MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
SHA3-384 hash: 0b3c739f4207a2de0873e155f1c25d3c3c4fcea12c9e2e923326f19dc4fb2b2076f359d3d7a82c4dc562116f4cafe9e0
SHA1 hash: 19d9fbfd9b23d4bd435746a524443f1a962d42fa
MD5 hash: 0cfa58846e43dd67b6d9f29e97f6c53e
humanhash: hot-montana-football-network
File name:022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
Download: download sample
Signature RecordBreaker
File size:56'832 bytes
First seen:2022-06-22 09:58:58 UTC
Last seen:2022-09-19 13:36:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ec5227a81c3e90d891321c143c67557 (6 x RecordBreaker, 2 x RaccoonStealer)
ssdeep 1536:qzwshK8pUMGxo0xwwW9VemFMGfpbbVDzANyCa:wwshK8yMexbW9vJVDzANs
Threatray 34 similar samples on MalwareBazaar
TLSH T11B4307814885EC73C15248B4278D752FDBDEDC022A20F1CBB736F7D746E618249AA39B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter @plebourhis
Tags:exe RaccoonStealer recordbreaker

Intelligence


File Origin
# of uploads :
2
# of downloads :
337
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
–°reating synchronization primitives
Sending an HTTP POST request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.Coins
Status:
Malicious
First seen:
2022-06-04 09:44:41 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Result
Malware family:
recordbreaker
Score:
  10/10
Tags:
family:recordbreaker stealer suricata
Behaviour
RecordBreaker
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
Malware Config
C2 Extraction:
http://51.195.166.184/
Unpacked files
SH256 hash:
022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
MD5 hash:
0cfa58846e43dd67b6d9f29e97f6c53e
SHA1 hash:
19d9fbfd9b23d4bd435746a524443f1a962d42fa

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:MAL_Lokibot_Stealer
Description:Detects Lokibot Stealer Variants
Rule name:Recordbreaker
Author:@_FirehaK <yara@firehak.com>
Description:Recordbreaker is an information stealer capable of downloading and executing secondary payloads. It has been spreading through fake software cracks and keygens since May 2022.
Reference:https://twitter.com/_FirehaK/status/1534997159937982464
Rule name:Redline_Stealer_Monitor
Description:Detects RedLine Stealer Variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



Avatar
Jake Goldi commented on 2022-09-20 20:12:24 UTC

https://github.com/taogoldi/YARA/blob/main/stealers/raccoon/raccoon_stealer.yara