Edit tour
Windows
Analysis Report
xzQ4Zf3975.exe
Overview
General Information
| Sample name: | xzQ4Zf3975.exerenamed because original name is a hash value |
| Original sample name: | cefc3739d099bae51eb2a9d3887ac12c.exe |
| Analysis ID: | 1469058 |
| MD5: | cefc3739d099bae51eb2a9d3887ac12c |
| SHA1: | fba9f10f553d73382f73247c5c136e8338f1ebe5 |
| SHA256: | 17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7 |
| Tags: | 64exetrojan |
| Infos: |  |
 | |
Detection
Raccoon Stealer v2
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
xzQ4Zf3975.exe (PID: 424 cmdline: "C:\Users\ user\Deskt op\xzQ4Zf3 975.exe" MD5: CEFC3739D099BAE51EB2A9D3887AC12C) 
cmd.exe (PID: 3004 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\RarS FX0\1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4892 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
clamer.exe (PID: 5536 cmdline: clamer.exe -priverdD MD5: 257496C44C4C464162950D5BBDA59BAB) 
voptda.exe (PID: 2792 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\RarSFX 1\voptda.e xe" MD5: E43EF6CF5352762AEF8AAB85D26B08EC)
- cleanup
{"C2 url": ["http://95.169.205.186:80/"], "Bot ID": "fb96e3bf5bafc00f44249e341787dfd4", "XOR key": "fb96e3bf5bafc00f44249e341787dfd4"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
| Click to see the 17 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security | ||
| JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security |
⊘No Sigma rule has matched
| Timestamp: | 07/08/24-13:14:08.625220 |
| SID: | 2036955 |
| Source Port: | 80 |
| Destination Port: | 49711 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 07/08/24-13:14:07.939324 |
| SID: | 2036934 |
| Source Port: | 49711 |
| Destination Port: | 80 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 5_2_00402C05 | |
| Source: | Code function: | 5_2_0040318A | |
| Source: | Code function: | 5_2_00402723 | |
| Source: | Code function: | 5_2_004044BB | |
| Source: | Code function: | 5_2_00401639 | |
| Source: | Code function: | 5_2_0040823C | |
| Source: | Code function: | 5_2_004015BE | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 1_2_00007FF6FDDC40BC | |
| Source: | Code function: | 1_2_00007FF6FDDDB190 | |
| Source: | Code function: | 1_2_00007FF6FDDEFCA0 | |
| Source: | Code function: | 4_2_00007FF764E0B190 | |
| Source: | Code function: | 4_2_00007FF764DF40BC | |
| Source: | Code function: | 4_2_00007FF764E1FCA0 | |
| Source: | Code function: | 5_2_0040DC49 | |
| Source: | Code function: | 5_2_004070C9 | |
| Source: | Code function: | 5_2_0040194A | |
| Source: | Code function: | ||