MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2379723159ed6b1301813d5e06ae76370cb218b7f3b50c4bd4306db1682f2ccc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2379723159ed6b1301813d5e06ae76370cb218b7f3b50c4bd4306db1682f2ccc
SHA3-384 hash: 4235a30bbc99b6983f4674d034225147cc6e1298aa2a48e439a655e6bb16adea6be4bf1dae27873f3eef20b256f10690
SHA1 hash: 3c37827070f8d4eb726f59a0d4f2db0d8f1232ca
MD5 hash: 72ceccc9998a49d984bf8648262304f5
humanhash: stream-artist-bacon-november
File name:72ceccc9998a49d984bf8648262304f5.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:266'752 bytes
First seen:2023-06-04 17:25:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dd63bd9e1295342f1e09fc97326cbd9 (1 x RecordBreaker)
ssdeep 3072:x6sSW20yS19d7Y5fLagUTxegZtSR/E4jOC:QsSWZ19d7Y55UTx7Zta/
Threatray 931 similar samples on MalwareBazaar
TLSH T18B441A53E2A1BC59E5264B7A8E1EC2F8361DF9518F09F7A6321C6A2F07F0171C1A7712
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00206080c0632100 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://138.201.88.153:8998/

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
72ceccc9998a49d984bf8648262304f5.exe
Verdict:
Malicious activity
Analysis date:
2023-06-04 17:27:43 UTC
Tags:
raccoon recordbreaker trojan loader stealer rat avemaria
Link:
https://app.any.run/tasks/7be3923d-3e79-4f83-a027-25748768933a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/395562/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.9187.49.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89324/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
71%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/647cc92a8dfaaecc1f520163/reports/6e276d54-2b25-409b-b341-87fa45ec0fc4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2379723159ed6b1301813d5e06ae76370cb218b7f3b50c4bd4306db1682f2ccc
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0913460b-ac43-4065-8a49-9d623f51cd34
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1248388
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Increases the number of concurrent connection per server for Internet Explorer
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Add file from suspicious location to autostart registry
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 881408 Sample: vvPLiGYO08.exe Startdate: 04/06/2023 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 13 other signatures 2->48 8 vvPLiGYO08.exe 61 2->8         started        process3 dnsIp4 34 138.201.88.153, 49699, 8998 HETZNER-ASDE Germany 8->34 36 edge-block-www-env.dropbox-dns.com 162.125.66.15 DROPBOXUS United States 8->36 38 3 other IPs or domains 8->38 26 C:\Users\user\AppData\Roaming\ZQOo1R1G.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->28 dropped 30 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 8->30 dropped 32 5 other files (3 malicious) 8->32 dropped 52 Detected unpacking (changes PE section rights) 8->52 54 Detected unpacking (overwrites its own PE header) 8->54 56 Tries to harvest and steal browser information (history, passwords, etc) 8->56 58 Tries to steal Crypto Currency Wallets 8->58 13 ZQOo1R1G.exe 3 2 8->13         started        file5 signatures6 process7 dnsIp8 40 95.216.3.121 HETZNER-ASDE Germany 13->40 60 Detected unpacking (changes PE section rights) 13->60 62 Detected unpacking (overwrites its own PE header) 13->62 64 Machine Learning detection for dropped file 13->64 66 8 other signatures 13->66 17 cmd.exe 1 13->17         started        19 explorer.exe 2 1 13->19 injected signatures9 process10 process11 21 reg.exe 1 1 17->21         started        24 conhost.exe 17->24         started        signatures12 50 Creates an undocumented autostart registry key 21->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2379723159ed6b1301813d5e06ae76370cb218b7f3b50c4bd4306db1682f2ccc/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-06-04 17:26:05 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=en4xemkz5vvrgambhvpanltwg4glegfx6o2qys6ugbw3c2bpftga._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
avemaria
Create hunting rule
Similar samples:
23c91e8428a890b37175f1c0fe1466f881bcec938238c4ffc24cd0720ef44ab4
RecordBreaker
3e5717c918b21e2d105b23fa8fed2528541435a24462beb8eb6fca4bd2ad8027
RecordBreaker
4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd
RecordBreaker
7e7d63e3a65bdc7258d659d77b1e66ce07c834ba2897886682e383babfc68da6
RecordBreaker
c7ca2f9065557a6d8fb0c02c75804d386b77ffca4466678b201c09e916afa096
RecordBreaker
ea334e6d6b8c953695cbdb56dd4d1ec6b2269bf241ea7084dc032595e5bca87b
RecordBreaker
+ 921 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat discovery infostealer rat spyware stealer
Link:
https://tria.ge/reports/230604-vzt17sch57/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
79813e3a045ab94e138940d7b4dd84abcb09d5ad064980717a9e045a770969db
MD5 hash:
f22f36fc3d9a7180f85cff1a976feba7
SHA1 hash:
d4f5ec0b3eec650819aea50e33fad7ed2d071c00
Detections:
raccoonstealer
Create hunting rule
Link:
https://www.unpac.me/results/53dbac58-4983-4927-85ce-806167d94a16/
Parent samples :
53e00a4184accd0427b110d614ca18eeb37de902a4c6d2782cfb1f2302f78ada
1efe7e276b7b35248dc5ff09a38e1f85b7c425367385fa51adaeebcca4e54e4c
2379723159ed6b1301813d5e06ae76370cb218b7f3b50c4bd4306db1682f2ccc
SH256 hash:
2379723159ed6b1301813d5e06ae76370cb218b7f3b50c4bd4306db1682f2ccc
MD5 hash:
72ceccc9998a49d984bf8648262304f5
SHA1 hash:
3c37827070f8d4eb726f59a0d4f2db0d8f1232ca
Link:
https://www.unpac.me/results/53dbac58-4983-4927-85ce-806167d94a16/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2379723159ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2379723159ed6b1301813d5e06ae76370cb218b7f3b50c4bd4306db1682f2ccc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/395562/

Comments