MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
SHA3-384 hash: 09f8496751fee6ac673d5cfadb113e4484448b2e058ae1c3c7984c5e233b5ff4acd7b047ac6647dee984a9fc4ada4800
SHA1 hash: c467e04766a9b952d7f6a7e4465d780027ac05d5
MD5 hash: ba80c9649a837ac276764b32e451f8b4
humanhash: social-carpet-four-lion
File name:BA80C9649A837AC276764B32E451F8B4.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:122'880 bytes
First seen:2023-01-10 23:10:19 UTC
Last seen:2023-01-11 01:09:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 89766042e29aed5fce63c7340618b000 (6 x RecordBreaker, 3 x RaccoonStealer)
ssdeep 1536:H0jcjzCB6WeKjhKY/hINnAsmLps3K6iAGuSayJCPieRMRGpq5:+cjzCB6WfhK4IULps3K6RbSlCPiSE75
Threatray 226 similar samples on MalwareBazaar
TLSH T132C37291D8D6BC12C69100315DC7F773A72DAE392CF4E80FA2985EF07EA40657E5E982
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://213.252.247.188/

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BA80C9649A837AC276764B32E451F8B4.exe
Verdict:
No threats detected
Analysis date:
2023-01-10 23:12:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e6b96232-7f42-488d-abab-e81b05be8763

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351730/
Detection(s):
SecuriteInfo.com.Variant.Lazy.256797.14274.26546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay raccoon raccoonstealer
Link:
https://www.filescan.io/uploads/63bdf08706f34cc0fa5314cf/reports/b28f2cb2-38c7-467b-adb7-21fdf1274196/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb41f327-0758-4536-8597-dffc1475260d
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1147721
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 780453 Sample: tOJQFd8pbR.bin Startdate: 09/01/2023 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 8 tOJQFd8pbR.exe 30 2->8         started        process3 dnsIp4 40 213.252.247.188, 49696, 80 IST-ASLT Lithuania 8->40 42 89.208.104.172, 49700, 80 PSKSET-ASRU Russian Federation 8->42 44 77.73.134.24, 49699, 80 FIBEROPTIXDE Kazakhstan 8->44 32 C:\Users\user\AppData\Roaming\g21w72CD.exe, PE32+ 8->32 dropped 34 C:\Users\user\AppData\Local\...\f66X7c6w.exe, MS-DOS 8->34 dropped 36 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->36 dropped 38 6 other files (4 malicious) 8->38 dropped 60 Tries to harvest and steal browser information (history, passwords, etc) 8->60 62 Tries to steal Crypto Currency Wallets 8->62 64 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->64 13 f66X7c6w.exe 8->13         started        17 g21w72CD.exe 2 8->17         started        file5 signatures6 process7 dnsIp8 46 youtube-ui.l.google.com 142.250.184.46, 443, 49701 GOOGLEUS United States 13->46 48 www.youtube.com 13->48 66 Multi AV Scanner detection for dropped file 13->66 68 Tries to harvest and steal browser information (history, passwords, etc) 13->68 70 Sets debug register (to hijack the execution of another thread) 13->70 72 Tries to evade debugger and weak emulator (self modifying code) 13->72 19 cmd.exe 1 13->19         started        74 Query firmware table information (likely to detect VMs) 17->74 76 Machine Learning detection for dropped file 17->76 78 Queries temperature or sensor information (via WMI often done to detect virtual machines) 17->78 80 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->80 22 cmd.exe 1 17->22         started        signatures9 process10 signatures11 58 Uses schtasks.exe or at.exe to add and modify task schedules 19->58 24 conhost.exe 19->24         started        26 choice.exe 1 19->26         started        28 conhost.exe 22->28         started        30 schtasks.exe 1 22->30         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-01-07 22:18:19 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjlh3yskrw6gyaidvitdef5neqajrv2ulyzfi3zv7vnxsgyynh5a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0278ab4f0298aa6e8066c14cf2b0063a09ac96e8bac365ddf192092dc17b42af
RecordBreaker
226ed812358dd933659606de6a4c7effa16b4eb2c2003b9125a76097f36a7637
RecordBreaker
2d5230d6ceaa896bb1174f6a63c5d0bb3575a7e1d8f2cd5d736b3b70d2c5ba71
RecordBreaker
3e84d664aa9fa55735c98f2e91c58b9bdb6630014b151fb69b23da124912d369
RecordBreaker
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
RecordBreaker
656f5c1e8367a0b6e34dbf8e5740be127b4ffaa74a22a2164fcd68eff45580ff
RecordBreaker
6ad67b7dd47d2e625f7a143be485695dd20648a2363bd91ac079556624712354
RecordBreaker
6dc10241f07d88ce686151f7c47c4e7ed0b182e5e221cdd3ed24af496a691af8
RecordBreaker
c035175a412100bdd59753f1bb7fb311513affdd095beeb7c8d10e68788d03f2
RecordBreaker
+ 216 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230110-2586msdg3s/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e741663c-b61d-447b-9b64-82f4465cef99
Unpacked files
SH256 hash:
12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
MD5 hash:
ba80c9649a837ac276764b32e451f8b4
SHA1 hash:
c467e04766a9b952d7f6a7e4465d780027ac05d5
Link:
https://www.unpac.me/results/98b9a043-d5f2-4864-80d4-60966828c3d4/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/12567de24a8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/351730/

Comments