Report - 2111.exe

Raccoon Stealer Gen1 Malicious Library UPX Malicious Packer PE File PE32 OS Processor Check DLL

ScreenShot

Info
Location map


Created	2023.06.30 09:46	Machine	s1_win7_x6403
Filename	2111.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	9	Behavior Score	6.0
ZERO API	file : malware
VT API (file)	39 detected (AIDetectMalware, Lazy, PasswordStealer, Save, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, score, Raccoon, PWSX, AGEN, moderate, ai score=84, Sabsik, BScope, TrojanPSW, Racealer, unsafe, At9cuQQ5xMH, susgen)
md5	175ac1e037521a1d29bffe5abe0d9d92
sha256	5ff52ab9349cd6d7a7fc0d2596c3423cdfb5df668b363fb93bd686f9ab198910
ssdeep	768:TVcCo1dt4cybqx7P9vm9Rg6+E7apmW8msk:T2t4cybq56O84
imphash	8293f3c89c8bdc2a5d082fbe7d24c76c
impfuzzy	3:sU9KTXzhAXw3aAXwUgEJJ67WBJAE6iLMRMExn:HGDMy3/JJBJAEhcL

Network IP location

Signature (14cnts)

Level	Description
danger	File has been identified by 39 AntiVirus engines on VirusTotal as malicious
watch	Collects information about installed applications
watch	Communicates with host for which no DNS query was performed
notice	An executable file was downloaded by the process 2111.exe
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Queries for potentially installed applications
notice	Sends data using the HTTP POST Method
notice	Steals private information from local Internet browsers
info	Checks amount of memory in system
info	Collects information to fingerprint the system (MachineGuid
info	Tries to locate where the browsers are installed

Rules (12cnts)

Level	Name	Description	Collection
danger	Raccoon_Stealer_1_Zero	Raccoon Stealer	binaries (upload)
danger	Win32_Trojan_Gen_1_0904B0_Zero	Win32 Trojan Emotet	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (10cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://89.208.107.176/1eaae3b81d638c46a80f7e2ea4ea952c whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll whois		Psk-set LLC	89.208.107.176		clean
http://89.208.107.176/ whois		Psk-set LLC	89.208.107.176		clean
89.208.107.176 whois		Psk-set LLC	89.208.107.176		clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x40c000 GetProcAddress
0x40c004 lstrlenA
0x40c008 LocalAlloc
0x40c00c LoadLibraryA
ole32.dll
0x40c014 CoInitialize

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure