MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 338447d40e099471b745ab89c003011a8e3443fd687845a199b76ed67f462516. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 338447d40e099471b745ab89c003011a8e3443fd687845a199b76ed67f462516
SHA3-384 hash: 411c5a6bf2255e968c553269c59e435c16922e5d8844789bd49d935d201cf63c15bb8c7ea10510765254666dd5b6ec5c
SHA1 hash: 415c63fd0a62519ccdd761142baf052db0c9b148
MD5 hash: fdf89cef00011f087f541cf26851ffcf
humanhash: single-arizona-virginia-nineteen
File name:Set-up.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:7'324'160 bytes
First seen:2023-01-28 14:35:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 11ea24073ee65343ee563e3160c77fde (11 x RecordBreaker, 3 x RaccoonStealer, 1 x Zyklon)
ssdeep 196608:vWoKh6/86G8izj595XAp9irEsXUX+EKAq:sQwN2LiHX2+EK
Threatray 699 similar samples on MalwareBazaar
TLSH T13676124252548220E8BF8D72A9E5EAB767773D56CD318C3C81D33A8625355D2EE32B0F
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0c4b49cd8dcaccc (1 x Rhadamanthys, 1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://45.15.156.215/

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Set-up.exe
Verdict:
No threats detected
Analysis date:
2023-01-28 14:38:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e0dbe585-6381-4da2-b02f-e6159f3c45b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357751/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP POST request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63656/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d532d689bd67c10fdb03b9/reports/f00cfc49-a5ed-4e5b-9895-4d02647e80b1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/219e8f67-78e9-47e0-8803-0b8838d0dd4a
Result
Threat name:
Laplas Clipper, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160791
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Laplas Clipper
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 793528 Sample: Set-up.exe Startdate: 28/01/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Antivirus detection for URL or domain 2->42 44 8 other signatures 2->44 7 Set-up.exe 24 2->7         started        12 ntlhost.exe 2->12         started        process3 dnsIp4 34 45.15.156.215, 49699, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 7->34 36 104.193.254.97, 49702, 80 HOSTING-SOLUTIONSUS United States 7->36 22 C:\Users\user\AppData\Local\...22Xfule25.exe, PE32+ 7->22 dropped 24 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->24 dropped 26 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 7->26 dropped 28 5 other files (3 malicious) 7->28 dropped 48 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->48 50 Tries to harvest and steal browser information (history, passwords, etc) 7->50 52 Tries to evade analysis by execution special instruction (VM detection) 7->52 54 3 other signatures 7->54 14 NXfule25.exe 1 2 7->14         started        file5 signatures6 process7 file8 30 C:\Users\user\AppData\Roaming\...\ntlhost.exe, PE32+ 14->30 dropped 56 Antivirus detection for dropped file 14->56 58 Multi AV Scanner detection for dropped file 14->58 60 Machine Learning detection for dropped file 14->60 18 ntlhost.exe 14->18         started        signatures9 process10 dnsIp11 32 185.223.93.251, 49704, 49705, 49706 HOSTING-SOLUTIONSUS Netherlands 18->32 46 Antivirus detection for dropped file 18->46 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/338447d40e099471b745ab89c003011a8e3443fd687845a199b76ed67f462516/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2023-01-28 14:36:12 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
15 of 26 (57.69%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gocepvaobgkhdn2fvoe4aaybdkhdiq75nb4elimzw5xnm72geula._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1b06b05b3d03c253f9bfa45fd2d02a982a0dcc4290a531ef0786b9d6092b041c
RecordBreaker
21ce471527c051d26da04e96c2829f450b031767399ea401920ab8b43018e421
RecordBreaker
28c1edc4fa9f29fde994540cd25402fd47d46404eb1ebbfc0fc0a245bf03bd04
RecordBreaker
3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56
RecordBreaker
682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
RecordBreaker
7008a243e04182353acfd7b105350ba6785b2b9b512f1c874d1619a87f419688
RecordBreaker
9a380ad3f2980cb91e04de3c91a405de0075bbe26b4c68f9e427b6abf1da26ef
RecordBreaker
ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1
RecordBreaker
d719df850d62a455d34bf2a5847b36e6d267047824b2e96b7c4c9cdfbd9737e3
RecordBreaker
+ 689 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1c145396a071df7e490bd2cf3def4bdf stealer
Link:
https://tria.ge/reports/230128-rykvcsfb76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Raccoon
Malware Config
C2 Extraction:
http://45.15.156.215/
Unpacked files
SH256 hash:
338447d40e099471b745ab89c003011a8e3443fd687845a199b76ed67f462516
MD5 hash:
fdf89cef00011f087f541cf26851ffcf
SHA1 hash:
415c63fd0a62519ccdd761142baf052db0c9b148
Link:
https://www.unpac.me/results/be373f51-1b7c-43b8-b1ed-780aac336fb0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/338447d40e099471b745ab89c003011a8e3443fd687845a199b76ed67f462516

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/357751/

Comments