Edit tour
Windows
Analysis Report
SecuriteInfo.com.Trojan.PWS.Siggen3.33653.31886.3628.exe
Overview
General Information
Detection
Raccoon Stealer v2
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer v2
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.PWS.Siggen3.33653.31886.3628.exe (PID: 5720 cmdline:
"C:\Users\ user\Deskt op\Securit eInfo.com. Trojan.PWS .Siggen3.3 3653.31886 .3628.exe" MD5: 093C5901F614540D964109A9AC58A0FF)
- cleanup
{"C2 url": ["http://193.142.147.59:80"], "Bot ID": "fa72f4c1fbe65cee8651140fd47267ba", "XOR key": "fa72f4c1fbe65cee8651140fd47267ba"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
Click to see the 45 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2_1 | Yara detected Raccoon Stealer v2 | Joe Security |
⊘No Sigma rule has matched
Timestamp: | 2024-08-13T10:21:17.807068+0200 |
SID: | 2854151 |
Severity: | 1 |
Source Port: | 49711 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-08-13T10:21:11.287359+0200 |
SID: | 2036934 |
Severity: | 1 |
Source Port: | 49711 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 2024-08-13T10:21:11.535611+0200 |
SID: | 2036955 |
Severity: | 1 |
Source Port: | 80 |
Destination Port: | 49711 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Code function: | 0_2_00403A6C | |
Source: | Code function: | 0_2_004035B2 | |
Source: | Code function: | 0_2_00403FB8 | |
Source: | Code function: | 0_2_004025C2 | |
Source: | Code function: | 0_2_0040254C | |
Source: | Code function: | 0_2_00407553 |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_00406CC5 | |
Source: | Code function: | 0_2_00404F4A | |
Source: | Code function: | 0_2_0040F04B | |
Source: | Code function: | 0_2_004108CA | |
Source: | Code function: |