MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21f4bd9962eb074a176ce10f16309868ec36fbb26a323a8e2f08affa98a8f72c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21f4bd9962eb074a176ce10f16309868ec36fbb26a323a8e2f08affa98a8f72c
SHA3-384 hash: 049936c958bdc3abcb2ce4ee141aee8ae808748b32bfeb688f20e5abdbf43e823ac79ee8e74cef17e004aee27c933879
SHA1 hash: fc220e8d2339962d318b033ff79c590dd7594ee9
MD5 hash: 2a32e505ae967bcffbab3c56ff8904d2
humanhash: double-fifteen-magazine-network
File name:2a32e505ae967bcffbab3c56ff8904d2.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'245'696 bytes
First seen:2022-10-30 10:30:34 UTC
Last seen:2022-10-30 13:10:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5f0f18aac36409a08519634008f3b24 (12 x RedLineStealer, 1 x ArkeiStealer, 1 x RecordBreaker)
ssdeep 24576:BbMBpjiJfMCFeTc7BRvQPXVixltOsyKCco4THOavPyB:BqGJkL6oPYxltOsyhaa
Threatray 885 similar samples on MalwareBazaar
TLSH T114459E22F98380B2DDF311F1D1ADA61D615EA0700F3259CB5A44A6F8ADF05D22E36F97
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://88.119.171.205/

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2a32e505ae967bcffbab3c56ff8904d2.exe
Verdict:
Malicious activity
Analysis date:
2022-10-30 10:31:27 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/e3dbf44f-d44c-4c93-8176-037f313e36a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326091/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.93075.10334.23258.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware redline
Link:
https://www.filescan.io/uploads/635e5266ce1f43143c2a0b9e/reports/114c55c0-9320-43ba-a6ef-75d22039a0f5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/629c2b73-c9db-4753-9a77-bff5a74dea70
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1101214
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21f4bd9962eb074a176ce10f16309868ec36fbb26a323a8e2f08affa98a8f72c/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-26 13:03:27 UTC
File Type:
PE (Exe)
AV detection:
21 of 25 (84.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eh2l3glc5mduuf3m4ehrmmeyndwdn65snizdvdrpbcx7vgfi64wa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
142524d4152ef9eab917f159cc911cc968ee1fa6e27a0d5ba19bcea86e40a55f
RecordBreaker
64f9fa160bc97c437ad094a77ffdd68e0be3ae5372c40922b39f580c9ebc801c
RecordBreaker
70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a
RecordBreaker
99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5
RecordBreaker
b993ca2a752e9bd918f76db3cff5b987977821bd5874c3d867ad16d82156682f
RecordBreaker
e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0
RecordBreaker
+ 875 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221030-mkc55sgban/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
4275ab50c6de504c1543b1e61b0efe7e8b62314bf1b6ad56e407748328e33283
MD5 hash:
1e91ecb3bfdb96f1421357476106fbd8
SHA1 hash:
834b8ece6c8bb5d01c05a8e8090bab13247bb100
Link:
https://www.unpac.me/results/0244c4df-7556-4831-a5b0-5c03b0f27773/
SH256 hash:
21f4bd9962eb074a176ce10f16309868ec36fbb26a323a8e2f08affa98a8f72c
MD5 hash:
2a32e505ae967bcffbab3c56ff8904d2
SHA1 hash:
fc220e8d2339962d318b033ff79c590dd7594ee9
Link:
https://www.unpac.me/results/0244c4df-7556-4831-a5b0-5c03b0f27773/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/21f4bd9962eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21f4bd9962eb074a176ce10f16309868ec36fbb26a323a8e2f08affa98a8f72c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326091/

Comments