MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 317574e01a15f40b8d4cbb281d1af7f453cffa74c2345f6e4e4de7e2e36d7a22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 6 File information Comments

SHA256 hash:	317574e01a15f40b8d4cbb281d1af7f453cffa74c2345f6e4e4de7e2e36d7a22
SHA3-384 hash:	bf7afcf2c82f0cd977aa4c9d2aea33f4d2e369400e947bca2308dd0dead5a711d0cf2a3bbb48953de99dbf1f851aba35
SHA1 hash:	be88ed206d3942b71785961c2df5cc3d2a1b7f5a
MD5 hash:	2f7f8c8950993061f7440e35bc086d24
humanhash:	cardinal-green-stream-spaghetti
File name:	317574e01a15f40b8d4cbb281d1af7f453cffa74c2345f6e4e4de7e2e36d7a22
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	155'648 bytes
First seen:	2022-09-12 09:09:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:a8FJHPo7c1XCErHYJPjE9whHI3tQp9pYINZ/eHeM1q3FdfPJZpfXxxeN11LdH7Bj:Djp3zYVFhHI3ty3YucInPxXWBSOt
Threatray	390 similar samples on MalwareBazaar
TLSH	T1EFE353A8174EEF70CBDC16B4CE32710326B45D4A26165E33DD7E3E1BF999A8625C0E84
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b072d0dcbebaa2a2 (8 x RecordBreaker, 7 x RedLineStealer, 3 x ArkeiStealer)
Reporter	Anonymous
Tags:	exe recordbreaker

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://5.45.67.19/	https://threatfox.abuse.ch/ioc/849434/

Intelligence

File Origin

# of uploads :

# of downloads :

437

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

317574e01a15f40b8d4cbb281d1af7f453cffa74c2345f6e4e4de7e2e36d7a22

Verdict:

Malicious activity

Analysis date:

2022-09-12 09:15:44 UTC

Tags:

trojan raccoon recordbreaker loader stealer

Link:

https://app.any.run/tasks/93a9cf11-1ebb-4a50-8875-4681942bce83

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/309461/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file

Connecting to a non-recommended domain

Sending an HTTP POST request

Sending an HTTP GET request

Reading critical registry keys

Stealing user critical data

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/631ef7e7f7a861bd9220ad5e/reports/3c641f5d-6cb2-4126-b8f0-cd86cc29945b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cfa70a78-91a7-493d-bc76-49f3d7a69638

Result

Threat name:

AsyncRAT, Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1068740

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AsyncRAT

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/317574e01a15f40b8d4cbb281d1af7f453cffa74c2345f6e4e4de7e2e36d7a22/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gf2xjya2cx2axdkmxmub2gxx6rj476tuyi2f63sojxt6fy3npira._file

Verdict:

malicious

Label(s):

raccoon

masslogger

RecordBreaker

61e9483a13f0e4d906031e1db890424d3f7916710c80ba1d7da968f986fa9764

RecordBreaker

6da056b3e14e136e17890c04f270ed1decbca6d67eb0f0fed914569e4fba8a92

RecordBreaker

7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97

RecordBreaker

7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4

RecordBreaker

8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771

RecordBreaker

829f67338d9165358ffdab748662e90f6f6962711dee0e670faacd61517d20ff

RecordBreaker

8f22fed63b011354380ce229b053b3b9167d66d37506acd6288886cf526edefe

RecordBreaker

b22de3458444455c80b7d79c6d4e2b5925867930ce51ed641cc909b45297c8bb

RecordBreaker

+ 380 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:9e336aa6e0b76ace8b9097289cf499e6 discovery spyware stealer

Link:

https://tria.ge/reports/220912-k42azagfgn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://5.45.67.19/

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/21431f90-94e9-425d-943e-37c992dc0f27

Unpacked files

SH256 hash:

317574e01a15f40b8d4cbb281d1af7f453cffa74c2345f6e4e4de7e2e36d7a22

MD5 hash:

2f7f8c8950993061f7440e35bc086d24

SHA1 hash:

be88ed206d3942b71785961c2df5cc3d2a1b7f5a

Link:

https://www.unpac.me/results/a359e2bc-255a-45cc-8a54-1116414fbfc3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/317574e01a15/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/317574e01a15f40b8d4cbb281d1af7f453cffa74c2345f6e4e4de7e2e36d7a22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name:	recordbreaker_win_generic Create hunting rule
Author:	_kphi

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_recordbreaker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/309461/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample