MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d
SHA3-384 hash: 683bbca629f215d77f4e9464cbf7994318405eaf36b2b68b2a1714f198e8933d893f0703db6a70fc4435e862d31226d7
SHA1 hash: cffcd52ebc1dac648c06abf22a73fed5e631d932
MD5 hash: aca042ff3879a53b09a6089012c0dc3c
humanhash: floor-robert-william-sad
File name:LauncherSoft.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:12'301'312 bytes
First seen:2023-03-12 20:24:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32b37a1ff8b4e9d40e4e5c4a048ee542 (2 x RecordBreaker)
ssdeep 196608:W9x9G9JpwtykN94/4KdH3WPdv16lzYrcttP5Kzn/cpCXH2zcgh0YZZoJ8wnVSh7U:WxRtykbuH3+x162r0Pkzn/c4XH2zcU0Q
Threatray 682 similar samples on MalwareBazaar
TLSH T189C62393756500DEE8FA4972743BBCFC30F22E9A978698B4A6F67B401132753861BD07
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon fce48c949c94fc88 (1 x RecordBreaker)
Reporter tcains1
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
US US
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
https://transfer.sh/get/qG91Vk/Launcher.rar
Verdict:
Malicious activity
Analysis date:
2023-03-12 20:15:09 UTC
Tags:
raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/a4d9cd71-6fff-4cbf-aff6-4312545e5bb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373822/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72875/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
50%
Tags:
packed
Link:
https://www.filescan.io/uploads/640e3521d1a098efbc630988/reports/2cec3442-d17b-4b53-a582-532fa7d0ebdc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/11c449f3-6e69-4fe5-a819-5de4f393abfd
Result
Threat name:
Laplas Clipper, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192133
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Laplas Clipper
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 825009 Sample: LauncherSoft.exe Startdate: 12/03/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 7 other signatures 2->55 8 LauncherSoft.exe 27 2->8         started        13 svcservice.exe 15 2->13         started        15 svcservice.exe 14 2->15         started        process3 dnsIp4 45 185.106.92.84, 49702, 80 SUPERSERVERSDATACENTERRU Russian Federation 8->45 47 transfer.sh 144.76.136.153, 443, 49703, 49704 HETZNER-ASDE Germany 8->47 35 C:\Users\user\AppData\Local\...\zfX73v8L.exe, PE32+ 8->35 dropped 37 C:\Users\user\AppData\Local\...\wz0l7uRn.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->39 dropped 41 6 other files (4 malicious) 8->41 dropped 77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->77 79 Tries to harvest and steal browser information (history, passwords, etc) 8->79 81 Tries to detect virtualization through RDTSC time measurements 8->81 83 Tries to steal Crypto Currency Wallets 8->83 17 wz0l7uRn.exe 1 3 8->17         started        21 zfX73v8L.exe 8->21         started        85 Hides threads from debuggers 13->85 file5 signatures6 process7 file8 33 C:\Users\user\AppData\...\svcservice.exe, PE32 17->33 dropped 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->57 59 Machine Learning detection for dropped file 17->59 61 Tries to evade analysis by execution special instruction (VM detection) 17->61 67 2 other signatures 17->67 23 svcservice.exe 16 17->23         started        63 Antivirus detection for dropped file 21->63 65 Tries to harvest and steal browser information (history, passwords, etc) 21->65 27 cmd.exe 1 21->27         started        signatures9 process10 dnsIp11 43 185.106.92.104 SUPERSERVERSDATACENTERRU Russian Federation 23->43 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->69 71 Tries to evade analysis by execution special instruction (VM detection) 23->71 73 Tries to detect virtualization through RDTSC time measurements 23->73 75 Hides threads from debuggers 23->75 29 conhost.exe 27->29         started        31 choice.exe 1 27->31         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2023-03-12 17:00:43 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhbi6asex7vs7zkibdg2ax4avu3krbxr4ldvsydxt3parffjegoq._file
Verdict:
suspicious
Similar samples:
22e2b816a20424bb37abf9cfc22605709173aa4208b9e383fe10266469b2f916
RecordBreaker
25139b1e194865c93db98514375b74971e11a690d53b6030014830d019458313
RecordBreaker
3e38c14c9a27966b7768fa6a61a0bc86b79fdf8f554d232c26d0a13cd8dcdc36
RecordBreaker
67dd0268cb9b122574629662f97f6d56ffca8e7d478f38be141ac02131708730
RecordBreaker
89e18340e51790ee07e1c6845a93f737ef6be8470e5a1158aef24539658eb235
RecordBreaker
9f6b69057e19a7fd08aab0b2df861a65337207dcfac2d6fbd0d1c0a2b75670e7
RecordBreaker
c3ac86b3dfaed540a466f230e12c3f12c56e10755b6d5d195001ca5523d80fa4
RecordBreaker
e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928
RecordBreaker
e8d4fa5f9b4c34193286dae2a80c38cfe75e57942c9454ee9ca898017eab1d7b
RecordBreaker
f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6e8dce38df9ea1f6fe5
RecordBreaker
+ 672 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230312-y698jshd4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
9c2c8fb4f49552dce59ece44778d28d26426f5ed253ba85ff28b0537ecd141bb
MD5 hash:
f51a03f7608c739324a9d36dc239e6db
SHA1 hash:
5761f16d6e21a44864c631ab3975c7d8708c5aff
Link:
https://www.unpac.me/results/de741eb9-dd69-4ed4-9fde-838111afc81c/
SH256 hash:
39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d
MD5 hash:
aca042ff3879a53b09a6089012c0dc3c
SHA1 hash:
cffcd52ebc1dac648c06abf22a73fed5e631d932
Link:
https://www.unpac.me/results/de741eb9-dd69-4ed4-9fde-838111afc81c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/373822/

Comments