Summary | ZeroBOX

svchost2.exe

Raccoon Stealer
Category FILE
Machine s1_win7_x6401
Started March 11, 2021, 4:57 p.m.
Completed March 11, 2021, 4:57 p.m.
Size 305.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 faca0df291612a0d24228dccf2665cd6
SHA256 25fdacee698a4e39e28d6cee29a81e4a39a81b9aff74b89c53b7d87fb3d3f311
CRC32 F2C9EF7B
ssdeep 6144:fitKq+SmPtXaUGylNy3qdupuQASsaabocZ4ugiY:WKq+SmVKU7lQagY1JhDaiY
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Raccoon_Stealer_1_Zero - Raccoon Stealer
  • win_mutex - Create or check mutex
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasRichSignature - Rich Signature Check

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address     Status  Action
164.124.101.2  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .rozotal
section .vimeb
resource name DUMALEHANUGABA
resource name RUZINUHEFUJAB
Time & API: NtProtectVirtualMemory
Arguments:
  process_identifier: 2212
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 159744
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x02b3b000
  process_handle: 0xffffffff
Status: 1
Return: 0
Repeated: 0

Time & API: NtAllocateVirtualMemory
Arguments:
  process_identifier: 2212
  region_size: 217088
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00390000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
Status: 1
Return: 0
Repeated: 0
section .text: size_of_data 0x0003f000, virtual_address 0x00001000, virtual_size 0x0003ef44, entropy 7.738485609036443
description: A section with a high entropy has been found
entropy 0.827586206897
description: Overall entropy of this PE file is high
rule inject_thread: Code injection with CreateRemoteThread in a remote process
rule create_service: Create a windows service
rule network_udp_sock: Communications over UDP network
rule network_tcp_listen: Listen for incoming communication
rule network_p2p_win: Communications over P2P network
rule network_http: Communications over HTTP
rule network_dropper: File downloader/dropper
rule network_ftp: Communications over FTP
rule network_tcp_socket: Communications over RAW socket
rule network_dns: Communications use DNS
rule network_dga: Communication using dga
rule escalate_priv: Escalate privileges
rule screenshot: Take screenshot
rule keylogger: Run a keylogger
rule cred_local: Steal credential
rule sniff_audio: Record Audio
rule migrate_apc: APC queue tasks migration
rule spreading_share: Malware can spread east-west using share drive
rule win_mutex: Create or check mutex
rule win_registry: Affect system registries
rule win_token: Affect system token
rule win_private_profile: Affect private profile
rule win_files_operation: Affect private profile
rule Str_Win32_Winsock2_Library: Match Winsock 2 API library declaration
rule Str_Win32_Wininet_Library: Match Windows Inet API library declaration
rule Str_Win32_Internet_API: Match Windows Inet API call
rule Str_Win32_Http_API: Match Windows Http API call
rule DebuggerCheck__GlobalFlags: (no description)
rule DebuggerCheck__QueryInfo: (no description)
rule DebuggerCheck__RemoteAPI: (no description)
rule DebuggerHiding__Thread: (no description)
rule DebuggerHiding__Active: (no description)
rule DebuggerException__ConsoleCtrl: (no description)
rule DebuggerException__SetConsoleCtrl: (no description)
rule ThreadControl__Context: (no description)
rule SEH__vectored: (no description)
rule Check_Dlls: (no description)
rule anti_dbg: Checks if being debugged
rule antisb_threatExpert: Anti-Sandbox checks for ThreatExpert
rule disable_dep: Bypass DEP
rule win_hook: Affect hook table
Engine              Detection
Bkav                W32.AIDetect.malware1
Elastic             malicious (high confidence)
MicroWorld-eScan    Trojan.GenericKD.45823537
FireEye             Generic.mg.faca0df291612a0d
McAfee              Artemis!FACA0DF29161
Cylance             Unsafe
Sangfor             Trojan.Win32.Save.a
K7AntiVirus         Trojan ( 00576c951 )
K7GW                Trojan ( 00576c951 )
Arcabit             Trojan.Generic.D2BB3631
BitDefenderTheta    Gen:NN.ZexaF.34608.tyW@a8fx5XoG
Symantec            ML.Attribute.HighConfidence
Avast               Win32:PWSX-gen [Trj]
ClamAV              Win.Malware.Botx-9838326-0
Kaspersky           HEUR:Trojan.Win32.Zenpak.gen
BitDefender         Trojan.GenericKD.45823537
APEX                Malicious
Ad-Aware            Trojan.GenericKD.45823537
Emsisoft            Trojan.GenericKD.45823537 (B)
F-Secure            Trojan.TR/Kryptik.wtndw
McAfee-GW-Edition   BehavesLike.Win32.Trojan.fc
Sophos              Mal/Generic-S
Ikarus              Trojan-Banker.UrSnif
Avira               TR/Kryptik.wtndw
Gridinsoft          Trojan.Heur!.02854021
Microsoft           Trojan:Win32/Glupteba.OV!MTB
ZoneAlarm           HEUR:Trojan.Win32.Zenpak.gen
GData               Trojan.GenericKD.45823537
Cynet               Malicious (score: 100)
ALYac               Trojan.GenericKD.45823537
MAX                 malware (ai score=83)
Malwarebytes        Trojan.MalPack.GS
ESET-NOD32          a variant of Win32/Kryptik.HJTA
SentinelOne         Static AI - Malicious PE
MaxSecure           Trojan.Malware.300983.susgen
Fortinet            W32/GenKryptik.FCKE!tr
AVG                 Win32:PWSX-gen [Trj]
Panda               Trj/GdSda.A
CrowdStrike         win/malicious_confidence_100% (W)
Qihoo-360           HEUR/QVM10.1.A93F.Malware.Gen