MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168
SHA3-384 hash: dfab0bb819cf8fbff6f5aa5332698f33aef42cf15499164c2cec306bdc82ab7c603921ff3c85b90dbdf7b60f959fec22
SHA1 hash: bdbb1cb65db56922bdab468e47a4b4ecfad9bc13
MD5 hash: 811f64ea53b76f4e63f3baa9cbf449af
humanhash: sierra-georgia-speaker-beer
File name:811f64ea53b76f4e63f3baa9cbf449af
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:608'256 bytes
First seen:2022-11-25 02:44:21 UTC
Last seen:2022-11-25 04:28:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:+wbZEYGhNrkgCpLQX1/5kdPHT2/OdMuuTCUdsmGNN3vSkiLEOPtttbpXbqYr0IB/:lAkbp8
Threatray 1'135 similar samples on MalwareBazaar
TLSH T1CFD4BADC726076DFC917C476DAA91C68FBA074BB831F4213902715ADAA5E887CF580F2
TrID 30.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
12.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
811f64ea53b76f4e63f3baa9cbf449af
Verdict:
Malicious activity
Analysis date:
2022-11-25 02:45:25 UTC
Tags:
raccoon
Link:
https://app.any.run/tasks/95bca5c0-f1ac-40c3-a345-9381f9c617d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338256/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.5138.1279.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending an HTTP POST request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed raccoon
Link:
https://www.filescan.io/uploads/63802c2f559d07a06f474f58/reports/51b86baa-e2fc-4c16-832f-9366c6143121/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e236dc1-30ed-4114-81af-8ec8a48b67a0
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1120826
Signature
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 02:45:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgncbnzmj23qiufag3rf7cv4d2xjwc5fvmtjmuosksalscnmmfua._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
3f0bb49d1d57056e70552c93ecaa2a25da1915cf94f1ac6f4bba541bbb1c10a6
RecordBreaker
485f96a994285faf8adb053bd282512ad651b677ab8fab8b71aa84ee6e38064d
RecordBreaker
65d7cb9e85d954c8404431f3f9ec06413e3c2016c1d746bae126b32866f43465
RecordBreaker
70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a
RecordBreaker
cc88f88bd55a2e3c3809a59c3dd3fa16f197ff1abc3adc25704ae0b09aee955f
RecordBreaker
e50d7612867722fff23e0bb61ae117b5cfe6fc843e17c8c3a4deb413820170c4
RecordBreaker
ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a
RecordBreaker
+ 1'125 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:16465d0e7bfd19684d4e56a43306c91b discovery spyware stealer
Link:
https://tria.ge/reports/221125-c8qq2afc84/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://79.137.196.11/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c696a3b3-0c7c-4b6f-b8ef-038347d4ef9a
Unpacked files
SH256 hash:
b4f8e3694b1085b847c5ebb454c083e91755e4cb515b2267fad24de6879e5faa
MD5 hash:
663553432762ba2ca0ad45146fb6f7dd
SHA1 hash:
dc4b1c7d48fc720260ee932643acc41fc146de1c
Link:
https://www.unpac.me/results/928b879a-9de5-448c-890d-20073aa362d8/
SH256 hash:
e245c4a7d41e095b5c5136a89e698bd11e452594d864e250607cff2b2efadbab
MD5 hash:
6c991f5490cd23d8df31d89864395b21
SHA1 hash:
a6e3fde5d6f72fce36c5a8955a6025d92efb4356
Link:
https://www.unpac.me/results/928b879a-9de5-448c-890d-20073aa362d8/
SH256 hash:
199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168
MD5 hash:
811f64ea53b76f4e63f3baa9cbf449af
SHA1 hash:
bdbb1cb65db56922bdab468e47a4b4ecfad9bc13
Link:
https://www.unpac.me/results/928b879a-9de5-448c-890d-20073aa362d8/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/199a20b72c4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 199a20b72c4eb70450a036e25f8abc1eae9b0ba5ab269651d25480b909ac6168

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2432254/
Cape
Cape
https://www.capesandbox.com/analysis/338256/

Comments


Avatar
zbet commented on 2022-11-25 02:44:26 UTC

url : hxxp://77.73.133.113/lego/okok.exe