MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34152438d403ffd235136105882c53d8df17c8db8e67dbd90d30f4413abc7163. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34152438d403ffd235136105882c53d8df17c8db8e67dbd90d30f4413abc7163
SHA3-384 hash: e342a05cf1f5ffb00040c9c2ffacbf548bc91c02b79b0057d8b9087e3be3a42da27dcf5cb2dfcb8117404d59e705c99b
SHA1 hash: f35d4fb83f8101570e63def9fe83c236e54f5b87
MD5 hash: ac11a8d7df5779aee38f4ddb95b193c6
humanhash: sink-july-december-burger
File name:ac11a8d7df5779aee38f4ddb95b193c6.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'506'304 bytes
First seen:2022-08-01 13:19:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c90eb94245b983a65e2bc9930622774 (3 x RecordBreaker)
ssdeep 24576:rk8gmqh7swb4tnsvkZYVFVVWYgbUf8vaz+WOucFveC:rWB7rFDp1cFm
Threatray 66 similar samples on MalwareBazaar
TLSH T175656C32B2C28437D1732B7C9D6BB69999357E102E3C844B7BE41E8C1F396913D29297
TrID 69.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.4% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
1
# of downloads :
380
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295605/
Detection(s):
SecuriteInfo.com.VHO.Trojan-Spy.Win32.Stealer.gen.18435.7170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27984/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/62e7d3826336465f2a014854/reports/6b064900-4178-4c18-95ba-323621c51a1a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a4229bd-3517-4116-8de0-56efecd03742
Result
Threat name:
CryptOne, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044192
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected CryptOne packer
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34152438d403ffd235136105882c53d8df17c8db8e67dbd90d30f4413abc7163/
Threat name:
Win32.Ransomware.CerberCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 07:43:52 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqksioguap75enitmecyqlct3dprpsg3rzt5xwingd2ecov4ofrq._file
Verdict:
malicious
Similar samples:
15021b22e43f3522e7da1ba69256c9d9cda849794d44aa1e58cabc3282818362
RecordBreaker
287dc092e02a5c76b02c4142357f6a4a5c9a420430b616a1d14dfe0266875ecd
RecordBreaker
3427583e84dda3d92aab9f9b9050d7cfe9bcb43094acc08f02f0166f310702cc
RecordBreaker
379f0a0338acd2c1cb5561c09a703659c12a64d7d6f344e554fef4e5208b495f
RecordBreaker
3e75d91d07dce3cbf0f867ea91d5ac804eb371afa2b327b862f3c5324b694e46
RecordBreaker
45aebea9d7e8dfe9d950cc6cf90b5c6e023bd90ef810d8dfde5c9462c642617a
RecordBreaker
4aef47d61ecc806146b5b389605cbe45c3a605317178657b1d2112f2c7a5ae2c
RecordBreaker
9bc8a9f52041123c3c471dd111a2ce0ee39eaf5e59d7949826d08601a3511f10
RecordBreaker
aba02213b0f3c686aa3b4a32104cc1b95748ff3ec926d3030cfb5b88a9b930db
RecordBreaker
e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928
RecordBreaker
+ 56 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:afb5c633c4650f69312baef49db9dfa4 discovery spyware stealer
Link:
https://tria.ge/reports/220801-qk4vmshgel/
Behaviour
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction:
http://77.73.132.84
Unpacked files
SH256 hash:
1f23f1af9db2031755cd3c1a0bb8ced265a92434ea3bbc9f7a51e9884ee75a53
MD5 hash:
86d1d4cac77a9cb7a224a4a4dab5f366
SHA1 hash:
3014daed6c0aea82db8c8ac7c233b8d842335eaa
Link:
https://www.unpac.me/results/a728ffe5-68aa-4000-99b6-da7e5545672d/
SH256 hash:
34152438d403ffd235136105882c53d8df17c8db8e67dbd90d30f4413abc7163
MD5 hash:
ac11a8d7df5779aee38f4ddb95b193c6
SHA1 hash:
f35d4fb83f8101570e63def9fe83c236e54f5b87
Link:
https://www.unpac.me/results/a728ffe5-68aa-4000-99b6-da7e5545672d/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34152438d403/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34152438d403ffd235136105882c53d8df17c8db8e67dbd90d30f4413abc7163

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 34152438d403ffd235136105882c53d8df17c8db8e67dbd90d30f4413abc7163

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2263228/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/295605/

Comments