MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c
SHA3-384 hash:	4e1e911fd42d5a3c2ca263cb783865bbba1255a6946e983224c6274ff09af37ea1b53ea5dc0e1e1af81449beedbb8d3b
SHA1 hash:	5c315a31d3e3863141129157642e8945eb935113
MD5 hash:	9ae4eba0bab39e30e096e9bf5b6236b3
humanhash:	mockingbird-nuts-charlie-march
File name:	9ae4eba0bab39e30e096e9bf5b6236b3
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	117'712 bytes
First seen:	2022-10-12 04:28:11 UTC
Last seen:	2022-10-12 10:26:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:QJPCCpNH+lPrUcvglSpo5LlhhxHE9A6W+c4nwA:gPXqlIcYQS/aZWZuwA
Threatray	648 similar samples on MalwareBazaar
TLSH	T10AB3BF96A3805EEBD1CA81389D97C465BA7BC7140422F707478E8A2D6F3F3CB8586364
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter	zbetcheckin
Tags:	32 exe recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319165/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Launching a process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm obfuscated overlay packed racealer

Link:

https://www.filescan.io/uploads/6346428e85e82ed6ff0e99c2/reports/bc207405-168d-4df4-b0f6-a6c7618e557e/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21905b3b-6752-4757-bfd4-4d76615c13a1

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1088523

Signature

C2 URLs / IPs found in malware configuration

DLL side loading technique detected

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c/

Threat name:

Win32.Trojan.RealProtectPENGSD

Status:

Malicious

First seen:

2022-10-11 21:57:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g324tpnlgb5mn4kpz4f3cas3gkryrwqr3cp5mvhafj56qjkc4foa._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

18b95067afbf09d4cfc59fb069af4a7f75609371b0b67e18b023cca57e46237c

RecordBreaker

27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20

RecordBreaker

928377073c45f7fb59591af49620d5afc581ce27c4727f7aa77fd23af85b0145

RecordBreaker

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071

RecordBreaker

ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a

RecordBreaker

f93ba32f22e747dec19ebdf57fc8b1f775feca04f70a69d0660b905956b246f4

RecordBreaker

+ 638 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:bd3a3a503834ef8e836d8a99d1ecff54 spyware stealer

Link:

https://tria.ge/reports/221012-e38e1acdfj/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://77.73.133.7/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/46815a42-177b-46db-9f4f-89bfdf1239b5

Unpacked files

SH256 hash:

d51774a96236ec45d70952e531236d03d59f6f3f00326702253a059abe05b5ac

MD5 hash:

7d0b80d550b77ac8afe85ac40a5b20f9

SHA1 hash:

931fa81c543f443666612cc7aed553a1027e8c5c

Detections:

raccoonstealer

win_recordbreaker_auto

Link:

https://www.unpac.me/results/ac2b93f3-b766-41af-bee3-77012c3cab3d/

Parent samples :

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071
ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a
20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919
c2283fa67f9c570588fbe02ade91f2b4fd9109ddf06d029af8c7e7c47d3579d2
36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

SH256 hash:

36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c

MD5 hash:

9ae4eba0bab39e30e096e9bf5b6236b3

SHA1 hash:

5c315a31d3e3863141129157642e8945eb935113

Link:

https://www.unpac.me/results/ac2b93f3-b766-41af-bee3-77012c3cab3d/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36f5c9bdab30/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name:	recordbreaker_win_generic Create hunting rule
Author:	_kphi

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_recordbreaker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

exe 36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2355246/

Cape

https://www.capesandbox.com/analysis/319165/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample