File name: 160a37cda657d7f373478df74cf5d316.exe

Full analysis: https://app.any.run/tasks/dc5db9e0-f92a-4711-963c-371831a0cf1e
Verdict: Malicious activity
Threats:

Raccoon is an information stealer sold as malware-as-a-service: a subscription costs $200 per month. Raccoon has infected over 100,000 devices and was one of the most frequently mentioned malware families on underground forums in 2019.

Analysis date: December 05, 2022, 17:46:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
raccoon
recordbreaker
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 160A37CDA657D7F373478DF74CF5D316
SHA1: 4A5EBCFAFA481F3F87874A63CF5865A213917274
SHA256: 0717C266EAE6BC114948C106E886C2CB8A488AAA28EABB9C2DFC9CAF27AC911D
SSDEEP: 6144:geE0WCLnQX46PiAdNF5mi21ojc5dVX3kENvGGGGGGGGHGGGGGGGGGGGGGGGGGGGM:ggWCLQIClF5m53VX3pNgp1aUK

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Connects to the CnC server

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • RACCOON was detected

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Loads dropped or rewritten executable

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
  • SUSPICIOUS

    • Application launched itself

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 2724)
    • Detected use of alternative data streams (AltDS)

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 2724)
    • Reads the Internet Settings

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
      • 160a37cda657d7f373478df74cf5d316.exe (PID: 2724)
    • Reads settings of System Certificates

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 2724)
    • Searches for installed software

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Process drops Mozilla's DLL files

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Process drops SQLite DLL files

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Connects to the server without a host name

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Process requests binary or script from the Internet

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Process checks DPAPI master keys

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Reads browser cookies

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Starts application from unusual location

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
  • INFO

    • Reads the computer name

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 2724)
      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Reads Environment values

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 2724)
      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Checks proxy server information

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Checks supported languages

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
      • 160a37cda657d7f373478df74cf5d316.exe (PID: 2724)
    • Process looks inside Credentials folder

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Reads product name

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
    • Drops a file that was compiled in debug mode

      • 160a37cda657d7f373478df74cf5d316.exe (PID: 3992)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1975-Jan-23 07:43:36 (predates the PE format itself, so it is not a real build time: the field is either forged or holds the content hash that deterministic .NET builds store in place of a date)
Detected languages:
  • English - United States
CompanyName: Tim Kosse
FileDescription: FileZilla FTP Client
FileVersion: 3.62.0
LegalCopyright: Tim Kosse
OriginalFilename: FileZilla_3.62.0_win32-setup.exe
ProductName: FileZilla
ProductVersion: 3.62.0

Note: the version resource mimics the FileZilla 3.62.0 installer, but the file is a .NET assembly whose only import is mscoree.dll (see File info and Imports), not an installer package. Version metadata is attacker-controlled and should not be used for allowlisting.

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 1975-Jan-23 07:43:36
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy    Characteristics
.text   8192             320500        320512    7.35705    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   335872           111873        112128    5.79375    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  450560           12            512       0.0815394  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
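The header and section numbers above (e_lfanew, TimeDateStamp, per-section entropy) come from walking the DOS header, COFF header and section table. The following is an added example, not ANY.RUN code: it constructs a small PE32 image with this report's header layout (e_lfanew 128, 224-byte optional header, three sections with the same names, addresses and flags, the 1975 timestamp) but scaled-down, synthetic section contents, parses it back, and applies the two static checks an analyst would run on these numbers: is the build timestamp plausible, and does any executable section have packed-looking entropy. The thresholds (1993 as the earliest credible PE date, 7.0 bits per byte) are common rules of thumb, not ANY.RUN's.

```python
"""Minimal PE parser plus static triage. Added example, not ANY.RUN code; the
image parsed here is constructed in build_sample_pe(), not the analysed file."""
import calendar
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
FILE_ALIGNMENT = 512
OPTIONAL_HEADER_SIZE = 224  # PE32, as in the report's SizeOfOptionalHeader


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def filler(size: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def _round_up(n: int) -> int:
    return -(-n // FILE_ALIGNMENT) * FILE_ALIGNMENT


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Constructed PE32: 128-byte DOS header (e_lfanew=128), 'PE\\0\\0', COFF header,
    mostly-zero optional header, section table, raw data. sections: (name, va, data, flags)."""
    sections = list(sections)
    dos = bytearray(128)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 128)  # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), timestamp, 0, 0,
                       OPTIONAL_HEADER_SIZE, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    optional = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    headers_len = len(dos) + 4 + len(coff) + len(optional) + 40 * len(sections)
    raw_ptr = _round_up(headers_len)
    table, blobs = bytearray(), bytearray()
    for name, va, data, flags in sections:
        raw_size = _round_up(len(data))
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    image = (dos + b"PE\0\0" + coff + optional + table).ljust(_round_up(headers_len), b"\0")
    return bytes(image + blobs)


def parse_pe(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table: the fields the
    report's DOS Header / PE Headers / Sections blocks list."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
                         "characteristics": flags,
                         "entropy": shannon_entropy(image[rptr:rptr + rsize])})
    return {"e_lfanew": e_lfanew, "machine": machine, "timestamp": stamp,
            "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": chars, "sections": sections}


def triage(parsed: dict, analysis_time: datetime) -> list:
    findings = []
    built = datetime.fromtimestamp(parsed["timestamp"], tz=timezone.utc)
    # PE dates from 1993; an earlier stamp, or one after the analysis time, is forged
    # or the content hash that deterministic .NET builds write into this field.
    if built.year < 1993 or built > analysis_time:
        findings.append(f"implausible build timestamp {parsed['timestamp_utc']}")
    for s in parsed["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            findings.append(f"{s['name']} entropy {s['entropy']:.2f}: executable section looks packed or encrypted")
    return findings


# Constructed sample: the report's timestamp, analysis time and section layout, contents synthetic.
REPORT_TIMESTAMP = calendar.timegm((1975, 1, 23, 7, 43, 36, 0, 0, 0))
ANALYSIS_TIME = datetime(2022, 12, 5, 17, 46, 14, tzinfo=timezone.utc)
SAMPLE_IMAGE = build_sample_pe(REPORT_TIMESTAMP, [
    (".text", 0x2000, filler(65524, b".text"), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", 0x52000, b"ICON" * 1024 + filler(2048, b".rsrc"), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".reloc", 0x6E000, struct.pack("<III", 0x2000, 12, 0),
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
])


def analyse(image: bytes = SAMPLE_IMAGE, when: datetime = ANALYSIS_TIME):
    parsed = parse_pe(image)
    return parsed, triage(parsed, when)


if __name__ == "__main__":
    parsed, findings = analyse()
    print(parsed["timestamp_utc"], hex(parsed["machine"]), hex(parsed["characteristics"]))
    for s in parsed["sections"]:
        print(f"{s['name']:<7} va={s['virtual_address']:<7} vsize={s['virtual_size']:<7} "
              f"raw={s['raw_size']:<7} entropy={s['entropy']:.4f}")
    for f in findings:
        print("FINDING:", f)
```

The .reloc section reproduces the report's shape (12 virtual bytes padded to a 512-byte raw block), which is why its entropy is close to zero, while the synthetic .text fills with SHA-256 output and trips the packed-code check the same way the real 7.357-bit .text does. On a real file, replace SAMPLE_IMAGE with the file's bytes; the parser reads only the headers and section table, so it works on any PE32 image.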

Resources

Title  Entropy  Size   Codepage  Language                 Type
1      2.16096  20     UNKNOWN   UNKNOWN                  RT_GROUP_ICON
50     2.91531  1384   UNKNOWN   UNKNOWN                  RT_ICON
51     4.66044  2216   UNKNOWN   UNKNOWN                  RT_ICON
52     5.16834  3752   UNKNOWN   UNKNOWN                  RT_ICON
53     3.69314  9640   UNKNOWN   UNKNOWN                  RT_ICON
54     7.97032  18525  UNKNOWN   UNKNOWN                  RT_ICON
55     5.08627  67624  UNKNOWN   UNKNOWN                  RT_ICON
102    2.71813  180    UNKNOWN   English - United States  RT_DIALOG
103    2.56193  288    UNKNOWN   English - United States  RT_DIALOG
104    2.70411  344    UNKNOWN   English - United States  RT_DIALOG

Imports

mscoree.dll
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> 160a37cda657d7f373478df74cf5d316.exe (PID 2724) -> 160a37cda657d7f373478df74cf5d316.exe (PID 3992) #RACCOON

Process information

PID 2724
  CMD: "C:\Users\admin\AppData\Local\Temp\160a37cda657d7f373478df74cf5d316.exe"
  Path: C:\Users\admin\AppData\Local\Temp\160a37cda657d7f373478df74cf5d316.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Tim Kosse
  Integrity Level: MEDIUM
  Description: FileZilla FTP Client
  Exit code: 0
  Version: 3.62.0
  Modules (images):
    c:\users\admin\appdata\local\temp\160a37cda657d7f373478df74cf5d316.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3992
  CMD: "C:\Users\admin\AppData\Local\Temp\160a37cda657d7f373478df74cf5d316.exe"
  Path: C:\Users\admin\AppData\Local\Temp\160a37cda657d7f373478df74cf5d316.exe
  Parent process: 160a37cda657d7f373478df74cf5d316.exe (PID 2724)
  User: admin
  Company: Tim Kosse
  Integrity Level: MEDIUM
  Description: FileZilla FTP Client
  Exit code: 0
  Version: 3.62.0
  Modules (images):
    c:\users\admin\appdata\local\temp\160a37cda657d7f373478df74cf5d316.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
Total events: 4 528
Read events: 4 482
Write events: 46
Delete events: 0

Modification events

All writes below were made by PID 2724, 160a37cda657d7f373478df74cf5d316.exe. Keys under HKLM\SOFTWARE\Microsoft\Tracing are created by the RAS/WinINet tracing initialisation the first time a process uses those APIs; they are a side effect of the network activity, not a persistence mechanism.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\160a37cda657d7f373478df74cf5d316_RASAPI32
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown)
  ConsoleTracingMask = (value not shown)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\160a37cda657d7f373478df74cf5d316_RASMANCS
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown)
  ConsoleTracingMask = (value not shown)
Executable files: 7
Suspicious files: 1
Text files: 3
Unknown types: 6

Dropped files

All files below were written by PID 3992, 160a37cda657d7f373478df74cf5d316.exe, into C:\Users\admin\AppData\LocalLow. The six DLLs are the ones fetched over HTTP from 74.119.195.225 (see HTTP requests); the extension-less sqlite files carry random 12-character names, and two of them (O1JeYoSNJe3O and uQr038R794J9) have identical hashes.

C:\Users\admin\AppData\LocalLow\vcruntime140.dll (executable)
  MD5: 1B171F9A428C44ACF85F89989007C328
  SHA256: 9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
C:\Users\admin\AppData\LocalLow\nss3.dll (executable)
  MD5: F67D08E8C02574CBC2F1122C53BFB976
  SHA256: C65B7AFB05EE2B2687E6280594019068C3D3829182DFE8604CE4ADF2116CC46E
C:\Users\admin\AppData\LocalLow\msvcp140.dll (executable)
  MD5: 1FB93933FD087215A3C7B0800E6BB703
  SHA256: 2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01
C:\Users\admin\AppData\LocalLow\0KAl5XmfTELb (sqlite)
  MD5: B8E63E7225C9F4E0A81371F29D6456D8
  SHA256: 35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8
C:\Users\admin\AppData\LocalLow\freebl3.dll (executable)
  MD5: 15B61E4A910C172B25FB7D8CCB92F754
  SHA256: B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
C:\Users\admin\AppData\LocalLow\O1JeYoSNJe3O (sqlite)
  MD5: D02907BE1C995E1E51571EEDB82FA281
  SHA256: 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
C:\Users\admin\AppData\LocalLow\uQr038R794J9 (sqlite)
  MD5: D02907BE1C995E1E51571EEDB82FA281
  SHA256: 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
C:\Users\admin\AppData\LocalLow\softokn3.dll (executable)
  MD5: 63A1FE06BE877497C4C2017CA0303537
  SHA256: 44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0
C:\Users\admin\AppData\LocalLow\Dx2fAqmUa26i (sqlite)
  MD5: CC104C4E4E904C3AD7AD5C45FBFA7087
  SHA256: 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
C:\Users\admin\AppData\LocalLow\mozglue.dll (executable)
  MD5: F07D9977430E762B563EAADC2B94BBFA
  SHA256: 4191FAF7E5EB105A0F4C5C6ED3E9E9C71014E8AA39BBEE313BC92D1411E9E862
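The behaviour summarised in the signature tree (Application launched itself, Process drops Mozilla's DLL files, Process drops SQLite DLL files) and in the dropped-files list above is what an endpoint detection would key on: a process whose parent is a copy of itself, which then writes the NSS/SQLite support library set and extension-less scratch files into AppData\LocalLow. The following is an added example, not ANY.RUN code: it correlates constructed Sysmon-style events (EventID 1 ProcessCreate, EventID 11 FileCreate; field names follow Sysmon's schema, the PIDs and paths follow this report) and reports a reason list per PID. The benign rows (a Firefox installer writing nss3.dll to Program Files, cmd.exe started from Explorer) are invented to show what the rules ignore.

```python
"""Endpoint-telemetry correlation for self-launch plus support-DLL staging in
AppData\\LocalLow. Added example over constructed Sysmon-style events; not ANY.RUN code."""
import ntpath
from collections import defaultdict

# Libraries a stealer needs to read Firefox (NSS) and Chromium (SQLite) credential stores.
SUPPORT_DLLS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll",
                "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}
SAMPLE = r"C:\Users\admin\AppData\Local\Temp\160a37cda657d7f373478df74cf5d316.exe"
LOCALLOW = r"C:\Users\admin\AppData\LocalLow"

EVENTS = [  # constructed; PIDs, image and file names mirror this report, the last two rows are benign
    {"EventID": 1, "ProcessId": 2724, "Image": SAMPLE,
     "ParentProcessId": 1420, "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"EventID": 1, "ProcessId": 3992, "Image": SAMPLE,
     "ParentProcessId": 2724, "ParentImage": SAMPLE},
    *({"EventID": 11, "ProcessId": 3992, "Image": SAMPLE, "TargetFilename": ntpath.join(LOCALLOW, n)}
      for n in ("vcruntime140.dll", "nss3.dll", "msvcp140.dll", "freebl3.dll",
                "softokn3.dll", "mozglue.dll", "0KAl5XmfTELb", "O1JeYoSNJe3O")),
    {"EventID": 11, "ProcessId": 5100, "Image": r"C:\Users\admin\Downloads\Firefox Setup.exe",
     "TargetFilename": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 1420, "ParentImage": r"C:\Windows\Explorer.EXE"},
]


def correlate(events):
    """Per-PID facts: self-launch (parent image equals own image), support DLLs and
    extension-less scratch files written under AppData\\LocalLow."""
    pids = defaultdict(lambda: {"image": None, "parent": None, "self_launch": False,
                                "locallow_dlls": set(), "scratch_files": 0})
    for ev in events:
        p = pids[ev["ProcessId"]]
        p["image"] = ev["Image"]
        if ev["EventID"] == 1:
            p["parent"] = ev["ParentProcessId"]
            p["self_launch"] = ev["ParentImage"].lower() == ev["Image"].lower()
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if "\\appdata\\locallow\\" not in target.lower():
                continue  # normal install locations are out of scope for this rule
            base = ntpath.basename(target).lower()
            if base in SUPPORT_DLLS:
                p["locallow_dlls"].add(base)
            elif "." not in base:
                p["scratch_files"] += 1  # random names with no extension, like the sqlite copies above
    return pids


def verdicts(events, min_dlls=3):
    """Reason list per PID; the parent that performed the self-launch is reported as well."""
    out = defaultdict(list)
    for pid, p in correlate(events).items():
        if p["self_launch"]:
            out[pid].append(f"spawned by a copy of itself (parent PID {p['parent']})")
            out[p["parent"]].append(f"launched a copy of itself (child PID {pid})")
        if len(p["locallow_dlls"]) >= min_dlls:
            out[pid].append(f"staged {len(p['locallow_dlls'])} browser-credential support DLLs in AppData\\LocalLow")
        if p["scratch_files"]:
            out[pid].append(f"wrote {p['scratch_files']} extension-less scratch file(s) alongside them")
    return dict(out)


if __name__ == "__main__":
    for pid, reasons in sorted(verdicts(EVENTS).items()):
        print(pid, correlate(EVENTS)[pid]["image"])
        for r in reasons:
            print("   ", r)
```

The DLL threshold of three is deliberate: a single vcruntime140.dll or msvcp140.dll in a user-writable directory is common for legitimate software, while the NSS trio (nss3, mozglue, freebl3/softokn3) outside a Mozilla install directory almost never is. Feed real Sysmon events in as dicts with the same keys and the rules apply unchanged.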
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 2
DNS requests: 1
Threats: 12

HTTP requests

All requests were made by PID 3992, 160a37cda657d7f373478df74cf5d316.exe, to 74.119.195.225:80 (CN: NL) and are rated malicious.

Method  HTTP Code  URL                                                                  Type        Size
POST    200        http://74.119.195.225/                                               text        7.27 Kb
GET     200        http://74.119.195.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll      executable  1.95 Mb
GET     200        http://74.119.195.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll  executable  438 Kb
GET     200        http://74.119.195.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll  executable  78.2 Kb
GET     200        http://74.119.195.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll   executable  612 Kb
GET     200        http://74.119.195.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll   executable  668 Kb
GET     200        http://74.119.195.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll  executable  248 Kb
GET     200        http://74.119.195.225/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll   executable  1.05 Mb
POST    200        http://74.119.195.225/e8797adb3005cf521a9ce769a4765191               text        8 b
POST    200        http://74.119.195.225/e8797adb3005cf521a9ce769a4765191               text        8 b

Connections

PID   IP                   Domain          ASN                             CN  Reputation
2724  142.250.186.100:443  www.google.com  GOOGLE                          US  whitelisted
3992  74.119.195.225:80    (no host name)  Stark Industries Solutions Ltd  NL  malicious

DNS requests

Domain          IP               Reputation
www.google.com  142.250.186.100  whitelisted

Threats

All alerts were raised on PID 3992, 160a37cda657d7f373478df74cf5d316.exe.

Class                                  Message
A Network Trojan was detected          ET TROJAN Win32/RecordBreaker CnC Checkin M1
A Network Trojan was detected          ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response
Potentially Bad Traffic                ET INFO Dotted Quad Host DLL Request (7 alerts, one per DLL fetched)
Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
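The HTTP requests and Threats tables above show the network pattern that the Emerging Threats signatures caught: a check-in POST to a bare-IP host, seven DLL downloads from a 32-character random directory on that host, then POSTs to a path consisting of 32 hex characters. The following is an added example, not ANY.RUN code and not the Emerging Threats rules themselves: it parses constructed proxy-log lines that mirror this report's requests (sizes and timestamps approximate, host names in the two benign rows invented) and implements three heuristics written here, one per signal: DLL fetches from a dotted-quad host, the browser-credential support library set staged from one host, and the check-in/exfiltration POST sequence seen in this capture.

```python
"""Proxy-log triage for the RecordBreaker/Raccoon traffic pattern above.
Added example over constructed log lines; not ANY.RUN code or ET signatures."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed lines mirroring the HTTP table, plus two benign rows (example.org, cdn.example.net).
# Format: <time> <pid> <method> <host> <path> <status> <content-type> <bytes>
SAMPLE_LOG = """\
17:46:21 2724 GET  www.example.org / 200 text/html 1432
17:46:30 3992 POST 74.119.195.225 / 200 text/plain 7444
17:46:32 3992 GET  74.119.195.225 /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll 200 application/octet-stream 2044928
17:46:34 3992 GET  74.119.195.225 /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll 200 application/octet-stream 448512
17:46:35 3992 GET  74.119.195.225 /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll 200 application/octet-stream 80077
17:46:37 3992 GET  74.119.195.225 /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll 200 application/octet-stream 626688
17:46:39 3992 GET  74.119.195.225 /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll 200 application/octet-stream 684032
17:46:41 3992 GET  74.119.195.225 /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll 200 application/octet-stream 253952
17:46:43 3992 GET  74.119.195.225 /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll 200 application/octet-stream 1101000
17:46:55 3992 POST 74.119.195.225 /e8797adb3005cf521a9ce769a4765191 200 text/plain 8
17:46:58 3992 POST 74.119.195.225 /e8797adb3005cf521a9ce769a4765191 200 text/plain 8
17:47:10 1200 GET  cdn.example.net /redist/vcruntime140.dll 200 application/octet-stream 80077
"""

DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX32_PATH = re.compile(r"^/[0-9a-f]{32}$")
# Libraries a stealer needs to read Firefox (NSS) and Chromium (SQLite) credential stores.
SUPPORT_DLLS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll",
                "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}


@dataclass
class HostProfile:
    pids: set = field(default_factory=set)
    dll_gets: list = field(default_factory=list)
    support_dlls: set = field(default_factory=set)
    root_posts: int = 0
    hex32_posts: int = 0


def parse_line(line: str) -> dict:
    time, pid, method, host, path, status, ctype, size = line.split()
    return {"time": time, "pid": int(pid), "method": method.upper(), "host": host.lower(),
            "path": path, "status": int(status), "ctype": ctype, "size": int(size)}


def profile_hosts(lines):
    """Aggregate per destination host: DLL GETs, which support DLLs, POST shapes."""
    profiles = defaultdict(HostProfile)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        p = profiles[ev["host"]]
        p.pids.add(ev["pid"])
        name = ev["path"].rsplit("/", 1)[-1].lower()
        if ev["method"] == "GET" and name.endswith(".dll"):
            p.dll_gets.append(ev["path"])
            if name in SUPPORT_DLLS:
                p.support_dlls.add(name)
        elif ev["method"] == "POST":
            if ev["path"] == "/":
                p.root_posts += 1
            elif HEX32_PATH.match(ev["path"]):
                p.hex32_posts += 1
    return profiles


def triage(lines, min_support_dlls=3):
    """Findings per host; hosts with no hits are omitted."""
    findings = {}
    for host, p in profile_hosts(lines).items():
        hits = []
        bare_ip = bool(DOTTED_QUAD.match(host))
        if bare_ip and p.dll_gets:  # same idea as "ET INFO Dotted Quad Host DLL Request"
            hits.append(f"{len(p.dll_gets)} DLL download(s) from a bare-IP host")
        if len(p.support_dlls) >= min_support_dlls:  # toolkit for reading browser stores
            hits.append("browser-credential support libraries staged: " + ", ".join(sorted(p.support_dlls)))
        if bare_ip and p.root_posts and p.hex32_posts:  # check-in, then POSTs to /<32 hex>, as in this capture
            hits.append(f"check-in POST to / followed by {p.hex32_posts} POST(s) to a 32-hex-character path")
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(host)
        for h in hits:
            print("   ", h)
```

The third rule is derived only from the traffic in this report, so treat it as a hunting query rather than a general RecordBreaker signature; the first two generalise well because a legitimate updater fetches binaries from a named host and does not need the full NSS set outside a browser install. The benign cdn.example.net row shows why a single runtime DLL is not enough to fire.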
No debug info