MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb
SHA3-384 hash: 6b1f7820cf20179a94666a1c49814a266ca98af9015a46fafdc31227a3cc6db088963bbae10385133d10e07e187f30ad
SHA1 hash: 777ad485da8359a3194b8b5f6fad514bffd5cdac
MD5 hash: c5e15dbab0811bd42a6e4d62132ff459
humanhash: winner-snake-emma-queen
File name:ProtonVPN_3.0.5.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:303'616 bytes
First seen:2023-05-13 13:45:06 UTC
Last seen:2023-05-13 22:55:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cb0d32ad83907c8b5d9a97a27bcf3623 (2 x Rhadamanthys, 1 x Stop, 1 x Smoke Loader)
ssdeep 6144:yo4ozSmgUkbkN6eyzrcnEAaz9mdb9/pTqHu8uiHL:ZBSmgUkIa0ELz9mt9/EO8LL
Threatray 31 similar samples on MalwareBazaar
TLSH T1DC549E4372D07971E6621A318E2EC6F4662EFCA18F156BDB2B556A2F0D702F1C572B03
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8ea1a1a1a181a1ba (1 x RecordBreaker)
Reporter ULTRAFRAUD
Tags:exe Raccoon recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
360
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
ProtonVPN_3.0.5.exe
Verdict:
Malicious activity
Analysis date:
2023-05-13 13:46:58 UTC
Tags:
raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/df5f4dc3-53d5-4920-857f-aa2b1fe66373

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388910/
Detection(s):
Win.Packed.Babar-10001332-0
Create hunting rule

Win.Packed.Trojanx-10001393-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed tofsee
Link:
https://www.filescan.io/uploads/645f949b3f7b24f3bbefa823/reports/eadbaa59-ef64-4bfc-af73-2257202d7200/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/84426454-f1c2-43dc-b4d4-002921a37676
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232115
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-05-13 13:46:07 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cwm2meqyovs4ngo74tyqwbhvmin2asvqko5bfbfabbyg6dat2xfq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
2d46060078a180d844d5c466209b357fecab66cf3bbd01f81222bcb5cc08906f
RecordBreaker
4495f2d6e7ca19027474aa32cae50c81ade7b543afb2393b2c81455c4d72a12c
RecordBreaker
4dfc1a29a46d73e82d985a6ee4b3108580b82c73e0aeb1d16cba214c2d194863
RecordBreaker
79b320749ba393a5745d16d4e4df8eb77224b25e8eb31e062879da32e2b89043
RecordBreaker
8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa
RecordBreaker
9b0da3cc4aa62aae34e78ec51141088518321b0ae3cd48fca8c7807abd33a3d7
RecordBreaker
ca4ae9f580e4a00f646d216125a86bed4a1f9c327a61194dd77d902d4adadbbd
RecordBreaker
ed31aebbc0ff4d4b3eaa34321b1323f93a738f0e41e08d6dce4b8d529bf77541
RecordBreaker
f0ea6cf3417bf75417b5228b4afd31e5257f65f19d3deb39a39499c15a872c93
RecordBreaker
+ 21 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:5b7eff386f31487f5db4c7f0e4006546 stealer
Link:
https://tria.ge/reports/230513-q2ypysgc64/
Behaviour
Program crash
Raccoon
Malware Config
C2 Extraction:
http://165.232.118.86/
Unpacked files
SH256 hash:
2a3dcb68859948808ce65544a014111b094ac4e3cd417618cec9d6564c7a1070
MD5 hash:
8b6fcacad885793c02ad34bfa9dadd53
SHA1 hash:
8a572c5a4e1c0a31370a15b943c9db642fd65524
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd9f0466-d9fd-4d01-98f4-098f0e0fd49f/
SH256 hash:
1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb
MD5 hash:
c5e15dbab0811bd42a6e4d62132ff459
SHA1 hash:
777ad485da8359a3194b8b5f6fad514bffd5cdac
Link:
https://www.unpac.me/results/bd9f0466-d9fd-4d01-98f4-098f0e0fd49f/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1599a6121875/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 1599a612187565c699dfe4f10b04f5621ba04ab053ba1284a008706f0c13d5cb

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/388910/
  
URLhaus
https://urlhaus.abuse.ch/url/2631393/
  
Delivery method
Distributed via web download

Comments