MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8
SHA3-384 hash: f2dfc9eebd492e5aeb101e2c55bf9220ec098230b4ea8459339b7207c1dd9688f1eab220fe1cb77c1e31d4a7f2be3862
SHA1 hash: 7b8f5bdd3620cd456679260ca71bcb89ba055924
MD5 hash: bce3160afb422785db0529c5066fd91c
humanhash: december-nebraska-nitrogen-fruit
File name:Cookie.exe
Download: download sample
File size:4'467'712 bytes
First seen:2022-11-08 00:17:34 UTC
Last seen:2022-11-08 01:57:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep 98304:Kxk1h+NMsIF53esAEefq530936EXYyXq7yOf1Y7FVR:c6h+NMsIX37AEefq509IyXDOdUFf
Threatray 141 similar samples on MalwareBazaar
TLSH T17426334E21977A72C04FB27AB2917C1CEF215E3F146E7A6C7B6CABF0895789242147D0
TrID 56.1% (.EXE) UPX compressed Win64 Executable (70117/5/12)
21.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter tcains1
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
US US
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 03:58:28 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/7bf7009e-f7e8-4466-be90-1c607212678d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330295/
Detection(s):
SecuriteInfo.com.Trojan.Generic.32072492.5027.24214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6369a03c4965a861c71fb218/reports/9de7f745-99b6-4a48-975a-4831017f262f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d3d7dddd-d4b2-4d08-beec-7ed7c435d8d0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1107840
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 740504 Sample: Cookie.exe Startdate: 08/11/2022 Architecture: WINDOWS Score: 68 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 7 Cookie.exe 2->7         started        process3 signatures4 27 Tries to harvest and steal browser information (history, passwords, etc) 7->27 10 powershell.exe 11 7->10         started        13 powershell.exe 11 7->13         started        15 powershell.exe 11 7->15         started        process5 signatures6 29 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->29 31 Queries memory information (via WMI often done to detect virtual machines) 10->31 17 conhost.exe 10->17         started        19 conhost.exe 13->19         started        21 conhost.exe 15->21         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8/
Threat name:
Win64.Infostealer.Goback
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 07:15:24 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7wwha4uau76j7xrjbxylowcii7tskq7lzjd7ho7h5o6ykeyndma._file
Verdict:
malicious
Similar samples:
01c783217c63735fbd5ceca453426e30bcf34b548b8d0bd4e0390b0c1b3c3ffa
25bb1b8e163acf68f060f21c668cf4acb7541e46947af13f11b0581cea7cbf2d
2e557bd01d811580bda017fd1d1070d56d722e7d261474f2b404410f55ec1abc
35ba668de0b81553c08865fa08b6d1dba20d36b7d284edf25d5f1b60f42f034b
46925967d26cb4373de322bde604948b21a6100822d52b003c82eb88f42668e6
52fbe26c4b9fd1f8fae6d4840ef6741eb6c8bcd4f137f9139ae49b15d1590b20
5d624f8e7057338458913360aa8187f73df438184232eca592e12b37d0b2781a
75520762f93c99c79ebac6081437b0b1ebf7122b1bcc1942484ea5de8e06a1ea
7ec738bfdf48fd3a07f87eee1bf8f17a4d790b97263e9655106369c642bff090
ff3ae8fff0d1862d4bde8f61e0ed14ef76d6d2cc6d940bb83dc0b4cfdacc2752
+ 131 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer upx
Link:
https://tria.ge/reports/221108-all38agcg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/05e455ec-16b6-4b5e-a5bb-38cb1ffee228
Unpacked files
SH256 hash:
dd0846ebb4daa3357851daf7e0f3831d2866896a02205cdba19674fe7cf7d8c3
MD5 hash:
62b76302a3d3ac7eb6029cf8171318e4
SHA1 hash:
1ce898d4acd33778af52a561ff9bbecaf40f87e2
Link:
https://www.unpac.me/results/92fecb07-23f0-4982-b89d-3d123de41aa2/
SH256 hash:
77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8
MD5 hash:
bce3160afb422785db0529c5066fd91c
SHA1 hash:
7b8f5bdd3620cd456679260ca71bcb89ba055924
Link:
https://www.unpac.me/results/92fecb07-23f0-4982-b89d-3d123de41aa2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a

Executable exe 77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8

(this sample)

  
Dropped by
SHA256 ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/330295/
  
URLhaus
https://urlhaus.abuse.ch/url/2403961/
  
Dropped by
MD5 2026a87d0beef3bbd06120e8f789e7b9

Comments