MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8813ce0b52ede911a70ea37ba48f59a79884e4ab484b71c49026c23ee729844. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8813ce0b52ede911a70ea37ba48f59a79884e4ab484b71c49026c23ee729844
SHA3-384 hash: 7717621bee1341cc5e838dec9f25862a88f0bda9d97e8a2500f7e7f63de552b25c357615af404fbd2cd6d7c3e526a8d9
SHA1 hash: 61a7c9dc35245c644766d88e0a1bc6663a944a0d
MD5 hash: 27620dbe86989bb95446764ccd700603
humanhash: fruit-colorado-jupiter-fillet
File name:Setup.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'863'290 bytes
First seen:2023-02-06 15:43:56 UTC
Last seen:2023-02-06 17:29:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 161839a78ef6f07a30d3f07895f6fe23 (27 x RecordBreaker)
ssdeep 196608:x76IqlKDAGDCGyHWjs/hns/CiS0ofeLGK2n3:1qlK/CBHcsmO0Y8GK2n3
Threatray 5 similar samples on MalwareBazaar
TLSH T15A6601123D3C9995DD5088388EAF7EA426B53F07B5C0562261BBBDCFD8B9790A10F721
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon dcf0b2babacac2c0 (1 x RecordBreaker, 1 x LaplasClipper)
Reporter Chainskilabs
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
No threats detected
Analysis date:
2023-02-06 15:44:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9954a1b-5152-449b-b013-968621f36293

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360960/
Detection(s):
SecuriteInfo.com.Variant.Midie.120666.17857.27799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65834/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63e120441c9cbf7d62562686/reports/7d971c37-3ef2-4d80-98df-2d9acdade17f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d8813ce0b52ede911a70ea37ba48f59a79884e4ab484b71c49026c23ee729844
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8ca1a67a-8505-497d-9778-292a927a85e9
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166862
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 799632 Sample: Setup.exe Startdate: 06/02/2023 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Antivirus detection for URL or domain 2->67 69 5 other signatures 2->69 8 Setup.exe 32 2->8         started        13 regid.1991-06.com.microsoftSoftwareDistribution-type6.8.5.8.exe 2->13         started        process3 dnsIp4 45 83.217.11.27, 49701, 80 ATLEX-ASRU Russian Federation 8->45 47 77.73.134.24, 49702, 80 FIBEROPTIXDE Kazakhstan 8->47 49 77.73.134.35 FIBEROPTIXDE Kazakhstan 8->49 31 C:\Users\user\AppData\Roaming\7t8CuCHY.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\Roaming\1Baps9o8.exe, PE32+ 8->33 dropped 35 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->35 dropped 37 6 other files (4 malicious) 8->37 dropped 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->73 75 Tries to harvest and steal browser information (history, passwords, etc) 8->75 77 Tries to evade analysis by execution special instruction (VM detection) 8->77 79 3 other signatures 8->79 15 7t8CuCHY.exe 1 3 8->15         started        19 1Baps9o8.exe 8->19         started        file5 signatures6 process7 dnsIp8 39 regid.1991-06.com....ion-type6.8.5.8.exe, PE32 15->39 dropped 51 Multi AV Scanner detection for dropped file 15->51 53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->53 55 Machine Learning detection for dropped file 15->55 57 Creates autostart registry keys with suspicious names 15->57 22 regid.1991-06.com.microsoftSoftwareDistribution-type6.8.5.8.exe 15->22         started        41 youtube-ui.l.google.com 142.251.209.46 GOOGLEUS United States 19->41 43 www.youtube.com 19->43 59 Antivirus detection for dropped file 19->59 61 Tries to harvest and steal browser information (history, passwords, etc) 19->61 25 cmd.exe 1 19->25         started        file9 signatures10 process11 signatures12 71 Antivirus detection for dropped file 22->71 27 conhost.exe 25->27         started        29 choice.exe 1 25->29         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8813ce0b52ede911a70ea37ba48f59a79884e4ab484b71c49026c23ee729844/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 15:44:09 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3catzyfvf3pjcgtq5i33ushvtj4yqtskwsclohcjajwch3tstbca._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
58591d220d48fbc565054766db000c1d14250a02c160bfe86370877441e5d2da
RecordBreaker
61f1a2d39b49ded2ad9e84f9826a33c20e8f35e11ecc43d3eac4e076d6d33caf
RecordBreaker
90e7c78ca1612b6f6e0f2c25e00e4c73e9df86936a243a03a488a3b155334eea
RecordBreaker
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
RecordBreaker
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230206-s6gy4sef75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
d8813ce0b52ede911a70ea37ba48f59a79884e4ab484b71c49026c23ee729844
MD5 hash:
27620dbe86989bb95446764ccd700603
SHA1 hash:
61a7c9dc35245c644766d88e0a1bc6663a944a0d
Link:
https://www.unpac.me/results/35b6256f-ddf3-4087-b297-6da87c1badc7/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d8813ce0b52e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8813ce0b52ede911a70ea37ba48f59a79884e4ab484b71c49026c23ee729844

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/360960/

Comments