Windows
Analysis Report
c35d4e641adf21bead54611499c416c8e2de75ac96098.exe
Overview
General Information
Detection
Raccoon Stealer v2
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
DLL side loading technique detected
Contains functionality to inject code into remote processes
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Is looking for software installed on the system
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- c35d4e641adf21bead54611499c416c8e2de75ac96098.exe (PID: 5796, cmdline: "C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe", MD5: C5AF2B53CF4B8D6177240A822EF6F350)
- AppLaunch.exe (PID: 5728, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, MD5: 6807F903AC06FF7E1670181378690B22)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
| JoeSecurity_RaccoonV2 | Yara detected Raccoon Stealer v2 | Joe Security |
⊘No Sigma rule has matched
Timestamp: | 08/11/22-06:57:07.043612 |
Source IP: | 192.168.2.3 |
Destination IP: | 89.208.103.4 |
SID: | 2036934 |
Source Port: | 49736 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 08/11/22-06:57:07.164104 |
Source IP: | 89.208.103.4 |
Destination IP: | 192.168.2.3 |
SID: | 2036955 |
Source Port: | 80 |
Destination Port: | 49736 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection
---
Source: Virustotal (Perma Link)
Source: Avira
Source: Joe Sandbox ML
Source: Avira
Source: Avira
Source: Static PE information
Source: Static PE information
Source: Binary string
Source: Code function: 0_2_013B8E50
Networking
---
Source: Snort IDS
Source: Snort IDS
Source: HTTP traffic detected