MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d
SHA3-384 hash: 3f01a6d34d62201836236bd66a244ee1957000125e92f06d6523d561166d66aae5bd56425aa558ee3df01b9b5236bee9
SHA1 hash: eb76dca9b1b9b927d6b4895f7041c9e8656b91f5
MD5 hash: 8f0d49001382056bb22d498b0c1e8426
humanhash: eighteen-tennessee-lactose-enemy
File name:Setup.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:7'313'920 bytes
First seen:2023-02-18 09:16:57 UTC
Last seen:2023-02-18 10:30:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 161839a78ef6f07a30d3f07895f6fe23 (27 x RecordBreaker)
ssdeep 196608:hJwaVL4x+Zr1By4jOrscVh6qpmMgkFbO8E:QaVLACrvTOoiEqpmMxb
Threatray 561 similar samples on MalwareBazaar
TLSH T1EF76237623A0109FE3D68C31422F7EE662B53FDB3641EC3816857DC125325D0AA6DAB7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8c4b2367ce9ccf0 (2 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
No threats detected
Analysis date:
2023-02-18 09:27:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5ddddb58-87eb-487b-990f-acd9e5922914

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368059/
Detection(s):
SecuriteInfo.com.Variant.Lazy.294002.28585.7536.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71586/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63f09791e0b58044817ad0c7/reports/ace68d6c-b931-4685-b489-eafcdacd1116/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1cee2c50-66d1-4877-9144-9ceb6647f09f
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1178481
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811306 Sample: Setup.exe Startdate: 18/02/2023 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Multi AV Scanner detection for domain / URL 2->39 41 Antivirus detection for URL or domain 2->41 43 6 other signatures 2->43 7 Setup.exe 32 2->7         started        process3 dnsIp4 31 83.217.11.27, 49715, 80 ATLEX-ASRU Russian Federation 7->31 33 77.73.134.24, 49716, 80 FIBEROPTIXDE Kazakhstan 7->33 35 77.73.134.35 FIBEROPTIXDE Kazakhstan 7->35 21 C:\Users\user\AppData\Roaming\vSDaGJy8.exe, PE32+ 7->21 dropped 23 C:\Users\user\AppData\Roaming\Q8NqB2t2.exe, PE32+ 7->23 dropped 25 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->25 dropped 27 6 other files (4 malicious) 7->27 dropped 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->47 49 Tries to harvest and steal browser information (history, passwords, etc) 7->49 51 Tries to evade analysis by execution special instruction (VM detection) 7->51 53 3 other signatures 7->53 12 Q8NqB2t2.exe 1 3 7->12         started        16 vSDaGJy8.exe 7->16         started        file5 signatures6 process7 file8 29 C:\...\USOSharedMicrosoft-type5.4.2.2.exe, PE32+ 12->29 dropped 55 Multi AV Scanner detection for dropped file 12->55 57 Query firmware table information (likely to detect VMs) 12->57 59 Machine Learning detection for dropped file 12->59 65 2 other signatures 12->65 18 USOSharedMicrosoft-type5.4.2.2.exe 12->18         started        61 Antivirus detection for dropped file 16->61 63 Tries to harvest and steal browser information (history, passwords, etc) 16->63 signatures9 process10 signatures11 45 Antivirus detection for dropped file 18->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 22:39:53 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
24 of 39 (61.54%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g64qae5swbpp2d7zip5wwmltxsac2xgh5mgsjaa64xbjr4yllm6q._file
Verdict:
malicious
Similar samples:
25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d
RecordBreaker
2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc
RecordBreaker
52fbe26c4b9fd1f8fae6d4840ef6741eb6c8bcd4f137f9139ae49b15d1590b20
RecordBreaker
61944d63af0a88ab927fa3bfb88eadd93435c4a851c2010756819cfaa90acde1
RecordBreaker
75520762f93c99c79ebac6081437b0b1ebf7122b1bcc1942484ea5de8e06a1ea
RecordBreaker
77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8
RecordBreaker
84a04190d479e2cf0fd459258a4fd4fc4a5059f96c355172e2c230f0bd1e863b
RecordBreaker
9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac
RecordBreaker
a162a4a82e21300ea8634e03e4d7f4b186cff8b9c41e2e9c46ca0c72e97aeacb
RecordBreaker
+ 551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/230218-k82sasbb91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d
MD5 hash:
8f0d49001382056bb22d498b0c1e8426
SHA1 hash:
eb76dca9b1b9b927d6b4895f7041c9e8656b91f5
Link:
https://www.unpac.me/results/6020de1d-f10c-4818-95a6-b14afe51fcc5/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37b90013b2b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368059/

Comments