MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb
SHA3-384 hash: 3ceb8c81d314e6e63b15008f98521d08e501d9eac0b4948ea47850ae2fccda2aa53d7c4801e1c24df8affd347548f788
SHA1 hash: a87d3b4eae78311a673f0e6cc60b80a60228b88e
MD5 hash: 2cb8116e30e7f3f3615d1f763f690abc
humanhash: pennsylvania-friend-fish-pluto
File name:2cb8116e30e7f3f3615d1f763f690abc
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:2'426'439 bytes
First seen:2022-11-02 11:31:33 UTC
Last seen:2022-11-02 14:13:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash db35ea5c80fc8389ab141cd45083bdd3 (17 x RedLineStealer, 1 x RecordBreaker, 1 x DCRat)
ssdeep 24576:KwpJSYrYccLcHe/M4P8QugVQONZNGRbZ01TGimwL/sasXDv09l3RuQ55313a:KwpONiRbZ01TGimwz9l3k
Threatray 2'987 similar samples on MalwareBazaar
TLSH T15AB50A03AA8B1E75DDD277B451CB633AA738ED30CA2A9B7FF608C43559532C46C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
2cb8116e30e7f3f3615d1f763f690abc
Verdict:
Malicious activity
Analysis date:
2022-11-02 11:35:02 UTC
Tags:
trojan raccoon recordbreaker loader stealer evasion
Link:
https://app.any.run/tasks/e0440a7f-1207-4ca9-9f3d-0efae133828b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/327123/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46118.22188.635.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47402/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm overlay packed spyeye
Link:
https://www.filescan.io/uploads/63625536a5db8d309cbc5a63/reports/2ba37191-02a1-4859-8584-19aab15eb2b8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce8345f9-3b82-4117-b25d-5cefdec297be
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1103209
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb/
Threat name:
Win32.Spyware.Aurorastealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 03:16:48 UTC
File Type:
PE (Exe)
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gcrgd6yad5tn6cor5ocpg6fy2q7gdijxodpeozqb5kouiv5xvdfq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
RecordBreaker
15cea3c23e9d0f1ec3a748746bd425d642ae25b042b1b36c8364f721235f0f0d
RecordBreaker
1c56c07df6ccba54d407a496430c23203d50ceb540465b9e1d6749f1908a8454
RecordBreaker
583ea691fc0e5af4c9097e620d1615ae1cc47ca328fac174588e66abc375ed79
RecordBreaker
da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded
RecordBreaker
+ 2'977 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:e734a12bc6119609a0b6a8bee6270055 stealer
Link:
https://tria.ge/reports/221102-nnad4abeb4/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Raccoon
Malware Config
C2 Extraction:
http://89.185.85.53/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c55880d4-8bb7-445d-bb0b-d788feaa6b46
Unpacked files
SH256 hash:
787936566531cbdef8f9ad133e1745de5d59e0b187919a9fb1e64fff4f4742c8
MD5 hash:
109eca7829104a7f4ad7305424f38833
SHA1 hash:
8de5e6d40c82d4d835c9d5709739ff98c02bd08d
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb65fd58-3cd2-4fdc-a730-d56a292ed626/
SH256 hash:
30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb
MD5 hash:
2cb8116e30e7f3f3615d1f763f690abc
SHA1 hash:
a87d3b4eae78311a673f0e6cc60b80a60228b88e
Link:
https://www.unpac.me/results/bb65fd58-3cd2-4fdc-a730-d56a292ed626/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:recordbreaker_win_generic
Create hunting rule
Author:_kphi
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/327123/

Comments


Avatar
zbet commented on 2022-11-02 11:31:41 UTC

url : hxxp://jhtmuw1v.beget.tech/build/A.exe