File name: Setup.eexe

Full analysis: https://app.any.run/tasks/a84a498b-80ac-4e78-9ceb-70c6ccd8a897
Verdict: Malicious activity
Threats:

Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

Analysis date: December 05, 2022, 17:06:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: raccoon, trojan, recordbreaker, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8D2F35E845E15472C6D1AD20889A377D
SHA1: A6ED0EF63AF22ABACCA84C99F043173716560C0B
SHA256: 41917221696D458C412F1073F3B1C8B618CD994970F43362CDBDB972E20196CB
SSDEEP: 98304:CA/hR3AuPapObj9wYh4KpylT3/Ma29R68sI775DV3VVG0kDfiefR1elXWvaeboor:lFykjnhMzV2LHzBkDjf9NPVN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • RACCOON detected by memory dumps
      • Setup.eexe.exe (PID: 1816)
    • RACCOON was detected
      • Setup.eexe.exe (PID: 1816)
    • Drops the executable file immediately after the start
      • Setup.eexe.exe (PID: 1816)
    • Loads dropped or rewritten executable
      • Setup.eexe.exe (PID: 1816)
  • SUSPICIOUS
    • Connects to the server without a host name
      • Setup.eexe.exe (PID: 1816)
    • Process drops Mozilla's DLL files
      • Setup.eexe.exe (PID: 1816)
    • Process drops SQLite DLL files
      • Setup.eexe.exe (PID: 1816)
    • Process requests binary or script from the Internet
      • Setup.eexe.exe (PID: 1816)
    • Executable content was dropped or overwritten
      • Setup.eexe.exe (PID: 1816)
  • INFO
    • Drops a file that was compiled in debug mode
      • Setup.eexe.exe (PID: 1816)

Raccoon

(PID) Process: (1816) Setup.eexe.exe
Keys: xor dabb58cb2c7e3778b722715b6eed054f
C2 (1): http://77.73.134.30/
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Oct-20 11:04:41
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: IObit
FileDescription: Browser Anti-Tracking
FileVersion: 16.0.0.18
InternalName: BrowserCleaner.exe
LegalCopyright: © IObit. All rights reserved.
LegalTrademarks: IObit
OriginalFilename: BrowserCleaner.exe
ProductName: Advanced SystemCare
ProductVersion: 16.0
Comments:

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 2022-Oct-20 11:04:41
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 46091 | 0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 53248 | 10402 | 0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 65536 | 1464 | 0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.CRT | 69632 | 4 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0407808
.mhh0 | 73728 | 3536126 | 0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.mhh1 | 3612672 | 872 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.27856
.mhh2 | 3616768 | 6166928 | 6167040 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.96519
.rsrc | 9785344 | 166181 | 166400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.63657

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.45546 | 1128 | UNKNOWN | UNKNOWN | RT_ICON
2 | 5.39061 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
3 | 5.18373 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
4 | 5.32544 | 16936 | UNKNOWN | UNKNOWN | RT_ICON
5 | 5.28403 | 67624 | UNKNOWN | UNKNOWN | RT_ICON
6 | 7.78171 | 64683 | UNKNOWN | UNKNOWN | RT_ICON
EFHGJHDGERTUYTITUF | 2.79908 | 90 | UNKNOWN | UNKNOWN | RT_GROUP_ICON
1 (#2) | 3.36177 | 848 | UNKNOWN | Chinese - PRC | RT_VERSION
1 (#3) | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST

Imports

KERNEL32.dll
KERNEL32.dll (#2)
KERNEL32.dll (#3)
USER32.dll
ole32.dll
No data.
Total processes: 36
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #RACCOON setup.eexe.exe

Process information

PID | CMD | Path | Indicators | Parent process
1816 | "C:\Users\admin\Desktop\Setup.eexe.exe" | C:\Users\admin\Desktop\Setup.eexe.exe | | Explorer.EXE

User: admin
Company: IObit
Integrity Level: MEDIUM
Description: Browser Anti-Tracking
Version: 16.0.0.18
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\setup.eexe.exe
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
Total events: 1 149
Read events: 1 129
Write events: 20
Delete events: 0

Modification events

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (1816) Setup.eexe.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionReason
Value: 1

Executable files: 7
Suspicious files: 1
Text files: 3
Unknown types: 6

Dropped files

PID | Process | Filename | Type
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\mozglue.dll | executable
MD5:F07D9977430E762B563EAADC2B94BBFA
SHA256:4191FAF7E5EB105A0F4C5C6ED3E9E9C71014E8AA39BBEE313BC92D1411E9E862
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\freebl3.dll | executable
MD5:15B61E4A910C172B25FB7D8CCB92F754
SHA256:B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\softokn3.dll | executable
MD5:63A1FE06BE877497C4C2017CA0303537
SHA256:44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\cF4B7209nvX9-shm | binary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\K267j2sPp3fD | sqlite
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\cF4B7209nvX9 | sqlite
MD5:23D08A78BC908C0B29E9800D3D5614E7
SHA256:F6BD7DF5DFAE9FD88811A807DBA14085E00C1B5A6D7CC3D06CC68F6015363D59
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\T94V4mn774Xx | image
MD5:CAB7C58B883E3EC6838A60EF415C8644
SHA256:14FE3F115F96DCE95A66B59C74CC7E624F0CBC5DAA6804909E01353CF921CA13
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\3quU4bBB10Rh | sqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\J2e9x38GOd5H | sqlite
MD5:49E1E66E8EEFE2553D2ECEC4B7EF1D3E
SHA256:A664C359ACE3BFC149323E5403BB7140A84519043BDBA59B064EBC1BDADD32D4
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\9X6VmsYC5OCp | text
MD5:16137445CEBCECA2926FE761FCDDF5B5
SHA256:186D99A8E7BC4C3DF1D05706836F19C42A53BECE231CF7F1256BE1F09079C7D5
HTTP(S) requests: 13
TCP/UDP connections: 3
DNS requests: 0
Threats: 25

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1816 | Setup.eexe.exe | POST | 200 | 77.73.134.30:80 | http://77.73.134.30/ | KZ | text | 7.57 Kb | malicious
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll | KZ | executable | 1.95 Mb | malicious
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll | KZ | executable | 438 Kb | malicious
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll | KZ | executable | 78.2 Kb | malicious
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll | KZ | executable | 668 Kb | malicious
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll | KZ | executable | 1.05 Mb | malicious
1816 | Setup.eexe.exe | POST | 200 | 77.73.134.30:80 | http://77.73.134.30/07b63438148ab7e88adc635c6eb464de | KZ | text | 8 b | malicious
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll | KZ | executable | 248 Kb | malicious
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll | KZ | executable | 612 Kb | malicious
1816 | Setup.eexe.exe | POST | 200 | 77.73.134.30:80 | http://77.73.134.30/07b63438148ab7e88adc635c6eb464de | KZ | text | 8 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 77.73.134.30:80 | | Partner LLC | KZ | malicious
1816 | Setup.eexe.exe | 77.73.134.30:80 | | Partner LLC | KZ | malicious
1816 | Setup.eexe.exe | 89.208.104.172:80 | | AEZA GROUP Ltd | NL | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related
1816 | Setup.eexe.exe | A Network Trojan was detected | ET TROJAN Win32/RecordBreaker CnC Checkin
1816 | Setup.eexe.exe | A Network Trojan was detected | ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response
1816 | Setup.eexe.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Spyware User-Agent (XXX)
1816 | Setup.eexe.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1816 | Setup.eexe.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Spyware User-Agent (XXX)
1816 | Setup.eexe.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Spyware User-Agent (XXX)
No debug info