Edit tour
Windows
Analysis Report
dz26XIBBSB.exe
Overview
General Information
Detection
Raccoon Stealer v2
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
DLL side loading technique detected
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Is looking for software installed on the system
Drops PE files
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- dz26XIBBSB.exe (PID: 5148 cmdline:
C:\Users\u ser\Deskto p\dz26XIBB SB.exe MD5: 28870D10A69D01DDCF1F358E0C8A837A) - InstallUtil.exe (PID: 2416 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\Inst allUtil.ex e MD5: EFEC8C379D165E3F33B536739AEE26A3)
- cleanup
{"C2 url": ["http://51.79.211.202"], "Bot ID": "0963961b6efd711f927db2b31f7bcc38", "RC4_key1": "0963961b6efd711f927db2b31f7bcc38"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
Click to see the 3 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security | ||
Click to see the 3 entries |
⊘No Sigma rule has matched
Timestamp: | 192.168.2.351.79.211.20249701802007648 11/03/22-18:57:43.240693 |
SID: | 2007648 |
Source Port: | 49701 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 192.168.2.351.79.211.20249701802036934 11/03/22-18:57:31.341817 |
SID: | 2036934 |
Source Port: | 49701 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 51.79.211.202192.168.2.380497012036955 11/03/22-18:57:31.887493 |
SID: | 2036955 |
Source Port: | 80 |
Destination Port: | 49701 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Joe Sandbox ML: |
Source: | Malware Configuration Extractor: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |