MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ee4cefacf38cfc2928f412ee4d23e2254c8265754d8eb4b86e331f2ca8616e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	1ee4cefacf38cfc2928f412ee4d23e2254c8265754d8eb4b86e331f2ca8616e5
SHA3-384 hash:	e6499f611fe47c7ef7848947facce90329c8194747e539d32abfb2afd8c733d63cccab867de47a933eb473efc29d0476
SHA1 hash:	b7f73375d8f4246a9974ca72b4fe150f7fd2fc55
MD5 hash:	524b292f1499d13b7acc1af8f6e0161b
humanhash:	don-hamper-september-bluebird
File name:	524b292f1499d13b7acc1af8f6e0161b.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	622'592 bytes
First seen:	2022-08-07 17:20:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	222c367e9ac4d337d94bcf41d218e853 (4 x RecordBreaker)
ssdeep	12288:U7hEmjpxH7rbl+6ji1aFDfPY9O2KCJcxeoo53Sc:IpTnJ+6cWDuqsd
Threatray	138 similar samples on MalwareBazaar
TLSH	T1D4D47D33B1E08433D2762B7C9E5B53A89C2A7E106D78B84A2FE41D8C5F3D6913939197
TrID	68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13101/52/3) 0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://77.73.132.74/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://77.73.132.74/	https://threatfox.abuse.ch/ioc/841804/

Intelligence

File Origin

# of uploads :

# of downloads :

379

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

524b292f1499d13b7acc1af8f6e0161b.exe

Verdict:

Malicious activity

Analysis date:

2022-08-07 17:23:19 UTC

Tags:

loader stealer

Link:

https://app.any.run/tasks/a60e69e4-ae39-40f6-b9fa-fd1338e14acc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296996/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.30397.7913.UNOFFICIAL

SecuriteInfo.com.Trojan.Win32.Save.a.24366.13777.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28305/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/62eff4816336465f2a21460d/reports/2ced805b-fcd3-4ea7-8221-c46d1d502532/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4a344da-d5ed-4260-9eb4-6fdc02631354

Result

Threat name:

CryptOne, Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1047543

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected CryptOne packer

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1ee4cefacf38cfc2928f412ee4d23e2254c8265754d8eb4b86e331f2ca8616e5/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-08-07 17:21:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d3sm56wphdh4feupiexojur6ejkmqjsxktmows4g4my7fsugc3sq._file

Verdict:

malicious

RecordBreaker

22539844faca3d0029a5421ecc146979eb16ac4257fe8011a84f0686052f5b19

RecordBreaker

3427583e84dda3d92aab9f9b9050d7cfe9bcb43094acc08f02f0166f310702cc

RecordBreaker

5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b

RecordBreaker

85599a173b0e02feec2e6a0260166da49b870cb8d87c2b0beb1e79473e921d83

RecordBreaker

9bc8a9f52041123c3c471dd111a2ce0ee39eaf5e59d7949826d08601a3511f10

RecordBreaker

a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e677e003d3adf74f4e9ec

RecordBreaker

b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110

RecordBreaker

e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edfaea681a98abb04f92b6

RecordBreaker

e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928

RecordBreaker

+ 128 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:afb5c633c4650f69312baef49db9dfa4 stealer

Link:

https://tria.ge/reports/220807-vwzghsgbc5/

Behaviour

Raccoon

Raccoon Stealer payload

Malware Config

C2 Extraction:

http://77.73.132.74

Unpacked files

SH256 hash:

ac235a673e0ea2bfb0d2e6f2b8253699ffa4ea618e4d910f556e2ecbb5c25c0e

MD5 hash:

d28fd6744208e7fb03ae3ab8663961ae

SHA1 hash:

ddc4d920c5ddab6d8521aa1abbbea11e7f09e421

Link:

https://www.unpac.me/results/081ddcfa-3a93-4f22-b5fa-4933efdae4b5/

Parent samples :

8a631481dec5c4bfde1b90e812868a5edd093f44ebbb0625f91e6548c500ef67
3df88f2029a31f78dd274a199c37a0295aeed62e8dbe3b111e5e078058e97e08
72a40d2a9f86e23a04a0748441fb122b7c931e1b58b2cba7ca2f5fd7c3ffd4b0
dd867eaf8b2afabdee44b3abe0c40ef727e9d5d7c5092a7a2be398e077c1ce03
36f0665c83b2c0b2968654d6f982d886500abfffb470c72e44331eade368e656
c2edb4657f300a58da83f9a6874575eec3e14622aedd1fe6f2e50d4a844f4e8b

SH256 hash:

1ee4cefacf38cfc2928f412ee4d23e2254c8265754d8eb4b86e331f2ca8616e5

MD5 hash:

524b292f1499d13b7acc1af8f6e0161b

SHA1 hash:

b7f73375d8f4246a9974ca72b4fe150f7fd2fc55

Link:

https://www.unpac.me/results/081ddcfa-3a93-4f22-b5fa-4933efdae4b5/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ee4cefacf38/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1ee4cefacf38cfc2928f412ee4d23e2254c8265754d8eb4b86e331f2ca8616e5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

exe 1ee4cefacf38cfc2928f412ee4d23e2254c8265754d8eb4b86e331f2ca8616e5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2263228/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/296996/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample