File name:

Coral_Island_Launcher.exe

Full analysis: https://app.any.run/tasks/7772dc78-c735-4e1b-bf15-3d02d1432ae9
Verdict: Malicious activity
Threats:

Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

Analysis date: December 06, 2022, 04:15:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
raccoon
recordbreaker
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

D69963755B52DA516E2E35B8C085198D

SHA1:

D3C58FC8103CA7F8473E216A015CECFEBDF17228

SHA256:

316229A9F02B0E09B3C55E8DE1C07CA312F9F912FDC95B23ECD61801C68BCAE1

SSDEEP:

98304:BvNfDMYmviWoEweP4HPvThoVfuM3aHWbj+Phlv3VNdGXZTKIg3tQV102SQhCOM/w:nihwHnTmVu2v+Ph3CK53t6y8M6hery7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • Coral_Island_Launcher.exe (PID: 3280)
    • RACCOON was detected

      • Coral_Island_Launcher.exe (PID: 3280)
    • Drops the executable file immediately after the start

      • Coral_Island_Launcher.exe (PID: 3280)
    • Loads dropped or rewritten executable

      • Coral_Island_Launcher.exe (PID: 3280)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Coral_Island_Launcher.exe (PID: 3280)
    • Connects to the server without a host name

      • Coral_Island_Launcher.exe (PID: 3280)
    • Process requests binary or script from the Internet

      • Coral_Island_Launcher.exe (PID: 3280)
    • Executable content was dropped or overwritten

      • Coral_Island_Launcher.exe (PID: 3280)
    • Process drops Mozilla's DLL files

      • Coral_Island_Launcher.exe (PID: 3280)
    • Process drops SQLite DLL files

      • Coral_Island_Launcher.exe (PID: 3280)
    • Searches for installed software

      • Coral_Island_Launcher.exe (PID: 3280)
    • Process checks DPAPI master keys

      • Coral_Island_Launcher.exe (PID: 3280)
    • Starts application from unusual location

      • Coral_Island_Launcher.exe (PID: 3280)
    • Reads browser cookies

      • Coral_Island_Launcher.exe (PID: 3280)
    • Send credential is detected

      • Coral_Island_Launcher.exe (PID: 3280)
  • INFO

    • Checks proxy server information

      • Coral_Island_Launcher.exe (PID: 3280)
    • Checks supported languages

      • Coral_Island_Launcher.exe (PID: 3280)
    • Drops a file that was compiled in debug mode

      • Coral_Island_Launcher.exe (PID: 3280)
    • Reads the computer name

      • Coral_Island_Launcher.exe (PID: 3280)
    • Reads Environment values

      • Coral_Island_Launcher.exe (PID: 3280)
    • Process looks inside Credentials folder

      • Coral_Island_Launcher.exe (PID: 3280)
    • Reads product name

      • Coral_Island_Launcher.exe (PID: 3280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Nov-20 11:00:45
Detected languages:
  • English - United States
CompanyName: IObit
FileDescription: Upgrader
FileVersion: 14.2.0.43
InternalName:
LegalCopyright: © IObit. All rights reserved.
LegalTrademarks: IObit
OriginalFilename: ASCUpgrade.exe
ProductName: Advanced SystemCare
ProductVersion: 14.0.0.0
Comments:

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 2022-Nov-20 11:00:45
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
46091
46592
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.98618
.rdata
53248
10450
10752
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.72552
.data
65536
1464
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT
69632
4
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.0407808
.grwgb0
73728
3493482
3493888
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.87257
.grwgb1
3567616
872
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.361405
.grwgb2
3571712
2985968
2985984
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.87668
.rsrc
6557696
366421
366592
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.09793

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.42588
1128
UNKNOWN
UNKNOWN
RT_ICON
2
4.30318
2440
UNKNOWN
UNKNOWN
RT_ICON
3
4.21117
4264
UNKNOWN
UNKNOWN
RT_ICON
4
3.97655
9640
UNKNOWN
UNKNOWN
RT_ICON
5
3.88931
16936
UNKNOWN
UNKNOWN
RT_ICON
6
3.73638
38056
UNKNOWN
UNKNOWN
RT_ICON
7
4.08284
270376
UNKNOWN
UNKNOWN
RT_ICON
MEIBIG
4.05282
4136
UNKNOWN
UNKNOWN
RT_BITMAP
MEICANTCONTINUE
1.98704
1064
UNKNOWN
UNKNOWN
RT_BITMAP
MEICLOSE
3.81538
1064
UNKNOWN
UNKNOWN
RT_BITMAP

Imports

KERNEL32.dll
KERNEL32.dll (#2)
KERNEL32.dll (#3)
USER32.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #RACCOON coral_island_launcher.exe

Process information

PID
CMD
Path
Indicators
Parent process
3280"C:\Users\admin\AppData\Local\Temp\Coral_Island_Launcher.exe" C:\Users\admin\AppData\Local\Temp\Coral_Island_Launcher.exe
Explorer.EXE
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
Upgrader
Exit code:
0
Version:
14.2.0.43
Modules
Images
c:\users\admin\appdata\local\temp\coral_island_launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 142
Read events
1 122
Write events
20
Delete events
0

Modification events

(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3280) Coral_Island_Launcher.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
Operation:writeName:WpadDecisionReason
Value:
1
Executable files
7
Suspicious files
1
Text files
3
Unknown types
6

Dropped files

PID
Process
Filename
Type
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\Znxi55r4s2WEsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\8O9EjBji6t9wsqlite
MD5:49E1E66E8EEFE2553D2ECEC4B7EF1D3E
SHA256:A664C359ACE3BFC149323E5403BB7140A84519043BDBA59B064EBC1BDADD32D4
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\vcruntime140.dllexecutable
MD5:1B171F9A428C44ACF85F89989007C328
SHA256:9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\OH9jrgT09DB9sqlite
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\QKKycTnNWC8Wimage
MD5:5E84398BF9F38BE2C10206D38402ADD3
SHA256:D3F244B8D322B1397B58D45C948512E40EF4F5F5A1F06E37BB350107A203892F
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\CS1Fp47keI1ttext
MD5:E7CE898AADD69F4E4280010B7808116E
SHA256:C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\1CUu6DdP2Q8Esqlite
MD5:B8E63E7225C9F4E0A81371F29D6456D8
SHA256:35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\XfzslJPxpHGwsqlite
MD5:23D08A78BC908C0B29E9800D3D5614E7
SHA256:F6BD7DF5DFAE9FD88811A807DBA14085E00C1B5A6D7CC3D06CC68F6015363D59
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\XfzslJPxpHGw-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3280Coral_Island_Launcher.exeC:\Users\admin\AppData\LocalLow\freebl3.dllexecutable
MD5:15B61E4A910C172B25FB7D8CCB92F754
SHA256:B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
1
DNS requests
0
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3280
Coral_Island_Launcher.exe
GET
200
45.153.240.247:80
http://45.153.240.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
DE
executable
1.95 Mb
malicious
3280
Coral_Island_Launcher.exe
GET
200
45.153.240.247:80
http://45.153.240.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
DE
executable
248 Kb
malicious
3280
Coral_Island_Launcher.exe
GET
200
45.153.240.247:80
http://45.153.240.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
DE
executable
1.05 Mb
malicious
3280
Coral_Island_Launcher.exe
GET
200
45.153.240.247:80
http://45.153.240.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
DE
executable
78.2 Kb
malicious
3280
Coral_Island_Launcher.exe
GET
200
45.153.240.247:80
http://45.153.240.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
DE
executable
438 Kb
malicious
3280
Coral_Island_Launcher.exe
POST
200
45.153.240.247:80
http://45.153.240.247/
DE
text
6.98 Kb
malicious
3280
Coral_Island_Launcher.exe
POST
200
45.153.240.247:80
http://45.153.240.247/aa20a35bd3c23e22960e907845610211
DE
text
8 b
malicious
3280
Coral_Island_Launcher.exe
GET
200
45.153.240.247:80
http://45.153.240.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
DE
executable
612 Kb
malicious
3280
Coral_Island_Launcher.exe
GET
200
45.153.240.247:80
http://45.153.240.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
DE
executable
668 Kb
malicious
3280
Coral_Island_Launcher.exe
POST
200
45.153.240.247:80
http://45.153.240.247/aa20a35bd3c23e22960e907845610211
DE
text
8 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3280
Coral_Island_Launcher.exe
45.153.240.247:80
combahton GmbH
DE
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3280
Coral_Island_Launcher.exe
A Network Trojan was detected
ET TROJAN Win32/RecordBreaker CnC Checkin M1
3280
Coral_Island_Launcher.exe
A Network Trojan was detected
ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response
3280
Coral_Island_Launcher.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3280
Coral_Island_Launcher.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3280
Coral_Island_Launcher.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3280
Coral_Island_Launcher.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3280
Coral_Island_Launcher.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3280
Coral_Island_Launcher.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3280
Coral_Island_Launcher.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3280
Coral_Island_Launcher.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
No debug info