analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

V01dZ.exe

Full analysis: https://app.any.run/tasks/a2188274-b576-40d9-971b-589d2a8ca108
Verdict: Malicious activity
Threats:

Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 08:49:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
raccoon
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

EA769ACB9C9175ADC17BC0A323F1AA52

SHA1:

F341781473F0502E210A8D465C7591CD2EBF1819

SHA256:

D46CABFF569359780D3BAB01D15F9312B231EB9A6105AB0763AA02F932BC361B

SSDEEP:

12288:4f8Y9mVgeKflxzL8SfvcyRb6KUzowfXu7p7ifFzehGoih/i028iiu:DQ/NlxzLRabXPa4eKiD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • V01dZ.exe (PID: 3000)

    • Actions looks like stealing of personal data

      • V01dZ.exe (PID: 3000)

    • Stealing of credential data

      • V01dZ.exe (PID: 3000)

    • RACCOON was detected

      • V01dZ.exe (PID: 3000)
      • V01dZ.exe (PID: 3000)

    • Connects to CnC server

      • V01dZ.exe (PID: 3000)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3928)

    • Changes settings of System certificates

      • V01dZ.exe (PID: 3000)

  • SUSPICIOUS

    • Reads the cookies of Mozilla Firefox

      • V01dZ.exe (PID: 3000)

    • Executable content was dropped or overwritten

      • V01dZ.exe (PID: 3000)

    • Connects to server without host name

      • V01dZ.exe (PID: 3000)

    • Reads the cookies of Google Chrome

      • V01dZ.exe (PID: 3000)

    • Starts CMD.EXE for self-deleting

      • V01dZ.exe (PID: 3000)

    • Starts CMD.EXE for commands execution

      • V01dZ.exe (PID: 3000)

    • Adds / modifies Windows certificates

      • V01dZ.exe (PID: 3000)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1f33
UninitializedDataSize: -
InitializedDataSize: 34360320
CodeSize: 88064
LinkerVersion: 14
PEType: PE32
TimeStamp: 2018:06:19 03:26:25+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-2018 01:26:25
Detected languages:
  • Italian - Italy
Debug artifacts:
  • C:\febimiki21_vowejumefoxosohiw.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 9
Time date stamp: 19-Jun-2018 01:26:25
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001565B
0x00015800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.69408
.rdata
0x00017000
0x0008E856
0x0008EA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.45181
.data
0x000A6000
0x0202EE00
0x00002200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.682501
.biduluz
0x020D5000
0x00000400
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.cilix
0x020D6000
0x00000001
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.tls
0x020D7000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.gfids
0x020D8000
0x000000AC
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.52255
.rsrc
0x020D9000
0x00005668
0x00005800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.76961
.reloc
0x020DF000
0x000011E0
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.6039

Resources

Title
Entropy
Size
Codepage
Language
Type
1
6.47432
4264
UNKNOWN
Italian - Italy
RT_ICON
14
3.24535
704
UNKNOWN
UNKNOWN
RT_STRING
15
3.30642
1744
UNKNOWN
UNKNOWN
RT_STRING
16
3.29266
1902
UNKNOWN
UNKNOWN
RT_STRING
17
3.32584
1500
UNKNOWN
UNKNOWN
RT_STRING
18
3.34166
1214
UNKNOWN
UNKNOWN
RT_STRING
19
3.30236
1896
UNKNOWN
UNKNOWN
RT_STRING
20
3.30497
1694
UNKNOWN
UNKNOWN
RT_STRING
21
3.24969
898
UNKNOWN
UNKNOWN
RT_STRING
116
1.7815
20
UNKNOWN
Italian - Italy
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RACCOON v01dz.exe cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3000"C:\Users\admin\AppData\Local\Temp\V01dZ.exe" C:\Users\admin\AppData\Local\Temp\V01dZ.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3928cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\admin\AppData\Local\Temp\V01dZ.exe"C:\Windows\system32\cmd.exeV01dZ.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1884ping 1.1.1.1 -n 1 -w 3000 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
101
Read events
65
Write events
35
Delete events
1

Modification events

(PID) Process:(3000) V01dZ.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3000) V01dZ.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:@%SystemRoot%\system32\p2pcollab.dll,-8042
Value:
Peer to Peer Trust
(PID) Process:(3000) V01dZ.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:@%SystemRoot%\system32\qagentrt.dll,-10
Value:
System Health Authentication
(PID) Process:(3000) V01dZ.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dnsapi.dll,-103
Value:
Domain Name System (DNS) Server Trust
(PID) Process:(3000) V01dZ.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:@%SystemRoot%\System32\fveui.dll,-843
Value:
BitLocker Drive Encryption
(PID) Process:(3000) V01dZ.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:@%SystemRoot%\System32\fveui.dll,-844
Value:
BitLocker Data Recovery Agent
(PID) Process:(3000) V01dZ.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\V01dZ_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3000) V01dZ.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\V01dZ_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3000) V01dZ.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\V01dZ_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3000) V01dZ.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\V01dZ_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
60
Suspicious files
2
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\frAQBc8Wsa
MD5:
SHA256:
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\1xVPfvJcrg
MD5:
SHA256:
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\RYwTiizs2t
MD5:
SHA256:
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\rQF69AzBla
MD5:
SHA256:
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\passwords.txttext
MD5:27067F1913491016D42E3185DA610888
SHA256:12EFBBED167C3844B41367D55A35B6B9883399005B79CC75B5B4C29177FA1747
3000V01dZ.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\libs[1].zipcompressed
MD5:1117CD347D09C43C1F2079439056ADA3
SHA256:4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\AdLibs\qipcap.dllexecutable
MD5:F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA256:7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\AdLibs\prldap60.dllexecutable
MD5:6099C438F37E949C4C541E61E88098B7
SHA256:46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\AdLibs\softokn3.dllexecutable
MD5:4E8DF049F3459FA94AB6AD387F3561AC
SHA256:25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
3000V01dZ.exeC:\Users\admin\AppData\Local\Temp\chrome_autofill.txttext
MD5:94E4B390BD3867A77FA5F1F2FA3A48E4
SHA256:20DDE09A7AAE3093FEC32D6D59DC8E58FC69C6E485FB267161ADFDA95F502FBD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
V01dZ.exe
POST
200
35.189.105.242:80
http://35.189.105.242/file_handler/file.php?hash=66c49ccb5f280e91377b053b7b29dd7635e99882&js=faf1088750f1ad352c097e4c1818a42ec6cef4bb&callback=http://35.189.105.242/gate
US
text
13 b
malicious
3000
V01dZ.exe
POST
200
35.189.105.242:80
http://35.189.105.242/gate/log.php
US
text
444 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3000
V01dZ.exe
35.189.105.242:80
Google Inc.
US
malicious
3000
V01dZ.exe
216.58.208.33:443
doc-0s-24-docs.googleusercontent.com
Google Inc.
US
whitelisted
3000
V01dZ.exe
31.31.198.12:443
mygift.space
Domain names registrar REG.RU, Ltd
RU
malicious
3000
V01dZ.exe
172.217.21.206:443
drive.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
drive.google.com
  • 172.217.21.206
shared
doc-0s-24-docs.googleusercontent.com
  • 216.58.208.33
whitelisted
mygift.space
  • 31.31.198.12
malicious

Threats

PID
Process
Class
Message
3000
V01dZ.exe
A Network Trojan was detected
AV TROJAN Trojan-Spy.MSIL.Stealer.ahp CnC Checkin
3000
V01dZ.exe
A Network Trojan was detected
MALWARE [PTsecurity] Spyware.RaccoonStealer
3000
V01dZ.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3000
V01dZ.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3000
V01dZ.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3000
V01dZ.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3000
V01dZ.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3000
V01dZ.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
3000
V01dZ.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Loader (Trojan.Agent.DDSA) Requesting Zip Archive
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
V01dZ.exe