MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82e99379bc175dcbdcecacbb1fa1cecbe9d02faae9f7fe38b34a821e7fbd2149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82e99379bc175dcbdcecacbb1fa1cecbe9d02faae9f7fe38b34a821e7fbd2149
SHA3-384 hash: a0da666fb538a0199e9293e970f9db3a1086cd420768f9b6684aa99ac495a70dc6ca68ef304bfee64d527b6c5eab6bf7
SHA1 hash: b6838f6c91da549d69c36c35ded8fbb0bc21c3df
MD5 hash: c6feeef64e5de37fb64309f6c954c066
humanhash: romeo-nineteen-indigo-south
File name:tuc3.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:7'970'299 bytes
First seen:2023-12-11 20:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'507 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:fnnY8NWvGpWTTlm0OxwW+nFnfZsMUdFt30Dzj:fnnY8NELTIrxwlxQWDzj
Threatray 2'433 similar samples on MalwareBazaar
TLSH T1D386338BF96568F3EB7C1536FF73EAA205C23E6099F25093308EB9D52B780191065B71
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter Xev
Tags:exe RaccoonStealer Socks5Systemz


Avatar
NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc3.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
3'763
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466172/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6577718a3636548f374b09a5/reports/547116b6-0174-476d-9bee-091538ddc12e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/82e99379bc175dcbdcecacbb1fa1cecbe9d02faae9f7fe38b34a821e7fbd2149
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0b45bca1-ded1-4ce2-aef7-c98d7ac9648f
Result
Threat name:
Petite Virus, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1358991
Behaviour
Behavior Graph:
n/a
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/82e99379bc175dcbdcecacbb1fa1cecbe9d02faae9f7fe38b34a821e7fbd2149
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82e99379bc175dcbdcecacbb1fa1cecbe9d02faae9f7fe38b34a821e7fbd2149/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-12-11 20:31:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
11 of 22 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qluzg6n4c5o4xxhmvs5r7ioozpu5al5k5h374oftjkbb4755efeq._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0cbbc73cef9824e93ef774e15d98e72440205bf4dc787e89c9c6e3ffed28139b
RaccoonStealer
24d8fce7cf58069321ab8ba4f54363894e592c55f1d683f52a70787067a9bdf6
RaccoonStealer
2d2bd7b4ba453e07e14d3bf13f4a2af5d0aa574a5b476b1f452cc3f34d76635e
RaccoonStealer
3129ff54ffde65b1b624d9f08be3c71a4e7dd89cc9834d9f3b71ef80035fa0f4
RaccoonStealer
69d64a5238c1ae6bd80b08662ef70ecdd39581c09ffc1eb24b0f24f6af08b4e1
RaccoonStealer
e25366514043cde3c25c796fa18537082aeb11be6eddb0455ca637db425ec078
RaccoonStealer
f4f981ccb3458bde6e9841d98259d2d80f7cc0b456859fd4b28cace6ac83cb79
RaccoonStealer
f81bc50e48d4f2d078fcc3a96e324d882b5f97c5cae888d6c5b1fb915c543f5f
RaccoonStealer
+ 2'423 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231211-zapseaabe9/
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SH256 hash:
c9278f17730a4078d3b28e349d31dbdab961d8b61aab7b710f088d0f03a033c8
MD5 hash:
dcd2f5ab1e14cdd37fa4de9cac79f521
SHA1 hash:
c87577e55433a5f51080374337467a66283f0c68
Link:
https://www.unpac.me/results/656f2308-6864-4fe4-a402-c2ced6ded766/
SH256 hash:
445ac42e83da974f76b5b636b431fca87ade0d16323ed643dad1e50c6eddcdf4
MD5 hash:
ae6dd0d3f0c08f22c8ba401f9521d180
SHA1 hash:
64b07639194d83397d0e9a682a205b73b03e9a1b
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/656f2308-6864-4fe4-a402-c2ced6ded766/
Parent samples :
3129ff54ffde65b1b624d9f08be3c71a4e7dd89cc9834d9f3b71ef80035fa0f4
2d2bd7b4ba453e07e14d3bf13f4a2af5d0aa574a5b476b1f452cc3f34d76635e
f4f981ccb3458bde6e9841d98259d2d80f7cc0b456859fd4b28cace6ac83cb79
502f258ed1691fcffdf93e59164188b6738a39f80fd8f7c519106aea7d37d2df
5e20edb8babad5baef08bf66ac88804960f4fa18e60d60234c48c7b91393648c
bf0518c83e53d8a9fad17aba51a6c1317e428cf28f2c9f3803338b8227ca2af8
51d733de2ee5eaffcda94424edba0e3f8e82673e3c1d7dc21acfa899cee59b50
c8a73b2ee505c2f74c3faf82a85c58c8b8ef386fbcf0987719af5f674b59dc61
7143b30046c107e091bdd2a558f61f28510b4846529163b05595c40e459e4268
9680a3ec07e9e263d1f6b566a8af3b37c95bc92ac21dd9609f8d84f48d469c6d
db2df2578d7d2c15e5c1696c6dbe2ebc4426beff743c724afb99f0d5b28ed56e
a553bd561bda318d04d664ce6ae0b991a9bf9b27ab75b913db29407a8f56ba9e
1f6e1c3bf8f6deb8ea708d5f6718fc454aa16f694c7401ec8fda7d7ae0ddf0ae
17d9663dcac0b28d8429c07158c882d93a44597249c4e5c55f826c2b892b0531
f1d199108d7cfb21bd1179984f9eb919f32e406cdee2e7ab790ffa49d90b0e00
ee0f588c6d3007a44b8797566841ead04151d550ae7a6cc682e69eb7a1955b7a
d0d1ece2abd4672269064190834911aadcec1cf05df88f4634668ef55e7b5a0a
45b95b982af2f447795e97cdabad33fde3961a2bfe646842d6ad852b91b2ccc0
f735637d27e3e9330910bf5352e4101e1be22bd7cbcabd59b6c86518982ef598
4dd5acc049cfa9e26984760c586bde18524a93a8f8c1499a1f6845c055a6bdec
18caec17a0574e49f734baebb1b736352c743bd8e739937263c20cfbd4c4c4b2
1d555a4cb9cbe445a67c48048b94b7336d1defde26d54688fee50d41bb9fad18
4d1fe7953896cbf02fba992879e4690b6facfda418958f64e29bc92a766deba2
4a30dedc0e6495ddc919f1b6a76a9a021317eb93f0c070191af51e2a98ffd2f6
ef05a791d0b0c1e9f961ddbff92b23c1b9e37692c2d0b8365825f5d7106ecdda
e164d5b4dac1d4487f55e3aa0c2b0a6271568505aceecea5e19d6a80964a5286
a21881fe2b08caf46ec9631bb0517e8008b81097a2e5103c4e80a3885744afc3
d14708df09d700c9ccd6e9213d0627b14f704c2a8f7ce250daa51764bb2111c1
2c024e5cda6a7601c4b27571f945e6d822cfff694c4bdab6a179f56260c74c51
19b43b1eca6537838330bdcb25f96d65e64bde287b3968d480c51cb410e460ce
be5b586d79a72fcd9fe43e04a68b96423d9b99fb46d0b646ece94456e4ff5535
56761756b611a03e42e544a33b0480c351e9283bc84454925cd6d528859c7bc0
8de2603f51a2cb4fcfe9b21fde0f5390c1eeefd94af8db78dc76b5e4209642da
d63589b388ee48fd2de3bc68579bd5c472a84080be036c636833642638d51d00
292d8b97e31dfbd1d56b52c3565539c284c211dff5d9fca2c28ac9144a81b4f1
fe18e31da1886127fee5a7730c9de0ec3f97eef00a094463d82383cd4998ffa4
fd9c4bc2a34155beea889ee0531d0d22a68b7d678fd3b2112fc78df309c649c5
ff9c29097b654ba4da76225d65022654ee62646bfbf77ba82dfe15d9318d32be
6b58751350139e13099f46e736bb4297f3678dff0e987839f2590c68e4de8e18
45ce84539799aa747351f3385d65c2a21be3f864dcefaaea6ab06037d4db0f0f
7042e46f98a94ee81d30964f1d564042d7cd014e4af69851e74a323c8bf65157
06b915288a6d317eb94b2a9ed0c7652216b0205587e2bf481a4c0e8fb21ff98b
9f268cd1dad143f749d88bbe59c79df541c39b0627fb0b774b16fbb150ecd134
cadb89edce2d304d4ea91cc70e94c247cacdfd96bbfcffa636bb9e1701dedeb9
76d1f0bcbdb8e7c0122257dfec30cc10faa10735e111cc6d448ad9fb4b6d9c15
4aaf717c5683096aa902f2375c74c40555f9433ca645c851a5a48634a73660a7
1484bdd98305921d3cc338a5c8865ab692418f227d79751732059c79909ca551
7d769d5fa6e7c2ec7815980f82f6d86ef1cf8d5424a0bf1c67f4eca4ed23e64b
294f5f102e0b5037979ebf28a237c05078910309a6f2b7ce6a3895b0c0f9886d
8e6803d718bf08c8ca747781256b93b1630934ff4292de7c05e2b3b4f08e6d35
585398f7d2055165a6bc3af4c534407dc52b140ce3506ae20f27b528d70f78f5
4e4c3478951f880813c96529ecd2df00024b7e64eac78915e23ae392e78f8e75
332303b7a69b1da87f42c8429ca57a3f3a34178531cff2405e2a1a77165aecf9
75fb50ec84bb57b434eda938483bde761930be35f7f60110d98bca1379e978ec
ceee57e508ebdb79ca13ec9f61253fc2a75505a0f79f49f85a3bad16d9fe2393
a0c151a1b69d87ada1c362549714943a71057bafc98dfe8f8c2324275da6a836
b0764c0d084abd23ffeb5f5e2be199b009f119119e4b1ccce23a69926aa22bb3
82e99379bc175dcbdcecacbb1fa1cecbe9d02faae9f7fe38b34a821e7fbd2149
5c9b5a6a3f662e8fce44aac354f27856f0a2a8e5f5e35838eb595bd1e7dbbc32
1711074bc6e2f68cc007e4042a21ccdc3a59ec3af8a9246c9c9a32386a074105
f2646956fe73749866ebb3bdc54961d9551ff50988662fefae8ad4256e7051e1
933159146dfdd8076582d1e435ccd5a4f4f5d9de4628dbc93d08efacc59202e3
09f9835e5ceee0fc476674e4b1fc4b2efcce8047776d5623814e6b960857a9de
b101a26529d3258491a9d6587ad0526f176ebd05ff3f236dd36f0df72b08d63d
7a8beb232b745cf37b3128135618029a2ed65368169d0c083519a21132ad0010
5b17acc038cd63d8d14518b0252e9f6dd83b2e0eb7ca92178ec40b25a1efcca9
SH256 hash:
e9eecd5d95b06b2f06ec112f76bc8f851494bc74193ea8fb43179bd63a753902
MD5 hash:
cd37fc7ed5e4bd8b8c6a6d7fe133407d
SHA1 hash:
f9575417eb69e3b96d125e3e41013dede440a524
Link:
https://www.unpac.me/results/656f2308-6864-4fe4-a402-c2ced6ded766/
SH256 hash:
6fcb569fa7ff42de205cae060d377f561b961dad378c40247b54378cbe506e7d
MD5 hash:
33d0bb14e440f21612f99a7f07662c81
SHA1 hash:
0c29f75ed9f4dd29f99c30ec3c0eed60505dc73c
Link:
https://www.unpac.me/results/656f2308-6864-4fe4-a402-c2ced6ded766/
SH256 hash:
82e99379bc175dcbdcecacbb1fa1cecbe9d02faae9f7fe38b34a821e7fbd2149
MD5 hash:
c6feeef64e5de37fb64309f6c954c066
SHA1 hash:
b6838f6c91da549d69c36c35ded8fbb0bc21c3df
Link:
https://www.unpac.me/results/656f2308-6864-4fe4-a402-c2ced6ded766/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
http://never.hitsturbo.com/order/tuc3.exe
Cape
Cape
https://www.capesandbox.com/analysis/466172/

Comments