MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa
SHA3-384 hash:	f6154e5a7ded983c8c27c40ebd6e153c6a8a22c45abd51de8e30ea53c0f1bdeea56a0bc883c7eb0ae23f887759a58859
SHA1 hash:	58520459530dcd3f840825b540d02b0a86590b86
MD5 hash:	7185834758af3441e82bba85cd5b8ff0
humanhash:	nebraska-seven-kentucky-two
File name:	file
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	805'792 bytes
First seen:	2022-10-12 10:29:49 UTC
Last seen:	2022-10-12 16:54:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:26UqGLpGLMMMHMMMvMMZMMMKzbKXOMMHMMMvMMZMMMKzbKXT7GLMMMHMMMvMMZM0:Z6MMHMMMvMMZMMMFOMMHMMMvMMZMMMFi
Threatray	651 similar samples on MalwareBazaar
TLSH	T18805AEC2F385D8A5C49941718833CA264677ED1E8D244A3B31AE7B1E3E773C36266D1B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c271cc9cae8de972 (24 x Skeeeyah, 7 x RedLineStealer, 2 x RecordBreaker)
Reporter	andretavare5
Tags:	exe recordbreaker

andretavare5

Sample downloaded from http://77.73.134.38/MyNewFileChr.exe

Intelligence

File Origin

# of uploads :

127

# of downloads :

243

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319309/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Launching a process

Creating a file

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Reading critical registry keys

Creating a file in the system32 subdirectories

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm obfuscated overlay packed

Link:

https://www.filescan.io/uploads/6346972caab5b3e31a6ab9b3/reports/d01a99cb-c0fc-459b-b671-fc0de7c240c4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/84f8c14c-72f3-4898-bfdd-999848df5860

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1089394

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa/

Threat name:

Win32.Trojan.Recordbreaker

Status:

Malicious

First seen:

2022-10-12 10:30:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

361

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fwhkciynnwmu726tl3pmehzjr37h4grkn525actjca2zqdzquwva._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20

RecordBreaker

313f623a348593e28c62e89f2ffec407ef4cc9a92ddaf88b0eb1eb5756e423a9

RecordBreaker

36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c

RecordBreaker

928377073c45f7fb59591af49620d5afc581ce27c4727f7aa77fd23af85b0145

RecordBreaker

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071

RecordBreaker

ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a

RecordBreaker

+ 641 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:bd3a3a503834ef8e836d8a99d1ecff54 spyware stealer

Link:

https://tria.ge/reports/221012-mjs5zadceq/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://77.73.133.7/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ae0eebc9-a4d5-4af9-8d1e-75af08d26dd5

Unpacked files

SH256 hash:

d51774a96236ec45d70952e531236d03d59f6f3f00326702253a059abe05b5ac

MD5 hash:

7d0b80d550b77ac8afe85ac40a5b20f9

SHA1 hash:

931fa81c543f443666612cc7aed553a1027e8c5c

Detections:

raccoonstealer

win_recordbreaker_auto

Link:

https://www.unpac.me/results/5b4feaa1-6c31-4df0-85f9-f023c0dd162e/

Parent samples :

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071
ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a
20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919
c2283fa67f9c570588fbe02ade91f2b4fd9109ddf06d029af8c7e7c47d3579d2
36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

SH256 hash:

2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

MD5 hash:

7185834758af3441e82bba85cd5b8ff0

SHA1 hash:

58520459530dcd3f840825b540d02b0a86590b86

Link:

https://www.unpac.me/results/5b4feaa1-6c31-4df0-85f9-f023c0dd162e/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2d8ea1230d6d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name:	recordbreaker_win_generic Create hunting rule
Author:	_kphi

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_recordbreaker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/319309/

URLhaus

https://urlhaus.abuse.ch/url/2355246/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample