File name: Setup.eexe
Full analysis: https://app.any.run/tasks/a84a498b-80ac-4e78-9ceb-70c6ccd8a897
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 05, 2022, 17:06:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
raccoon
trojan
recordbreaker
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8D2F35E845E15472C6D1AD20889A377D
SHA1: A6ED0EF63AF22ABACCA84C99F043173716560C0B
SHA256: 41917221696D458C412F1073F3B1C8B618CD994970F43362CDBDB972E20196CB
SSDEEP: 98304:CA/hR3AuPapObj9wYh4KpylT3/Ma29R68sI775DV3VVG0kDfiefR1elXWvaeboor:lFykjnhMzV2LHzBkDjf9NPVN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • RACCOON was detected: Setup.eexe.exe (PID: 1816)
    • Drops the executable file immediately after the start: Setup.eexe.exe (PID: 1816)
    • RACCOON detected by memory dumps: Setup.eexe.exe (PID: 1816)
    • Loads dropped or rewritten executable: Setup.eexe.exe (PID: 1816)
  • SUSPICIOUS
    • Connects to the server without a host name: Setup.eexe.exe (PID: 1816)
    • Process requests binary or script from the Internet: Setup.eexe.exe (PID: 1816)
    • Executable content was dropped or overwritten: Setup.eexe.exe (PID: 1816)
    • Process drops SQLite DLL files: Setup.eexe.exe (PID: 1816)
    • Process drops Mozilla's DLL files: Setup.eexe.exe (PID: 1816)
  • INFO
    • Drops a file that was compiled in debug mode: Setup.eexe.exe (PID: 1816)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Raccoon

(PID) Process: (1816) Setup.eexe.exe
Keys:
  xor: dabb58cb2c7e3778b722715b6eed054f
C2 (1): http://77.73.134.30/
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Oct-20 11:04:41
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: IObit
FileDescription: Browser Anti-Tracking
FileVersion: 16.0.0.18
InternalName: BrowserCleaner.exe
LegalCopyright: © IObit. All rights reserved.
LegalTrademarks: IObit
OriginalFilename: BrowserCleaner.exe
ProductName: Advanced SystemCare
ProductVersion: 16.0
Comments: -

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 2022-Oct-20 11:04:41
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name    Virtual Address  Virtual Size  Raw Size  Characteristics                                                          Entropy
.text   4096             46091         0         IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ            -
.rdata  53248            10402         0         IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       -
.data   65536            1464          0         IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  -
.CRT    69632            4             512       IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       0.0407808
.mhh0   73728            3536126       0         IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ            -
.mhh1   3612672          872           1024      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  3.27856
.mhh2   3616768          6166928       6167040   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ            7.96519
.rsrc   9785344          166181        166400    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       6.63657

(No entropy is reported for sections whose raw size is 0, since they contain no bytes on disk.)
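The section table above is worth reading as a whole: .text, .rdata, .data and .mhh0 have a non-zero virtual size but a raw size of 0 (the loader only reserves zero-filled memory for them, so whatever they hold at run time is written by code that runs first), three section names are non-standard (.mhh0, .mhh1, .mhh2), and the 6 MB executable section .mhh2 has an entropy of 7.965, close to the 8.0 of uniformly random bytes. Combined with version info that claims to be IObit's BrowserCleaner.exe in a file named Setup.eexe, this is the profile of a packed or protected stub rather than the product it imitates. The following Python is an added example, not ANY.RUN's code and not part of this report: it parses the PE section table from the documented header layout, computes Shannon entropy per section and flags those indicators. The `build_sample_pe` helper constructs a tiny stand-in image with the same pattern (it is not the Setup.eexe sample); `STANDARD_SECTIONS`, the 7.0 entropy threshold and the `looks_packed` verdict are the author's assumptions.

```python
"""Parse a PE section table and flag packer indicators.

Added example, not ANY.RUN's code. Uses only the documented PE layout: e_lfanew at
0x3C, the "PE\\0\\0" signature, the 20-byte COFF header, then 40-byte section headers.
"""
import hashlib
import math
import struct
from dataclasses import dataclass

# Names a Microsoft toolchain normally emits; anything else deserves a look (assumption).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".CRT"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # assumed threshold; compressed or encrypted data sits near 8.0
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int
    characteristics: int
    entropy: float
    flags: list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        raw_name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, table + i * 40)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        raw = image[rptr:rptr + rsize] if rsize else b""
        ent = shannon_entropy(raw)
        flags = []
        if name not in STANDARD_SECTIONS:
            flags.append("non-standard name")
        if rsize == 0 and vsize > 0:
            flags.append("no bytes on disk: zero-filled by the loader, populated at runtime")
        if ent > HIGH_ENTROPY:
            flags.append("high entropy: compressed or encrypted content")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("writable and executable")
        sections.append(Section(name, vaddr, vsize, rsize, rptr, chars, ent, flags))
    return sections


def looks_packed(sections: list) -> bool:
    """Heuristic verdict (assumption): near-random executable bytes next to a section
    that exists only in memory is the classic unpacking-stub layout."""
    hollow = any(s.raw_size == 0 and s.virtual_size > 0 for s in sections)
    dense_code = any(s.entropy > HIGH_ENTROPY and s.characteristics & IMAGE_SCN_MEM_EXECUTE
                     for s in sections)
    return hollow and dense_code


def _section_header(name, vsize, vaddr, rsize, rptr, chars):
    return struct.pack(SECTION_HDR, name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)


def build_sample_pe() -> bytes:
    """Constructed stand-in image with the report's pattern (not the Setup.eexe sample):
    .text with no raw bytes, a non-standard near-random .mhh2, a plain .data."""
    blob, seed = b"", b"constructed"  # deterministic pseudo-random payload, 4096 bytes
    while len(blob) < 4096:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    data = bytes(range(16)) * 32  # 16 equiprobable byte values: entropy exactly 4.0
    opt_size, sec_off = 224, 512  # all headers fit in the first 512 bytes
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    table = (_section_header(b".text", 46091, 0x1000, 0, 0, 0x60000020)
             + _section_header(b".mhh2", len(blob), 0x2000, len(blob), sec_off, 0x60000020)
             + _section_header(b".data", len(data), 0x3000, len(data),
                               sec_off + len(blob), 0xC0000040))
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return image.ljust(sec_off, b"\0") + blob + data


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s.name:8} vsize={s.virtual_size:<8} rsize={s.raw_size:<8} "
              f"entropy={s.entropy:.3f} {', '.join(s.flags) or 'ok'}")
    print("packed:", looks_packed(secs))
```

Run against a real file with `parse_sections(open(path, "rb").read())`; the parser reads only the headers it needs, so a truncated or oversized raw pointer simply yields a short slice rather than an exception. Entropy alone is not a verdict (the .rsrc section here scores 6.6 because of compressed icons), which is why `looks_packed` also requires a section that has no bytes on disk.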

Resources

Title               Entropy  Size   Codepage  Language                 Type
1                   5.45546  1128   UNKNOWN   UNKNOWN                  RT_ICON
2                   5.39061  4264   UNKNOWN   UNKNOWN                  RT_ICON
3                   5.18373  9640   UNKNOWN   UNKNOWN                  RT_ICON
4                   5.32544  16936  UNKNOWN   UNKNOWN                  RT_ICON
5                   5.28403  67624  UNKNOWN   UNKNOWN                  RT_ICON
6                   7.78171  64683  UNKNOWN   UNKNOWN                  RT_ICON
EFHGJHDGERTUYTITUF  2.79908  90     UNKNOWN   UNKNOWN                  RT_GROUP_ICON
1 (#2)              3.36177  848    UNKNOWN   Chinese - PRC            RT_VERSION
1 (#3)              4.91161  381    UNKNOWN   English - United States  RT_MANIFEST

Imports

KERNEL32.dll
KERNEL32.dll (#2)
KERNEL32.dll (#3)
USER32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> Setup.eexe.exe (#RACCOON)

Process information

PID: 1816
CMD: "C:\Users\admin\Desktop\Setup.eexe.exe"
Path: C:\Users\admin\Desktop\Setup.eexe.exe
Parent process: Explorer.EXE
User: admin
Company: IObit
Integrity Level: MEDIUM
Description: Browser Anti-Tracking
Version: 16.0.0.18
Modules (loaded images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\setup.eexe.exe
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
Total events: 1,149
Read events: 1,129
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 7
Suspicious files: 1
Text files: 3
Unknown types: 6

Dropped files

All files below were written by PID 1816, Setup.eexe.exe.

C:\Users\admin\AppData\LocalLow\T94V4mn774Xx (image)
  MD5: CAB7C58B883E3EC6838A60EF415C8644
  SHA256: 14FE3F115F96DCE95A66B59C74CC7E624F0CBC5DAA6804909E01353CF921CA13
C:\Users\admin\AppData\LocalLow\cF4B7209nvX9-shm (binary)
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\admin\AppData\LocalLow\Tx2BuCIR99Z0 (sqlite)
  MD5: D02907BE1C995E1E51571EEDB82FA281
  SHA256: 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
C:\Users\admin\AppData\LocalLow\K267j2sPp3fD (sqlite)
  MD5: CC104C4E4E904C3AD7AD5C45FBFA7087
  SHA256: 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
C:\Users\admin\AppData\LocalLow\3quU4bBB10Rh (sqlite)
  MD5: D02907BE1C995E1E51571EEDB82FA281
  SHA256: 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
C:\Users\admin\AppData\LocalLow\TC26X9PavI7k (text)
  MD5: E7CE898AADD69F4E4280010B7808116E
  SHA256: C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02
C:\Users\admin\AppData\LocalLow\J2e9x38GOd5H (sqlite)
  MD5: 49E1E66E8EEFE2553D2ECEC4B7EF1D3E
  SHA256: A664C359ACE3BFC149323E5403BB7140A84519043BDBA59B064EBC1BDADD32D4
C:\Users\admin\AppData\LocalLow\freebl3.dll (executable)
  MD5: 15B61E4A910C172B25FB7D8CCB92F754
  SHA256: B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
C:\Users\admin\AppData\LocalLow\vcruntime140.dll (executable)
  MD5: 1B171F9A428C44ACF85F89989007C328
  SHA256: 9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
C:\Users\admin\AppData\LocalLow\msvcp140.dll (executable)
  MD5: 1FB93933FD087215A3C7B0800E6BB703
  SHA256: 2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01

Note that Tx2BuCIR99Z0 and 3quU4bBB10Rh carry identical MD5 and SHA256 values, i.e. the same content was written twice under different random 12-character names; the staging directory is AppData\LocalLow for every file.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

PID   Process         Method  Code  IP                 URL                                                                    CN  Type        Size     Reputation
1816  Setup.eexe.exe  GET     200   77.73.134.30:80    http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll      KZ  executable  248 Kb   malicious
1816  Setup.eexe.exe  GET     200   77.73.134.30:80    http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll      KZ  executable  438 Kb   malicious
1816  Setup.eexe.exe  GET     -     89.208.104.172:80  http://89.208.104.172/412.exe                                          RU  -           -        malicious
1816  Setup.eexe.exe  GET     200   77.73.134.30:80    http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll          KZ  executable  1.95 Mb  malicious
1816  Setup.eexe.exe  POST    200   77.73.134.30:80    http://77.73.134.30/                                                   KZ  text        7.57 Kb  malicious
1816  Setup.eexe.exe  GET     200   77.73.134.30:80    http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll       KZ  executable  1.05 Mb  malicious
1816  Setup.eexe.exe  GET     200   77.73.134.30:80    http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll       KZ  executable  612 Kb   malicious
1816  Setup.eexe.exe  GET     200   77.73.134.30:80    http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll       KZ  executable  668 Kb   malicious
1816  Setup.eexe.exe  POST    200   77.73.134.30:80    http://77.73.134.30/07b63438148ab7e88adc635c6eb464de                   KZ  text        8 b      malicious
1816  Setup.eexe.exe  GET     200   77.73.134.30:80    http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll  KZ  executable  78.2 Kb  malicious

Connections

PID   Process         IP                 Domain  ASN             CN  Reputation
-     -               77.73.134.30:80    -       Partner LLC     KZ  malicious
1816  Setup.eexe.exe  89.208.104.172:80  -       AEZA GROUP Ltd  NL  malicious
1816  Setup.eexe.exe  77.73.134.30:80    -       Partner LLC     KZ  malicious

DNS requests

No data

Threats

PID   Process         Class                                 Message
1816  Setup.eexe.exe  A Network Trojan was detected         ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related
1816  Setup.eexe.exe  A Network Trojan was detected         ET TROJAN Win32/RecordBreaker CnC Checkin
1816  Setup.eexe.exe  A Network Trojan was detected         ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response
1816  Setup.eexe.exe  Potentially Bad Traffic               ET INFO Dotted Quad Host DLL Request
1816  Setup.eexe.exe  A Network Trojan was detected         ET MALWARE Spyware User-Agent (XXX)
1816  Setup.eexe.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
1816  Setup.eexe.exe  Potentially Bad Traffic               ET INFO Dotted Quad Host DLL Request
1816  Setup.eexe.exe  A Network Trojan was detected         ET MALWARE Spyware User-Agent (XXX)
1816  Setup.eexe.exe  Potentially Bad Traffic               ET INFO Dotted Quad Host DLL Request
1816  Setup.eexe.exe  A Network Trojan was detected         ET MALWARE Spyware User-Agent (XXX)
No debug info
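The ET alerts in the Threats table line up with the HTTP table: seven DLLs fetched from a bare-IP host (five of them the NSS and SQLite libraries Raccoon stages to read browser credential stores, plus the msvcp140/vcruntime140 runtime they need), one .exe fetched from a second bare IP, and two POSTs to the C2 (to / and to a 32-hex-character path). The following Python is an added example, not ANY.RUN's code and not the Emerging Threats rule bodies: it runs the same kind of single-request heuristics over a constructed, proxy-style log (pid, method, url, status) built from the requests in this report plus one benign control line, and adds a cross-request correlation that fires when one process pulls several of those libraries from one host. The log format, the rule names, the `STEALER_LIBS` set and the threshold of three are assumptions.

```python
"""Heuristic detection over proxy-style HTTP log lines.

Added example, not ANY.RUN's code and not the Emerging Threats rule logic.
Assumed log format, one request per line:  <pid> <method> <url> <status>
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX32_PATH = re.compile(r"^/[0-9a-f]{32}$")
# Libraries this family stages to read browser credential stores (NSS + SQLite); assumption.
STEALER_LIBS = {"sqlite3.dll", "nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll"}
STAGING_THRESHOLD = 3  # assumption: three of the five from one process/host is enough

# Constructed log built from the requests in this report plus one benign control line.
SAMPLE_LOG = """\
1816 GET http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll 200
1816 GET http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll 200
1816 GET http://89.208.104.172/412.exe -
1816 GET http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll 200
1816 POST http://77.73.134.30/ 200
1816 GET http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll 200
1816 GET http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll 200
1816 GET http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll 200
1816 POST http://77.73.134.30/07b63438148ab7e88adc635c6eb464de 200
1816 GET http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll 200
4242 GET http://example.com/downloads/sqlite3.dll 200
"""


def parse_line(line: str) -> dict:
    """Split one assumed-format log line into the fields the rules need."""
    pid, method, url, status = line.split()
    parts = urlsplit(url)
    path = parts.path or "/"
    return {"pid": pid, "method": method.upper(), "url": url, "status": status,
            "host": parts.hostname or "", "path": path,
            "basename": path.rsplit("/", 1)[-1].lower()}


def classify(req: dict) -> list:
    """Rules that fire on a single request; every one of them needs a bare-IPv4 host."""
    hits = []
    if not DOTTED_QUAD.match(req["host"]):
        return hits
    if req["method"] == "GET" and req["basename"].endswith(".dll"):
        hits.append("dll_request_from_dotted_quad")
    if req["method"] == "GET" and req["basename"].endswith(".exe"):
        hits.append("pe_download_from_dotted_quad")
    if req["method"] == "POST" and (req["path"] == "/" or HEX32_PATH.match(req["path"])):
        hits.append("possible_c2_checkin")
    return hits


def analyze(log_text: str) -> dict:
    """Per-line rule hits plus a correlation over all lines for staged stealer libraries."""
    hits, counts = [], Counter()
    staged = defaultdict(set)  # (pid, host) -> stealer libraries fetched from that host
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        rules = classify(req)
        hits.append((line, rules))
        counts.update(rules)
        if req["basename"] in STEALER_LIBS:
            staged[(req["pid"], req["host"])].add(req["basename"])
    correlated = {k: sorted(v) for k, v in staged.items() if len(v) >= STAGING_THRESHOLD}
    return {"hits": hits, "counts": dict(counts), "staged_stealer_libs": correlated}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for line, rules in result["hits"]:
        print(f"{'; '.join(rules) or '-':32} {line}")
    print(result["counts"])
    print(result["staged_stealer_libs"])
```

The per-request rules are deliberately noisy on their own (an internal update server on a bare IP would also serve DLLs); the correlation is what turns "a DLL from an IP" into "a process assembling an NSS/SQLite toolkit from one host", which no single request shows and which matches the report's "Process drops Mozilla's DLL files" and "Process drops SQLite DLL files" behaviours.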