MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 155da40d99790b973c85db891b0860e89979ae241637db97148f90c2b33d8cc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	155da40d99790b973c85db891b0860e89979ae241637db97148f90c2b33d8cc7
SHA3-384 hash:	9f7da30197cd93cec6ef2cc4b2cd8c1a56fbfe8fc58369e7be6ad193b3b111f8b4394dff5ca5a02b9959291b19066a87
SHA1 hash:	e96b11e2bd1603cd99f6f96c671cb0c95d73e62c
MD5 hash:	48f3182df20d1cd5f186013b5d52e9a3
humanhash:	nitrogen-kentucky-april-aspen
File name:	file
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	2'604'829 bytes
First seen:	2022-10-17 20:25:48 UTC
Last seen:	2022-10-17 21:15:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a93cea5329220fb90674a1f0bde2cd0e (40 x RedLineStealer, 7 x RecordBreaker, 2 x ErbiumStealer)
ssdeep	24576:oKw4MA8/R3BL7o+w0Y1Yj002XLMw96KZd2B8Z0b5bpD69vI/H/313LGXC79lyIlz:ofAAnL7o+awbAI/H/313aoNl3D
Threatray	690 similar samples on MalwareBazaar
TLSH	T1BCC52A135A8B0D75DDD23BB4A1CB633EA734ED30CA3A9B7BB608C43959532C56C1A742
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe recordbreaker

andretavare5

Sample downloaded from http://77.73.134.38/MyNewFileChr.exe

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/321132/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.154054.22748.26311.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/43529/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug anti-vm overlay packed spyeye

Link:

https://www.filescan.io/uploads/634dba5c36b2f81d638452ed/reports/d1505153-e984-4563-8f41-04fe69a3b032/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6f2d02d9-ae9b-4a56-ab47-0c55621dbe2c

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1092286

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

DLL side loading technique detected

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/155da40d99790b973c85db891b0860e89979ae241637db97148f90c2b33d8cc7/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-17 20:26:12 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cvo2idmzpefzopef3oerwcda5cmxtlrecy35xfyur6imfmz5rtdq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

296d3abb689416d5c47bb8edd555c81b9cf81f80fc9179b14aa6b68c8c8e10ab

RecordBreaker

2eb8a3cb622a19952d8f271155c5a8ec344325410d74103ce042c46eab05d84a

RecordBreaker

313f623a348593e28c62e89f2ffec407ef4cc9a92ddaf88b0eb1eb5756e423a9

RecordBreaker

9d91cbc0bff07a1c1749886482c8defb287c1a2528e60d6f7100e6030470c482

RecordBreaker

fd9057972eae84d688262e24b1d87082b18cf567da4bf172df8fe955cee8f75d

RecordBreaker

+ 680 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:ce21570f8b07f4e68bfb7f44917635b1 spyware stealer

Link:

https://tria.ge/reports/221017-y7t8qadcek/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://77.73.133.7/

Unpacked files

SH256 hash:

245a0614bdffbf022231b350870e647884c7d4f319645137f74a1ffa4fdc1ccf

MD5 hash:

12d1fe32e001f5ad07d82df4012a0904

SHA1 hash:

2a1fe9dee3e1277894381e564977f092558ca35c

Detections:

raccoonstealer

win_recordbreaker_auto

Link:

https://www.unpac.me/results/5194cfcc-ec16-4b9e-9c99-5e46853f7063/

SH256 hash:

155da40d99790b973c85db891b0860e89979ae241637db97148f90c2b33d8cc7

MD5 hash:

48f3182df20d1cd5f186013b5d52e9a3

SHA1 hash:

e96b11e2bd1603cd99f6f96c671cb0c95d73e62c

Link:

https://www.unpac.me/results/5194cfcc-ec16-4b9e-9c99-5e46853f7063/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/155da40d9979/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/155da40d99790b973c85db891b0860e89979ae241637db97148f90c2b33d8cc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name:	recordbreaker_win_generic Create hunting rule
Author:	_kphi

Rule name:	win_recordbreaker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/321132/

URLhaus

https://urlhaus.abuse.ch/url/2355246/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample