XV/1qTZGgnkphp0rAwZYGespRHDfY5cdV4qCzj:oDFyOTpBsLp1c5SV4qCzj
Threatray	5'478 similar samples on MalwareBazaar
TLSH	T1098633B36004A13AE034E4F7ED27E91066332DC0147A952966EEB9F0777AE2DE06571F
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon	fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter	Xev
Tags:	exe RaccoonStealer Socks5Systemz

NIXLovesCooper

Downloaded from http://never.hitsturbo.com/order/tuc7.exe

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/465900/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Launching a process

Modifying a system file

Creating a file

Creating a service

Sending a custom TCP request

Launching the process to interact with network services

Enabling autorun for a service

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/657755e5855eb2633d66ec5c/reports/dfc77541-d37f-4b28-a803-5074401e0102/overview

Verdict:

Malicious

Labled as:

HEUR/AGEN.1332570

Link:

https://www.hybrid-analysis.com/sample/2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c766155d-1f15-4e08-943a-702a9bca59fb

Score:

71%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-11 18:33:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

10 of 23 (43.48%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fw6kmplpavs7sfypv6nbctmg33t6bri2wkzkek4ghuny6upp3pfq._file

Verdict:

malicious

Label(s):

raccoon

RaccoonStealer

66fcee39009982c7f59da0e757bfc28d533677644a69574b77836a18c8709683

RaccoonStealer

9576908c20ec0c27abb1630a5bc670220a619cec985b6e38508e561d2ff32060

RaccoonStealer

e726591b828a5fb4faab7c82b1f60b136348327d12f3045bd538bd92a521ffaf

RaccoonStealer

fd7dd862dd2904bd73634725e479e4a827a78392fe13af1b600dddb81ffc3abe

RaccoonStealer

+ 5'468 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/231211-w67fjsfha7/

Behaviour

Runs net.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Unpacked files

SH256 hash:

c374ce370b8991347db808eed8be0ca9b693a160c624875706f4ff1fa68dc3ba

MD5 hash:

4fcc1a443bbd996a11db50e494496967

SHA1 hash:

d39880a707f5ee4d3c5047af1856ee192160c800

Link:

https://www.unpac.me/results/d1657fbd-dd6b-4d0a-922b-92d80e7d4233/

SH256 hash:

c1b44abe18e4abff85ca77784257fe2ee1ca9f6186423d5b57f4236c7f369bdc

MD5 hash:

b1bbc66b10803ea74053f23119156d4b

SHA1 hash:

755a68621ea89bda385b92d3ef832ea923d73f94

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/d1657fbd-dd6b-4d0a-922b-92d80e7d4233/

Parent samples :

d246c390d4d9387df5e7b79bd0a3039dd8422ade2f0f883059e25b7e126047b9
ea120a91de4a033c8d647379291018f07bc77acb477a83718337e4901d717f88
b2b02441c82db09bb6dd03fe651527d1ed7d7d2c47b2a15f50688fcf97986d99
9a9c7bba717e9aa3ba2f41e6bc882d4eda397ff9c2b7d904f70f5ed9f913a54f
d91cd6555430d9fd9791064b61d6aa82b22c83cf4463e77d3ee16d4f0c23c7a6
fd7dd862dd2904bd73634725e479e4a827a78392fe13af1b600dddb81ffc3abe
9576908c20ec0c27abb1630a5bc670220a619cec985b6e38508e561d2ff32060
3fb24fbed5ea21aff720a20540424c5d591f78fb439654821b88206bb5d1a691
684b4d933e995a9d445d396eaba5240575e7a0f406459d31915a2bc6b22e672f
aaed1e278b69cb980557262a06afcc5f918bfcc290e6c72adcb85fe69981610e
d3eb48b9c6025098aa0f9716eb39af7ccb6632ad17d989dae17f8110fdb0df2d
c1c011be98e6aa97ab3beb986d18b62be34d8e792992750a0be36620094efab5
ee00a51c42abd97a81cc7947324fb3d2c52f18d6eac53e0b51eeafad65c50eed
6d33ba54e5ac0ed2b56b6341091be3cc12084081885d0f348210d0379b22940b
cd9332047f78b263c124ac43a236cf1662a6811bc1bec5197dcbb6854d071f2b
99e3852360608fed8fd936f758425e48c4d0694716ff4552ca50eebe9bd47da9
4f02850ddaefbc4552e8d52be5204f99104091691e75a55686e3165857ecba15
a6cc8883c03f3562ac370d0c0bd709fe2beffb2e926831ece5a5285807f97b1f
a367d3b37e8c9994bcb9dc97e7553426d000e5b6a3fbc6235519493634e4c2ad
abbd1e2a717c5dce8dfce8a32ce19de260a9828296e297630ce2555079bd3c5c
1b086eb781e75e1a2b28341b7acddb2f65cf3a365a638b204d582ee60dd2d41a
77a61b13f28a85fca5b6f78b44e6df02af50f2034309375c0ce016c6616e7531
2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb
3fc033a2106787dee55edb329dd0c31194e1ed5b86c4a6100f7fcdafe20e173d
8aa6218ca4f56c2464ff226a8da6fea0b8d13dc5c6243b84b8066eee6db6e743
cd536ed5483dcfaf6d19a9ae40fa47982337389d4a1f6274f5d88443e1598245
4cdcaef112302725218a08607954f874f64d15e76ef48fb9809ac3cd19c06d13
5cda495baa9978ed76d303209293439c3373ea3744567574c954ae168d060da0
28d87cca102be87689f6f085a0abbc2d62d803e0b14eff3ed1ad34c039ff4fc8
8dbbedf05e06ebb7441c26fa73778cec6cf6a4483aced52fe2a31a90e528d8c2
05cebeb24f99286065ff93755df273358b5586c149e88f510dd45c0eeb675869
882598184d2453fd87eed2ef6090764f65746bb9605ec3817971daf53efb1c6f
5fc9c8787931219210d3417b370c2535c88fbdb6cbca23dda95773ff1710ded3
a3812f6a93f8a1dd4caa7f305e96c227e9e8af02efa9cde5208b04d85ec9ad26
f76aa649194b0553605a8281963987bdadfd05a307e3c9c78fb0792e66b87d3f
6f5f0910b9a02eb74cb27daa6bb5321d3455859c014ec5f94e14254bc5a0345c
a7a95bf6888b345983096cadb97ce22d3cdd7eeea64e9dd2c661dfa49c43bf30
6afdaaecf198f2bbf78a7be1be6eeca8e7d325d1e20467f2b1bfa07cd0d0675d
371a9a6844c1c8416bbc7292451029a2cf9fee6eb5f298ea722676ab1c186dfd
766355f833c41506b57f86c1f89a57cf89018a117ad2e9a5da971bfa3bcc491d
17a5fdfe51f55c75d099e96a9a9d0100f84903c85eff088f8c3ffeb514a04b90
4b131bbee35c504702b00064233623eade38597e9540d56659ce174bc937eddb
885eff10a41b81d8d58da81639ac194c4a7ee85597dc60862cfe1fe793c07ae1
f123a1ba6d66769711234f7d9f678826c81c50d7f66d9f55842e062aa619e8b2
cb4f4ba4cae619f5078c3984e7342987c858ea6c32d7832c8ae348204b614d56
917f01722daf03a6115d712560681a75ea556f35e09de2e83ade4c1e7ed6260e
9c5caec05310df350aff28106bb7e23551b892ce34c0ab91194a4e37ffa6e89f
65f778f8246f25e24edc579aa3b1ab9927ca79d40a777afed4d67927c120c504
7d0d34208646d3b2f686943869ae128146310322d9c57f00cb33d1587e59ea4f
15c58f22fcc584d521eebf60f3f42b1b4515507e8140a453ee6f914475047781
98837410e92b9e3c2c5cfb5e55d34adc9789267ae6ad4f93d01ad96850469c43
c60a121bc17a7429cf4eb77201718f2399ecbafee14e1e8b8abe06439caff338
e51bf2c45dec7b1ec533eb36407f1128411660562572f31ea6daa86f458d0a16
abed09c492453264a7f97821919f432fb17d9f63b400135d77437446a1a9171a
de9800d9459eb67804ea627dad30f7f829010e486592916b1017350bff7391e5
ed793e3a67d11de24edd4630185050a3ac2aabde995d693086c07905b1b363d9
0b6d0b550e1288b8b4d4755fd2b0f1a626d65546d575896cc54161a50c96ee09
e69dbe84db5388fa05289061ff5457bef83372af0ae7d0f48ba79b4c744dfad3
1b067ef46dcbbc71f2d5a2487fa1e6d95200301d4e4834910d3f14cb119b5a3e
d9e2ab135e48706fd86e7f97b3f239f8da792825ec519c76ff4f3b759db47ccd

SH256 hash:

f8fa71710404a7878c429250aee2b0fdd91abf377fc088503a210488fdcf952b

MD5 hash:

970adf7fc7247f217763bf3f9efd1e7f

SHA1 hash:

d41f7d4a1398c35e403fd8ccc7545c48ae988d7a

Link:

https://www.unpac.me/results/d1657fbd-dd6b-4d0a-922b-92d80e7d4233/

SH256 hash:

783055c14b1ec9df0d4f92d58264a7893140bf9acd15355954d7689be062c04e

MD5 hash:

b1e50a6f0ce7ae90e1ab74d234b68491

SHA1 hash:

b98b909b56b63713a6cfbaf47647a08900558539

Link:

https://www.unpac.me/results/d1657fbd-dd6b-4d0a-922b-92d80e7d4233/

SH256 hash:

2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb

MD5 hash:

c4452802edd8e7f32b16790eca81b63e

SHA1 hash:

df4fc9bc80b7fed50917eaa770aa46da69be511d

Link:

https://www.unpac.me/results/d1657fbd-dd6b-4d0a-922b-92d80e7d4233/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2dbca63d6f0565f9170faf9a114d86dee7e0c51ab2b2a22b863d1b8f51efdbcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

http://never.hitsturbo.com/order/tuc7.exe

Cape

https://www.capesandbox.com/analysis/465900/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample