MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 142524d4152ef9eab917f159cc911cc968ee1fa6e27a0d5ba19bcea86e40a55f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
RecordBreaker
Vendor detections: 10
| SHA256 hash: | 142524d4152ef9eab917f159cc911cc968ee1fa6e27a0d5ba19bcea86e40a55f |
|---|---|
| SHA3-384 hash: | dcafba24158c6f1f0a179365039899a6e7132e810dd2e92a56a1b32dd8775dc1a52e2d5d03493d71f8e09e996cdf1b10 |
| SHA1 hash: | a97846ebcdf70a3fae4e5d2cfa88b654e9b263c7 |
| MD5 hash: | a8ab0daa3b9c121542c8e976f5321482 |
| humanhash: | utah-missouri-washington-mexico |
| File name: | file |
| Download: | download sample |
| Signature | RecordBreaker |
| File size: | 36'864 bytes |
| First seen: | 2022-10-26 14:46:23 UTC |
| Last seen: | 2022-10-26 18:21:09 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 768:vILF0NtZiBMFfEmr+BCK7PFl+nK01e7Nv62n3gYRNG1:vILe1D+BC3KH7NeYRNG1 |
| Threatray | 785 similar samples on MalwareBazaar |
| TLSH | T172F2F841B3D1CE82E56D6632C4A3466207B0FD09D5A26B6B099C7F2FDC657700AB3F4A |
| TrID | 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) |
| File icon (PE): |  |
| dhash icon | 69ccd4d49696cc71 (13 x Adware.Adload, 8 x CoinMiner, 7 x ValleyRAT) |
| Reporter |  andretavare5 |
| Tags: | exe recordbreaker |
andretavare5
Sample downloaded from https://vk.com/doc733883836_657599408?hash=SNRqmYsfOIE0RR6r62nzQGObRdlzn3s4XsGqVWn5F98&dl=G4ZTGOBYGM4DGNQ:1666795041:J0gUtSiAAKIiVFzP5JotPJZbdGU6Zx7MCd79BkUzviT&api=1&no_preview=1#orig1kIndicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://89.185.85.151/ | https://threatfox.abuse.ch/ioc/950023/ |
Intelligence
File Origin
# of uploads :
117
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-26 14:48:35 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Suspicious
Maliciousness:
Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a file in the system32 subdirectories
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2022-10-26 15:22:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
raccoon
Similar samples:
+ 775 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
142524d4152ef9eab917f159cc911cc968ee1fa6e27a0d5ba19bcea86e40a55f
MD5 hash:
a8ab0daa3b9c121542c8e976f5321482
SHA1 hash:
a97846ebcdf70a3fae4e5d2cfa88b654e9b263c7
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | RaccoonV2 |
|---|---|
| Author: | @_FirehaK <yara@firehak.com> |
| Description: | Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). |
| Reference: | https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/ |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Dropped by
PrivateLoader
Delivery method
Distributed via drive-by
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.