MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d034c82de08e2aabe9f27089610a46d42fa741cfcaedec06a016810c660b402c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d034c82de08e2aabe9f27089610a46d42fa741cfcaedec06a016810c660b402c
SHA3-384 hash: 7d1c0860c78f5e94b2ba1414e0499eda317664481209f32a356e269a461d9442a36550a3966985c984406878faa6620d
SHA1 hash: 892671ee0891a557f69d37a950e179fecb3c05ab
MD5 hash: 1aa4f37c461ca22fa518c032e67739df
humanhash: video-bulldog-snake-edward
File name:Setup.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'954'937 bytes
First seen:2023-02-21 03:24:23 UTC
Last seen:2023-02-21 04:30:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 161839a78ef6f07a30d3f07895f6fe23 (27 x RecordBreaker)
ssdeep 196608:wy0w8mRdALuABSnzSdUbiEQt9nSXMojADLgO+xKl:yEMudzHOEQt0jsgOaKl
Threatray 29 similar samples on MalwareBazaar
TLSH T1BA6623632137514EE0F6853D402B7DA571F63F520EC2987CB4EABED924728F5A307A92
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 34e4ccfcecf8e86c (4 x RecordBreaker, 1 x CryptBot)
Reporter Chainskilabs
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
No threats detected
Analysis date:
2023-02-21 03:25:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a7d9988-8372-4bbe-96cc-a7345c4703d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/368541/
Detection(s):
SecuriteInfo.com.Variant.Lazy.252736.3447.26312.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Stealing user critical data
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71899/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63f4398f5741abdfaa9d6717/reports/6e03d774-8fcd-4b9a-bdaa-f8d3b3e741e0/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/d034c82de08e2aabe9f27089610a46d42fa741cfcaedec06a016810c660b402c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b3204d37-293d-4351-bfd1-2712de984e3f
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1179536
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 812362 Sample: Setup.exe Startdate: 21/02/2023 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 59 6 other signatures 2->59 7 Setup.exe 34 2->7         started        12 USOSharedDesktop-tupe7.3.2.9.exe 2->12         started        14 USOSharedDesktop-tupe7.3.2.9.exe 2->14         started        process3 dnsIp4 35 83.217.11.34, 49692, 80 ATLEX-ASRU Russian Federation 7->35 37 77.73.134.24, 49695, 80 FIBEROPTIXDE Kazakhstan 7->37 39 77.73.134.35 FIBEROPTIXDE Kazakhstan 7->39 27 C:\Users\user\AppData\Roaming\heSip4wO.exe, PE32+ 7->27 dropped 29 C:\Users\user\AppData\Local\...\e3fq9u9k.exe, PE32+ 7->29 dropped 31 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->31 dropped 33 6 other files (4 malicious) 7->33 dropped 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->65 67 Tries to harvest and steal browser information (history, passwords, etc) 7->67 69 Tries to evade analysis by execution special instruction (VM detection) 7->69 71 3 other signatures 7->71 16 heSip4wO.exe 1 3 7->16         started        20 e3fq9u9k.exe 7->20         started        file5 signatures6 process7 file8 25 C:\...\USOSharedDesktop-tupe7.3.2.9.exe, PE32+ 16->25 dropped 41 Multi AV Scanner detection for dropped file 16->41 43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->43 45 Machine Learning detection for dropped file 16->45 47 Creates autostart registry keys with suspicious names 16->47 22 USOSharedDesktop-tupe7.3.2.9.exe 16->22         started        49 Antivirus detection for dropped file 20->49 51 Tries to harvest and steal browser information (history, passwords, etc) 20->51 signatures9 process10 signatures11 61 Antivirus detection for dropped file 22->61 63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d034c82de08e2aabe9f27089610a46d42fa741cfcaedec06a016810c660b402c/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 03:25:08 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2a2mqlparyvkx2psocewccsg2qx2oqopzlw6ybvac2aqyzqliawa._file
Verdict:
malicious
Similar samples:
0e9897fd86ef718d4ff9e73768ce3e660743a5485a7d9c216b7eebc8d908f221
RecordBreaker
1ef0fe49cef266707c54468ea0113c06965f021ca19db32035d80007b6517c2b
RecordBreaker
37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d
RecordBreaker
5280df289219b64295e97b3b94e61b34e93a2fa9796067a447b7695499711e97
RecordBreaker
90e7c78ca1612b6f6e0f2c25e00e4c73e9df86936a243a03a488a3b155334eea
RecordBreaker
9232426390d42ce8e9949e77d00fc3c4359c08eec7b6af0d190d9027f8f210ac
RecordBreaker
b7e70119bad5c9fcd84035b4b9064911f45f0e95a2ec4a84b0ee10105d541055
RecordBreaker
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
RecordBreaker
+ 19 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:e8079d22e46847399691305c53f6386c discovery persistence spyware stealer
Link:
https://tria.ge/reports/230221-dylvrsfc8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://83.217.11.34
http://83.217.11.35
Unpacked files
SH256 hash:
d034c82de08e2aabe9f27089610a46d42fa741cfcaedec06a016810c660b402c
MD5 hash:
1aa4f37c461ca22fa518c032e67739df
SHA1 hash:
892671ee0891a557f69d37a950e179fecb3c05ab
Link:
https://www.unpac.me/results/6815dbbc-2034-43f2-aa92-d90d68704dfb/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d034c82de08e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d034c82de08e2aabe9f27089610a46d42fa741cfcaedec06a016810c660b402c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/368541/

Comments