MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f051c962be1a23fa36caeae13781b0258562a1786e6cb94f85d5aa722160f67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f051c962be1a23fa36caeae13781b0258562a1786e6cb94f85d5aa722160f67
SHA3-384 hash: 25560f386555c3480c0d6da3d7eb3da939cbbc23b81863dd60bb825ed9758ac60f8e332fad0b5c4859d69ddbf4c327b5
SHA1 hash: bd00058ee286fdf1a06fdcae8e77df69326ad682
MD5 hash: d579549068a8b62182a2772be6d761c4
humanhash: sink-rugby-aspen-alpha
File name:file
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:753'664 bytes
First seen:2023-06-26 02:32:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:qZRmY7z2r1WtDJ+FmmXjlEnDs2yAciYg+KxdOtdbyM:q/L7ttDJomclEnYtAcmc
Threatray 1'256 similar samples on MalwareBazaar
TLSH T118F45A007454C615E5EF02F980B34638FAE2D793D22291A8BEAC93FB0FA393D9767545
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon fce4f4f4f4d4f4f4 (1 x RecordBreaker)
Reporter andretavare5
Tags:exe recordbreaker


Avatar
andretavare5
Sample downloaded from https://vk.com/doc808950829_663370595?hash=shZybDXhXJCDtBsHz2eiK3Q7w1rFuIPnKZTPGYiBXZP&dl=sIEAZ80JfTGDtIXWtsPBVihBgsi8wYWRGVMfh9V3Cgg&api=1&no_preview=1#house

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
US US
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-26 02:33:59 UTC
Tags:
raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/79e5858d-48b9-4c0b-8ea5-798fdd0400b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/402734/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.91267.16793.25495.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
lolbin obfuscated packed regsvcs.exe
Link:
https://www.filescan.io/uploads/6498f8de04bae722a2dcb055/reports/ff752b24-7d70-4af2-ad3a-19f3a2d90062/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1f051c962be1a23fa36caeae13781b0258562a1786e6cb94f85d5aa722160f67
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/220027b7-328c-46d7-8e35-f9778c736537
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1261191
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f051c962be1a23fa36caeae13781b0258562a1786e6cb94f85d5aa722160f67/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-24 20:44:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
133
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4crzfrl4grd7i3mv2xbg6a3ajmfmkqxq3tmxfhylvnkoiqwb5tq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256
RecordBreaker
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
RecordBreaker
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
RecordBreaker
6da056b3e14e136e17890c04f270ed1decbca6d67eb0f0fed914569e4fba8a92
RecordBreaker
7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4
RecordBreaker
8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771
RecordBreaker
960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63
RecordBreaker
db0d7b2975ad69353f3bb5b20c8c13c8ca8ab0ab9ae601b350c676a445871a1f
RecordBreaker
e441f76f21f624136a63e22a03fe2f32674d47e9869091524eb5037303e60a51
RecordBreaker
+ 1'246 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon stealer
Link:
https://tria.ge/reports/230626-c1vp1sgf91/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Raccoon
Raccoon Stealer payload
Unpacked files
SH256 hash:
121bdd2c04d32b3c10ab33e1e5a3d40680e99c31a70d55451157548142392e65
MD5 hash:
eb936dc608a8acf0a4ad22147968cad2
SHA1 hash:
7be57c4eae2e89eb35f3519d72e884d4c1cefabd
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
a4902d988dbaf10b4eec3f3d582177c3299cbf3a37604a5631059b343a0322af
MD5 hash:
4124a94f668d2b41b57bfb71101988d1
SHA1 hash:
4cdebb77d8b631e930a3c250b2f1d8f8fe5ae145
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
SH256 hash:
121bdd2c04d32b3c10ab33e1e5a3d40680e99c31a70d55451157548142392e65
MD5 hash:
eb936dc608a8acf0a4ad22147968cad2
SHA1 hash:
7be57c4eae2e89eb35f3519d72e884d4c1cefabd
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
a4902d988dbaf10b4eec3f3d582177c3299cbf3a37604a5631059b343a0322af
MD5 hash:
4124a94f668d2b41b57bfb71101988d1
SHA1 hash:
4cdebb77d8b631e930a3c250b2f1d8f8fe5ae145
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
SH256 hash:
121bdd2c04d32b3c10ab33e1e5a3d40680e99c31a70d55451157548142392e65
MD5 hash:
eb936dc608a8acf0a4ad22147968cad2
SHA1 hash:
7be57c4eae2e89eb35f3519d72e884d4c1cefabd
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
a4902d988dbaf10b4eec3f3d582177c3299cbf3a37604a5631059b343a0322af
MD5 hash:
4124a94f668d2b41b57bfb71101988d1
SHA1 hash:
4cdebb77d8b631e930a3c250b2f1d8f8fe5ae145
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
SH256 hash:
1f051c962be1a23fa36caeae13781b0258562a1786e6cb94f85d5aa722160f67
MD5 hash:
d579549068a8b62182a2772be6d761c4
SHA1 hash:
bd00058ee286fdf1a06fdcae8e77df69326ad682
Link:
https://www.unpac.me/results/daa07628-a6a0-4eda-a5fc-9407e5cfea78/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f051c962be1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f051c962be1a23fa36caeae13781b0258562a1786e6cb94f85d5aa722160f67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pe_imphash
Create hunting rule
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/402734/

Comments