MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 12



SHA256 hash: 43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c
SHA3-384 hash: 5cda09bcee97ec508b8fad1c0833b420dc0144feaee6f28a21945b1fdbfc3fff95b8e9da3db6794899ec7b915e787191
SHA1 hash: b20b386d490de019c1c545ed6b559bec6d26fb20
MD5 hash: b5244af94b52a188ce9b656496cfd4e9
humanhash: georgia-golf-river-artist
File name: Setup.exe
Signature: RecordBreaker
File size: 6'617'600 bytes
First seen: 2022-08-29 21:09:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 8f1a9288bae20d24c92d3d27d642d92e (14 x RecordBreaker)
ssdeep 196608:mTpT8xO0fG5I8DOeo/thaqgBy85X2xuA:mUO0fG+eoVh4ykmT
Threatray 278 similar samples on MalwareBazaar
TLSH T1C26623EF2B9411FDD2C5CD398537FD65B2F00B6F4A9288708DEE298227225E9E607543
TrID 34.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
29.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.5% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: c9ccfbfbd3938b14 (1 x RecordBreaker)
Reporter: r3dbU7z
Tags: exe recordbreaker

Intelligence


File Origin
# of uploads: 1
# of downloads: 377
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Setup.exe
Verdict: No threats detected
Analysis date: 2022-08-29 21:11:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Clipboard Hijacker, MinerDownloader, Pri
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Generic MinerDownloader
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected YTStealer
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 692667, Sample: Setup.exe, Startdate: 29/08/2022, Architecture: WINDOWS, Score: 100
Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2022-08-29 21:10:18 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 19 of 26 (73.08%)
Threat level: 1/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:4d169f192247ee46f9b3369d26d270d2 stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Raccoon
Malware Config
C2 Extraction: http://185.225.19.190/

Unpacked files
SHA256 hash: 16245ab4bec04a6f147b96f08a43a8fd008e3c3c10f98a683b9e916e47c5aaa0
MD5 hash: 39afc6295990b778a7a4942f0fb328d4
SHA1 hash: d2f0a5daba36ba66fd6bf9a591221dc890d6d074
Detections: raccoonstealer

SHA256 hash: 43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c
MD5 hash: b5244af94b52a188ce9b656496cfd4e9
SHA1 hash: b20b386d490de019c1c545ed6b559bec6d26fb20
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c (this sample)

Delivery method: Distributed via web download
