MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aaaeeb2a4317258353d646cadba368cef0d2e477b3e559f656aff75a3a40946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0aaaeeb2a4317258353d646cadba368cef0d2e477b3e559f656aff75a3a40946
SHA3-384 hash: 9b06d50aebdc33e45f1f1fad3cb21a6c04ee8995e16c368858bfcbea6266db692281fe43e0b829b9d87ac44223c2f4ab
SHA1 hash: 14a93f10708e193a32d79b8366343ab94d5a50fc
MD5 hash: 79ffb1c5df972dfadfdbed09e415f623
humanhash: fifteen-pasta-alpha-sodium
File name:79ffb1c5df972dfadfdbed09e415f623.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:12'861'440 bytes
First seen:2023-02-26 06:35:35 UTC
Last seen:2023-02-26 08:33:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba71c93bfaf8a292238017b3a884ad39 (2 x RecordBreaker)
ssdeep 393216:AjNH3AoQ2YeZtvoI18SxZJNTecv2IUEv9rYh9uoRPjSHoPolr:cOer18SrJNTecvpHlshcIPjqogl
Threatray 87 similar samples on MalwareBazaar
TLSH T109D633E322654189F0C5CE327727BCD5B1F16F7A0641AD3C30DA7AF91236996B202E5B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 786c64e4c2e8e4c0 (1 x RecordBreaker, 1 x CryptBot, 1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://37.220.87.66/

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
79ffb1c5df972dfadfdbed09e415f623.exe
Verdict:
Malicious activity
Analysis date:
2023-02-26 06:39:47 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/ba8abf5f-c0d5-40ff-b0f4-da1ff8c7809c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369767/
Detection(s):
SecuriteInfo.com.Variant.Lazy.268505.2420.29277.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63fafdd45d47c2515e803219/reports/249b81a6-09f4-40e4-b62f-7e267a85dd10/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0aaaeeb2a4317258353d646cadba368cef0d2e477b3e559f656aff75a3a40946
Result
Verdict:
MALICIOUS
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3b62e52-bbe1-4182-b5e1-4e6959b1482c
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182516
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 815347 Sample: l2L5sjfgB1.exe Startdate: 26/02/2023 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Multi AV Scanner detection for domain / URL 2->37 39 Antivirus detection for URL or domain 2->39 41 6 other signatures 2->41 7 l2L5sjfgB1.exe 26 2->7         started        process3 dnsIp4 29 77.73.134.24, 49698, 80 FIBEROPTIXDE Kazakhstan 7->29 31 37.220.87.66, 49697, 80 ARTEM-CATV-ASRU Russian Federation 7->31 33 77.73.134.35, 49699, 80 FIBEROPTIXDE Kazakhstan 7->33 21 C:\Users\user\AppData\Roaming\7W4pkzUc.exe, PE32+ 7->21 dropped 23 C:\Users\user\AppData\Roaming\48p9taEd.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 7->25 dropped 27 6 other files (4 malicious) 7->27 dropped 43 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->43 45 Tries to harvest and steal browser information (history, passwords, etc) 7->45 47 Tries to evade analysis by execution special instruction (VM detection) 7->47 49 2 other signatures 7->49 12 48p9taEd.exe 1 7->12         started        15 7W4pkzUc.exe 7->15         started        file5 signatures6 process7 signatures8 51 Machine Learning detection for dropped file 12->51 53 Writes to foreign memory regions 12->53 55 Allocates memory in foreign processes 12->55 57 Injects a PE file into a foreign processes 12->57 17 AppLaunch.exe 4 12->17         started        19 conhost.exe 12->19         started        59 Antivirus detection for dropped file 15->59 61 Multi AV Scanner detection for dropped file 15->61 63 Tries to harvest and steal browser information (history, passwords, etc) 15->63 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0aaaeeb2a4317258353d646cadba368cef0d2e477b3e559f656aff75a3a40946/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-02-22 04:24:18 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
17 of 39 (43.59%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkvo5mvegfzfqnj5mrwk3orwrtxq2lshpm7flh3fnl7xli5ebfda._file
Verdict:
malicious
Similar samples:
1b8f84f3e94abdd467e3794e336d0beb69bc52c4cef4def0c83a01727936397b
RecordBreaker
2485066b0a47ef5a72bed598787fc60afa1e15727e0fcb987ba47c9e100a01b1
RecordBreaker
3456b3d72716fa65c41d3b6d8ddd5e6c365cfb8c7fd298a57be5f30b6caf28dd
RecordBreaker
37b90013b2b05efd0ff943fb6b3173bc802d5cc7eb0d24801ee5c298f30b5b3d
RecordBreaker
48b226bb739aac1a4f9d90b898aeae795dff4a2035ae2805b8a43ba11ddaa667
RecordBreaker
cd7f075fc5ca8ef703f71de1d9f195e01e9a3433668f0a54898b4d88ea85587b
RecordBreaker
d429c7f575a65bc5bb031d953315379f8a2b2bcd8bbb9c40b4a1f1d005a10370
RecordBreaker
e487cc9c5d05a910d82c833029b1dc9ac00e5729ad05d1dcfafaa4fc64496b6d
RecordBreaker
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230226-hcxglafh5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
46f4dacea8e93a2959d20e7af9bb4e64a1eb8cffe2e959f425ace1fce4ea5f6f
MD5 hash:
fdbe6178d54de94e3f4af22d7e55ab7f
SHA1 hash:
8a8f50ec9bb989dd7338fa3b2a91312b58343197
Link:
https://www.unpac.me/results/520d1997-a215-4801-80e9-34469925f7c1/
SH256 hash:
0aaaeeb2a4317258353d646cadba368cef0d2e477b3e559f656aff75a3a40946
MD5 hash:
79ffb1c5df972dfadfdbed09e415f623
SHA1 hash:
14a93f10708e193a32d79b8366343ab94d5a50fc
Link:
https://www.unpac.me/results/520d1997-a215-4801-80e9-34469925f7c1/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0aaaeeb2a431/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0aaaeeb2a4317258353d646cadba368cef0d2e477b3e559f656aff75a3a40946

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369767/

Comments