MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1c011be98e6aa97ab3beb986d18b62be34d8e792992750a0be36620094efab5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaccoonStealer


Vendor detections: 12



SHA256 hash: c1c011be98e6aa97ab3beb986d18b62be34d8e792992750a0be36620094efab5
SHA3-384 hash: e4865512a01b979a9d8dc77b22e35e7ed8acc66efc9d1759979d83ed63408d7e10b2428a50450ec02318c1f16fe18cc1
SHA1 hash: 87910fb2b09ac1609994da47c998093c3efbe422
MD5 hash: cae72613a3abd2c6bfa59736c5bc12f0
humanhash: victor-asparagus-nitrogen-oranges
File name: tuc7.exe
Signature: RaccoonStealer
File size: 7'867'265 bytes
First seen: 2023-12-11 17:04:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 196608:OWc5A2XV/1qTZGgnkphp0rAwZYGespRHDfY5cdV4qCzj:ODFyOTpBsLp1c5SV4qCzj
Threatray: 5'228 similar samples on MalwareBazaar
TLSH: T10A8633B36004A13AE034E4F7ED27E91066332DC0147A952966EEB9F0777AE2DE06571F
TrID:
  76.2% (.EXE) Inno Setup installer (107240/4/30)
  10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter: Xev
Tags: exe RaccoonStealer Socks5Systemz


NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc7.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 279
Origin country: GR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Sending a custom TCP request
Enabling autorun for a service
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Petite Virus, Socks5Systemz
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph: ID 1359437; Sample: tuc7.exe; Startdate: 12/12/2023; Architecture: WINDOWS; Score: 100
Signatures on the sample: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
Process tree recovered from the graph:
  tuc7.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\tuc7.tmp (PE32)
    started: tuc7.tmp
      dropped: C:\Program Files (x86)\...\gifplayer.exe (PE32); C:\Program Files (x86)\...\is-IPHJ0.tmp (PE32); C:\Program Files (x86)\...\is-EHBN2.tmp (PE32); 56 other files (none is malicious)
      signature: Uses schtasks.exe or at.exe to add and modify task schedules
      started: gifplayer.exe
        network: csrirpv.net 185.196.8.22, ports 49708, 49709, 49710 (SIMPLECARRER2IT, Switzerland)
      started: net.exe
        started: conhost.exe; net1.exe
      started: gifplayer.exe
        dropped: C:\ProgramData\L77Storage\L77Storage.exe (PE32)
      started: schtasks.exe
        started: conhost.exe
  svchost.exe
    signature: Changes security center settings (notifications, updates, antivirus, firewall)
    started: MpCmdRun.exe
      started: conhost.exe
  svchost.exe
    signature: Query firmware table information (likely to detect VMs)
  4 other processes
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-12-11 17:05:07 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 10 of 23 (43.48%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SHA256 hash: c374ce370b8991347db808eed8be0ca9b693a160c624875706f4ff1fa68dc3ba
MD5 hash: 4fcc1a443bbd996a11db50e494496967
SHA1 hash: d39880a707f5ee4d3c5047af1856ee192160c800
SHA256 hash: c1b44abe18e4abff85ca77784257fe2ee1ca9f6186423d5b57f4236c7f369bdc
MD5 hash: b1bbc66b10803ea74053f23119156d4b
SHA1 hash: 755a68621ea89bda385b92d3ef832ea923d73f94
Detections: INDICATOR_EXE_Packed_VMProtect
Parent samples:
SHA256 hash: dc5d7971ff6aadf64269a5a5ae6667a93a931bd02c60ef01604dfda6048979dc
MD5 hash: 5ced4cd23dd3903404e3751634caf87e
SHA1 hash: fa45d3eb2bcb242f995f085ecdbc66f24426dcdd
SHA256 hash: 3c5a5dfe48fd52d00a41a58cf6c5a564cd94f9cef858b9b9aa15681767cc2d4c
MD5 hash: 819926ad1b4d8bcdde32b4f9e0402a45
SHA1 hash: dca7b2041522c1e9673d9cdc7567fe11b1639953
SHA256 hash: e536ef7e227f121794babf3896a11949a1b25bb48b76bb5e3b6475d9b4e31d16
MD5 hash: 66fe1db8bc6f0f57045534f31309ea46
SHA1 hash: 825a4c94dd4820bded6a54ef20817ad5cdb8dc19
SHA256 hash: c1c011be98e6aa97ab3beb986d18b62be34d8e792992750a0be36620094efab5
MD5 hash: cae72613a3abd2c6bfa59736c5bc12f0
SHA1 hash: 87910fb2b09ac1609994da47c998093c3efbe422
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments