MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77546e4fdc3323633d7ab065dd65e48869799e715015d760424fa43af1c4b3c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77546e4fdc3323633d7ab065dd65e48869799e715015d760424fa43af1c4b3c4
SHA3-384 hash: 5d3f53470cbc23618cc096162ad846bdb31b0407a10c99ba5374761c37de4b5e62459bd04aed49c91453fb4310517916
SHA1 hash: fb623827ee564139a374a9153934a5a5a7f85b72
MD5 hash: 736a8adcae73352be7b0d86c5f21518b
humanhash: pasta-fish-august-speaker
File name:SetupFile.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:585'728 bytes
First seen:2022-12-09 08:33:19 UTC
Last seen:2022-12-09 10:30:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep 1536:srae78zjORCDGwfdCSog01313AFs5gUnujkqkSZZZ3gdtib0tIQA5J:0ahKyd2n31wS5HnujSUlbBQ8J
TLSH T1B9C4E1C53790D063EC570A314E93839A9769FCE1AE71319B2360F36E0B7AAC36E65705
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f86eeae6b696c6cc (6 x AgentTesla, 3 x LummaStealer, 3 x Floxif)
Reporter abuse_ch
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344637/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1722.16523.19698.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6392f2fc75655a0108ea8b3b/reports/04341996-4b06-441f-9b0a-77093242292b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d707b87a-32c6-484d-8f58-cfe855acf6df
Result
Threat name:
Laplas Clipper, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131286
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Laplas Clipper
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764010 Sample: SetupFile.exe Startdate: 09/12/2022 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Antivirus detection for URL or domain 2->78 80 4 other signatures 2->80 10 SetupFile.exe 1 3 2->10         started        13 HkPdmQZFLe.exe 1 2->13         started        17 rundll32.exe 2->17         started        process3 dnsIp4 58 C:\Users\user\AppData\Local\...\MEMBER~2.EXE, PE32 10->58 dropped 19 MEMBER~2.EXE 15 4 10->19         started        66 185.223.93.251, 49717, 80 HOSTING-SOLUTIONSUS Netherlands 13->66 96 Antivirus detection for dropped file 13->96 file5 signatures6 process7 dnsIp8 60 geovanisantos.adv.br 191.6.209.179, 49704, 80 IPV6InternetLtdaBR Brazil 19->60 82 Antivirus detection for dropped file 19->82 84 Multi AV Scanner detection for dropped file 19->84 86 Encrypted powershell cmdline option found 19->86 23 MEMBER~2.EXE 26 19->23         started        28 cmd.exe 1 19->28         started        30 powershell.exe 16 19->30         started        signatures9 process10 dnsIp11 62 45.15.156.120, 49711, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 23->62 64 104.193.254.97, 49712, 80 HOSTING-SOLUTIONSUS United States 23->64 50 C:\Users\user\AppData\Local\...\le4mKlEt.exe, PE32 23->50 dropped 52 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 23->52 dropped 54 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 23->54 dropped 56 5 other files (3 malicious) 23->56 dropped 88 Tries to harvest and steal browser information (history, passwords, etc) 23->88 90 Tries to steal Crypto Currency Wallets 23->90 32 le4mKlEt.exe 2 23->32         started        92 Encrypted powershell cmdline option found 28->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 28->94 36 powershell.exe 21 28->36         started        38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        file12 signatures13 process14 file15 48 C:\Users\user\AppData\...\HkPdmQZFLe.exe, PE32 32->48 dropped 68 Antivirus detection for dropped file 32->68 70 Multi AV Scanner detection for dropped file 32->70 72 Machine Learning detection for dropped file 32->72 42 cmd.exe 1 32->42         started        signatures16 process17 process18 44 conhost.exe 42->44         started        46 schtasks.exe 1 42->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77546e4fdc3323633d7ab065dd65e48869799e715015d760424fa43af1c4b3c4/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 09:09:59 UTC
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5kg4t64gmrwgpl2wbs52zperbuxthtrkak5oyccj6sdv4oewpca._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:466df8a9db048e45613253ae1b68b0ea discovery persistence spyware stealer
Link:
https://tria.ge/reports/221209-kgetfsff31/
Behaviour
Creates scheduled task(s)
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Malware Config
C2 Extraction:
http://45.15.156.120/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/675abc65-e7f9-4c60-af8e-041a88be8c7e
Unpacked files
SH256 hash:
77546e4fdc3323633d7ab065dd65e48869799e715015d760424fa43af1c4b3c4
MD5 hash:
736a8adcae73352be7b0d86c5f21518b
SHA1 hash:
fb623827ee564139a374a9153934a5a5a7f85b72
Link:
https://www.unpac.me/results/15a0a281-e2e5-4c46-8eaa-51101922ec6c/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77546e4fdc33/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77546e4fdc3323633d7ab065dd65e48869799e715015d760424fa43af1c4b3c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/344637/

Comments