MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 6 File information Comments

SHA256 hash:	20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919
SHA3-384 hash:	917f8f7aec205d4e1c9a2cd0c9642507f637a8e2a94e3ff9116dc9300be37e20ca92e6529510cde82b68482616c2a00e
SHA1 hash:	57d9f5334ed9d1036a71a5670158fe4b9d9cfd79
MD5 hash:	4a7c01c347ed9416940ed8597da69e27
humanhash:	jupiter-mars-skylark-saturn
File name:	file
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	4'963'280 bytes
First seen:	2022-10-10 13:22:17 UTC
Last seen:	2022-10-10 14:19:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	49152:rZUJgcrkXw03C/V+H+5mf2B3+nkTQK4AUF5L/vEjF:VsgcwXr3CIe5IYTQK4RnLHEZ
Threatray	623 similar samples on MalwareBazaar
TLSH	T119368A2067F4FBAA8F58E7F64107E22046F14CE9722C9907AF8B7675240EF59B7825C1
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	69ccd4d49696cc71 (13 x Adware.Adload, 8 x CoinMiner, 7 x ValleyRAT)
Reporter	andretavare5
Tags:	exe recordbreaker

andretavare5

Sample downloaded from http://kaisashop.online/install.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://77.73.133.7/	https://threatfox.abuse.ch/ioc/872739/

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318433/

Detection(s):

MiscreantPunch.SingleXOR.EXE.79.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the system32 subdirectories

Creating a file

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/63441cb8dbe426a948bd311d/reports/f51b994d-ac71-480c-a69e-57d87b83d9b1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/02185c3b-2b12-445c-aa62-8209f07464cf

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1087285

Signature

C2 URLs / IPs found in malware configuration

DLL side loading technique detected

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919/

Threat name:

ByteCode-MSIL.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-10 13:23:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=edwqdkhb5sey5qsutg22yggykircnyemd74lv76de7tdu3sgzemq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

15f34133a747b4493e5a5ca3ac04a6bf9823bb5841884f5cab8ccf086c8ba13e

RecordBreaker

27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20

RecordBreaker

296d3abb689416d5c47bb8edd555c81b9cf81f80fc9179b14aa6b68c8c8e10ab

RecordBreaker

80bf09424e359558567c85c94e70c8ee4c13d2676f4d52b694da1692c34f0f06

RecordBreaker

aa39655b046e5dff029236ee67d80d3106f2e05f11bd3ee1ebeb41d40321c988

RecordBreaker

df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee

RecordBreaker

f93ba32f22e747dec19ebdf57fc8b1f775feca04f70a69d0660b905956b246f4

RecordBreaker

+ 613 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:bd3a3a503834ef8e836d8a99d1ecff54 agilenet spyware stealer

Link:

https://tria.ge/reports/221010-qmskdscbdq/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://77.73.133.7/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/70879af7-fc04-4097-8162-b1dbbf3f3b7c

Unpacked files

SH256 hash:

ce445043a237004a00feff39797f0c1032e4ebe8c5c55c8b98d070cd8682a507

MD5 hash:

4c4a782a63e152aeb8abfa13d0981e65

SHA1 hash:

b17fee51a8ff9a53a69f1d1db867c6ae1e01be86

Link:

https://www.unpac.me/results/f10d9486-d9fd-4cb5-93aa-78b02c788dc0/

SH256 hash:

d51774a96236ec45d70952e531236d03d59f6f3f00326702253a059abe05b5ac

MD5 hash:

7d0b80d550b77ac8afe85ac40a5b20f9

SHA1 hash:

931fa81c543f443666612cc7aed553a1027e8c5c

Detections:

raccoonstealer

win_recordbreaker_auto

Link:

https://www.unpac.me/results/f10d9486-d9fd-4cb5-93aa-78b02c788dc0/

Parent samples :

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071
ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a
20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919
c2283fa67f9c570588fbe02ade91f2b4fd9109ddf06d029af8c7e7c47d3579d2
36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

SH256 hash:

4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde

MD5 hash:

f4ba8570299eabf8fe2d02cc1dc0606a

SHA1 hash:

5d7add32313074f5a1e9b4ab379298dee8b6217e

Link:

https://www.unpac.me/results/f10d9486-d9fd-4cb5-93aa-78b02c788dc0/

SH256 hash:

54dc802c4076b220d28c9a334e383febdf73725d740edce398e5350cf1830e39

MD5 hash:

d0f3acb023b2027fbf3f52ca8263be48

SHA1 hash:

091dc4f5c014f893374416b4d1b83c474fdfad4c

Link:

https://www.unpac.me/results/f10d9486-d9fd-4cb5-93aa-78b02c788dc0/

SH256 hash:

20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919

MD5 hash:

4a7c01c347ed9416940ed8597da69e27

SHA1 hash:

57d9f5334ed9d1036a71a5670158fe4b9d9cfd79

Link:

https://www.unpac.me/results/f10d9486-d9fd-4cb5-93aa-78b02c788dc0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name:	recordbreaker_win_generic Create hunting rule
Author:	_kphi

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_recordbreaker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/318433/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample