MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06b2f4503ff44aeb98aefb8f65f5392c7b90f1ca8dc618a249b866914590a40f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 12

SHA256 hash: 06b2f4503ff44aeb98aefb8f65f5392c7b90f1ca8dc618a249b866914590a40f
SHA3-384 hash: 0c71af459eaf7c9743b7faff2b88b2c30dc6f9b3c61dcaf089da2b11a9b7f50eadcc14dbb863e63d43f16a4e9f3ca17a
SHA1 hash: 377daa11190974f3d6eb166063b28bdfc07f2b7e
MD5 hash: 4aa1e343c1b0f9e5ade449ae7ae63cc4
humanhash: lion-sink-carolina-leopard
File name: 4aa1e343c1b0f9e5ade449ae7ae63cc4.exe
Signature: RecordBreaker
File size: 1'466'008 bytes
First seen: 2022-10-06 22:16:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b3b57d9e3a80b7c12ef37ba03d425598 (1 x RecordBreaker)
ssdeep: 24576:6UbwxnD9nhdeyWHy9t2GAYq+yo61j1b/pZWv6ARIFRd9iACg6teNf:VwxDdeyWnG2BFiqJCg6M
TLSH: T101650207A3BC893EE7BE8BF7702447157537B5520AF2910A1B5616EF295AFC088B34C6
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f0f4f0cccce8d4e8 (1 x RecordBreaker)
Reporter: abuse_ch
Tags: exe recordbreaker signed

Code Signing Certificate

Organisation: kizlar.com
Issuer: R3
Algorithm: sha256WithRSAEncryption
Valid from: 2022-09-22T21:23:11Z
Valid to: 2022-12-21T21:23:10Z
Serial number: 04a1fc09e133d461d35c89be60c1aec5990a
Thumbprint algorithm: SHA256
Thumbprint: 48d7e4cfd594b5a3048db0974bb00de115b6b08eeb87135ecb1942f985380b82
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
RecordBreaker C2:
http://5.2.70.65/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://5.2.70.65/
ThreatFox reference: https://threatfox.abuse.ch/ioc/872024/

Intelligence


File Origin
# of uploads: 1
# of downloads: 302
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Sending a custom TCP request
  DNS request
  Creating a window

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  SystemUptime
  CheckCmdLine
  EvasionGetTickCount
  EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 80%
Tags: babar greyware overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Allcome clipbanker, DarkTortilla, Raccoo
Detection: malicious
Classification: evad.troj.spyw
Score: 100 / 100
Signature:
  .NET source code contains method to dynamically call methods (often used by packers)
  Allocates memory in foreign processes
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for dropped file
  Antivirus detection for URL or domain
  C2 URLs / IPs found in malware configuration
  DLL side loading technique detected
  Found many strings related to Crypto-Wallets (likely being stolen)
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Injects a PE file into a foreign processes
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Query firmware table information (likely to detect VMs)
  Tries to detect sandboxes / dynamic malware analysis system (registry check)
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to steal Crypto Currency Wallets
  Uses ping.exe to check the status of other devices and networks
  Uses schtasks.exe or at.exe to add and modify task schedules
  Writes to foreign memory regions
  Yara detected Allcome clipbanker
  Yara detected DarkTortilla Crypter
  Yara detected Raccoon Stealer v2
  Yara detected SystemBC
Behaviour
Behavior Graph:
Behavior Graph ID: 717923
Sample: 7lrZhTxde8.exe
Start date: 07/10/2022
Architecture: WINDOWS
Score: 100

Signatures on the root node: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

Process tree recovered from the graph (network contacts, dropped files and signatures are listed under the process the graph attaches them to; child processes are indented under their parent):

7lrZhTxde8.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  InstallUtil.exe
    network: 5.2.70.65 LITESERVERNL Netherlands; 45.15.156.11 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation; 2 other IPs or domains
    dropped: C:\Users\user\AppData\Local\...\cNvxRZf9.exe (PE32+); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\LocalLow\softokn3.dll (PE32); 7 other files (5 malicious)
    signatures: Tries to harvest and steal browser information (history, passwords, etc); DLL side loading technique detected; Tries to steal Crypto Currency Wallets
    cNvxRZf9.exe
      network: 163.181.56.170 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States; 163.181.92.229 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States; 4 other IPs or domains
      dropped: C:\Users\user\...\notification_helper.exe (PE32+); C:\Users\user\AppData\...\mojo_core.dll (PE32+); C:\Users\user\AppData\Roaming\...\libEGL.dll (PE32+); 9 other files (8 malicious)
      signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect sandboxes / dynamic malware analysis system (registry check)
      chrome.exe
        chrome.exe
        chrome.exe
        2 other processes
    8R42k9oT.exe
      network: 192.168.11.1 unknown unknown
      dropped: rakeyata ten yepol...aji bav quivobi.exe (PE32)
      signatures: Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
      rakeyata ten yepolis rotod dehaji bav quivobi.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        InstallUtil.exe
          network: 89.22.225.242 INETLTDTR Russian Federation
      cmd.exe
        signatures: Uses ping.exe to check the status of other devices and networks
        PING.EXE
          network: 127.0.0.1 unknown unknown
        conhost.exe
        chcp.com
      schtasks.exe
        conhost.exe
    n7GinAX8.exe
      network: 142.250.186.132 GOOGLEUS United States
      signatures: Antivirus detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
      n7GinAX8.exe
        network: 104.21.17.54 CLOUDFLARENETUS United States
        dropped: C:\Users\user\AppData\Local\cache\MoUSO.exe (PE32)
        schtasks.exe
          conhost.exe
MoUSO.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  MoUSO.exe
rakeyata ten yepolis rotod dehaji bav quivobi.exe
  InstallUtil.exe
2 other processes
  network: 172.217.16.196 GOOGLEUS United States
  signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  MoUSO.exe
  MoUSO.exe
  MoUSO.exe
  2 other processes
Threat name: Win32.Trojan.RaccoonSteal
Status: Malicious
First seen: 2022-10-01 07:42:08 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Verdict: malicious
Label(s): raccoon asyncrat

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of SetThreadContext
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Loads dropped DLL
  Downloads MZ/PE file
Raccoon Malware Config
C2 Extraction: http://5.2.70.65/

Verdict: Informative
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: ccff956112a6c63ed4a1838d48c5a75bdbff72350c590585e46b856bc6bcea9f
MD5 hash: fae4103daf1926c403c2ebef7be63831
SHA1 hash: 6c62152926a2ad0dd99fdcd4e3d69f2ecd5041c9

SHA256 hash: 06b2f4503ff44aeb98aefb8f65f5392c7b90f1ca8dc618a249b866914590a40f
MD5 hash: 4aa1e343c1b0f9e5ade449ae7ae63cc4
SHA1 hash: 377daa11190974f3d6eb166063b28bdfc07f2b7e

Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments