Analysis Report y98WYYcJ2U.exe
Overview
General Information
Detection
Raccoon, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Renames NTDLL to bypass HIPS
Tries to detect Sandboxie (via GetModuleHandle check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup
Malware Configuration
Threatname: Raccoon Stealer

```json
{"Config: ": [
  "00000000 -> [Raccoon Stealer] - v1.5.13-af-hotfix Release",
  "Build compiled on Mon Jul 6 14:33:03 2020",
  "Launched at: 2020.09.14 - 03:55:16 GMT",
  "Bot_ID: 717E1B34-6140-4FC8-B497-B7800CAA7E40_user",
  "Running on a desktop",
  "=R=A=C=C=O=O=N=",
  "- Cookies: 8",
  "- Passwords: 0",
  "- Files: 0",
  "System Information:",
  "- System Language: English",
  "- System TimeZone: -8 hrs",
  "- IP: 91.132.136.206",
  "- Location: 47.392502, 8.454600 | Zurich, Zurich, Switzerland (8010)",
  "- ComputerName: 528110",
  "- Username: user",
  "- Windows version: NT 10.0",
  "- Product name: Windows 10 Pro",
  "- System arch: x64",
  "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)",
  "- RAM: 8191 MB (6822 MB used)",
  "- Screen resolution: 1280x1024",
  "- Display devices:",
  "0) Microsoft Basic Display Adapter",
  "============",
  "Installed Apps:",
  "Adobe Acrobat Reader DC (18.011.20055)",
  "Google Chrome (67.0.3396.99)",
  "Google Update Helper (1.3.33.17)",
  "Java 8 Update 171 (8.0.1710.11)",
  "Java Auto Updater (2.8.171.11)",
  "Mozilla Firefox 72.0.2 (x86 en-US) (72.0.2)",
  "============"
]}
```
Yara Overview
PCAP (Network Traffic)
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
Dropped Files
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
| | ConventionEngine_Keyword_Inject | Searching for PE files with PDB path keywords, terms or anomalies. | @stvemillertime | |
| | ConventionEngine_Keyword_Hook | Searching for PE files with PDB path keywords, terms or anomalies. | @stvemillertime | |
| | ConventionEngine_Keyword_Proxy | Searching for PE files with PDB path keywords, terms or anomalies. | @stvemillertime | |
| | ConventionEngine_Keyword_Hook | Searching for PE files with PDB path keywords, terms or anomalies. | @stvemillertime | |
Memory Dumps
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | |
Unpacked PEs
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | |
Sigma Overview
No Sigma rule has matched
Signature Overview
AV Detection
Found malware configuration
Source: Malware Configuration Extractor:
Yara detected Raccoon Stealer
Source: File source:
Source: File source:
Source: File source:
Source: File source:
Source: File source:
Machine Learning detection for sample
Source: Joe Sandbox ML:
| Source | Code function |
|---|---|
| | 4_2_0040A5D7 |
| | 4_2_00423030 |
| | 4_2_00423203 |
| | 4_2_004094E8 |
| | 4_2_0040B586 |
| | 4_2_00409BD7 |
| | 4_2_0041A0CC |
| | 4_2_00408F24 |
| | 4_2_00433A25 |
| Source | Code function |
|---|---|
| | 4_2_0043DD11 |
| | 4_2_0045F48D |
| | 4_2_0043DD31 |
| | 4_2_0043DE7C |
| | 9_2_0267A650 |
| Source | Code function |
|---|---|
| | 4_2_00434B68 |
Source: File opened:
Source: File opened:
Source: File opened:
Source: File opened:
Source: File opened:
Source: File opened:
| Source | Code function |
|---|---|
| | 5_2_004178C0 |
| | 5_2_0040E8B0 |
| | 5_2_004071B0 |
| | 5_2_0040D240 |
| | 5_2_00414240 |
| | 5_2_00409220 |
| | 5_2_00402300 |
| | 5_2_00401300 |
| | 5_2_004033E0 |
| | 5_2_00417460 |
| | 5_2_00405540 |
| | 5_2_00402500 |
| | 5_2_00406EA0 |
| | 5_2_001E905F |
| | 5_2_001D70F0 |
| | 5_2_001E7B10 |
| | 5_2_001DEB00 |
| | 5_2_001D7400 |
| | 5_2_001D9470 |
| | 5_2_001D9468 |
| | 5_2_001DD490 |
| | 5_2_001E4490 |
| | 5_2_001D1550 |
| | 5_2_001D2550 |
| | 5_2_001D3630 |
| | 5_2_001E76B0 |
| | 5_2_001D2750 |
| | 5_2_001D5790 |
| | 9_2_0266D240 |
| | 9_2_02674240 |
| | 9_2_02669220 |
| | 9_2_02662300 |
| | 9_2_02661300 |
| | 9_2_026633E0 |
| | 9_2_026778C0 |
| | 9_2_0266E8B0 |
| | 9_2_026671B0 |
| | 9_2_02666EA0 |
| | 9_2_02677460 |
| | 9_2_02665540 |
| | 9_2_02662500 |
Networking
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Snort IDS:
Source: HTTP traffic detected: