MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac
SHA3-384 hash: 4ff0371312935c201d9d728727bf946d1d4136b1dd0dfa39be55cb923843e8e3a1f9e45659e5ee3323eb28cef3bfa1a0
SHA1 hash: 299e2d4a41793e8e1e7655edc88c16d5d5120e9b
MD5 hash: 2a911faf7c27a263491326402a8ff3fd
humanhash: alabama-four-nineteen-beryllium
File name:Setup.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:7'322'042 bytes
First seen:2023-02-16 16:09:04 UTC
Last seen:2023-02-16 17:30:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 161839a78ef6f07a30d3f07895f6fe23 (27 x RecordBreaker)
ssdeep 196608:hJwaVL4x+Zr1By4jOrscVh6qpmMgkFbO8E9:QaVLACrvTOoiEqpmMxbk
Threatray 14 similar samples on MalwareBazaar
TLSH T10B76237623A0109BE3D68C31421F7EE662B53FDB36C1EC3816857DC125325D0AA6DAB7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8c4b2367ce9ccf0 (2 x RecordBreaker)
Reporter Chainskilabs
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
No threats detected
Analysis date:
2023-02-16 16:09:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb74fd7b-05bf-43c5-a0e7-dcc4fbe97e32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/367301/
Detection(s):
SecuriteInfo.com.Variant.Lazy.294002.2994.29957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/70937/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed raccoon
Link:
https://www.filescan.io/uploads/63ee555b87510c38b73501a2/reports/e7e8b589-b6c2-4fd6-a681-e2b7fbc892c0/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5dd918dd-d1e6-4b78-a42b-6bcbe6d232fc
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1177229
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 810054 Sample: Setup.exe Startdate: 16/02/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Antivirus detection for URL or domain 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 8 Setup.exe 34 2->8         started        process3 dnsIp4 33 83.217.11.27, 49715, 80 ATLEX-ASRU Russian Federation 8->33 35 77.73.134.24, 49716, 80 FIBEROPTIXDE Kazakhstan 8->35 37 77.73.134.35, 49717, 80 FIBEROPTIXDE Kazakhstan 8->37 25 C:\Users\user\AppData\Roaming\yYv7th6a.exe, PE32 8->25 dropped 27 C:\Users\user\AppData\Roaming\VDKhSti5.exe, PE32+ 8->27 dropped 29 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->29 dropped 31 6 other files (4 malicious) 8->31 dropped 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->51 53 Tries to harvest and steal browser information (history, passwords, etc) 8->53 55 Tries to evade analysis by execution special instruction (VM detection) 8->55 57 3 other signatures 8->57 13 VDKhSti5.exe 8->13         started        17 yYv7th6a.exe 2 8->17         started        file5 signatures6 process7 dnsIp8 39 youtube-ui.l.google.com 172.217.168.14 GOOGLEUS United States 13->39 41 www.youtube.com 13->41 59 Antivirus detection for dropped file 13->59 61 Tries to harvest and steal browser information (history, passwords, etc) 13->61 19 cmd.exe 1 13->19         started        63 Machine Learning detection for dropped file 17->63 signatures9 process10 process11 21 conhost.exe 19->21         started        23 choice.exe 1 19->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-02-16 16:10:09 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
20 of 25 (80.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sizeey4q2qwor2mutz35ad6dyq2zychoy63k6dizbwicp6hsccwa._file
Verdict:
malicious
Similar samples:
505d85e3f2cc036bd585825a9bf3fd03a90a849d76dc29e842a1b3725d0b86ce
RecordBreaker
61f1a2d39b49ded2ad9e84f9826a33c20e8f35e11ecc43d3eac4e076d6d33caf
RecordBreaker
6f8f904598a1dd49277595855a35602aeecc1ce6471dcc949def88f27199388e
RecordBreaker
788477c79faa2ed3b28f7232f1114b94d513dd643f4d0bcc0441d77a1eab4058
RecordBreaker
90e7c78ca1612b6f6e0f2c25e00e4c73e9df86936a243a03a488a3b155334eea
RecordBreaker
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
RecordBreaker
d8813ce0b52ede911a70ea37ba48f59a79884e4ab484b71c49026c23ee729844
RecordBreaker
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230216-tmceysab3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac
MD5 hash:
2a911faf7c27a263491326402a8ff3fd
SHA1 hash:
299e2d4a41793e8e1e7655edc88c16d5d5120e9b
Link:
https://www.unpac.me/results/a7f62e1c-f894-48c4-8bcf-64eef041c79f/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9232426390d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/367301/

Comments