MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4
SHA3-384 hash: 5f9beab27b1b835798c0b549ec6f0b779f744a821aedea392b9026f83f481b36377d6b97e89a1799c54059771563c197
SHA1 hash: e28a03d8c62eae2687d8d8f6b6ccb73377bc1a48
MD5 hash: f7f6eb480fe715733e509d0489171c18
humanhash: timing-alaska-saturn-kitten
File name:f7f6eb480fe715733e509d0489171c18.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'073'152 bytes
First seen:2024-07-06 02:20:11 UTC
Last seen:2024-07-06 03:15:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7cb37de62912478a2e91ceb50989c83e (2 x RecordBreaker)
ssdeep 24576:BW9a/w9mj+Nhf+x+eswsX08cjwPBXMX7pCeg8nr5G79Bgx+:BWYWNQUe3sX0OPuXV1vnAwx+
TLSH T1163533E75762F2F6E88745BDC121A685E87AB10FC54324A1BA71C8CED1B43D51C8B32B
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://95.169.205.186/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://95.169.205.186/ https://threatfox.abuse.ch/ioc/1295016/

Intelligence

File Origin
# of uploads :
2
# of downloads :
401
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4.exe
Verdict:
Malicious activity
Analysis date:
2024-07-06 02:22:26 UTC
Tags:
stealer raccoon recordbreaker loader exfiltration
Link:
https://app.any.run/tasks/42bad7fb-6dd6-421b-b4af-92ef7a3124a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.15925.15493.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6688ab193b2ddaaafa49687dwin10vpnfull_triage
Tags:
Infostealer Network Static Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
microsoft_visual_cc monero packed packed packed upx
Link:
https://www.filescan.io/uploads/6688aa0fef9fdf64aa72e3ba/reports/794bb2fb-b94f-424f-b7b7-1193ecc00ea9/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/740aefd9-54f7-42d3-b1eb-ca7cd497438a
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1468462
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4/
Threat name:
Win64.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2024-07-05 19:57:25 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcmfgt5gf5ni6fu4m2ia6gb6ky36prhzx2gemwivnd7urg6eglka._file
Verdict:
unknown
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:23b7de51bb42a569733f1e26dbce63ba stealer upx
Link:
https://tria.ge/reports/240706-cszzrsshmj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
UPX packed file
Raccoon
Raccoon Stealer V2 payload
Malware Config
C2 Extraction:
http://95.169.205.186:80/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3cd7e0e9-95d1-45aa-9691-e64470feb054
Unpacked files
SH256 hash:
5e2aa782129c57e486bc4662eecb7ccacf204f05b21c27387c6cec31d1ca205f
MD5 hash:
c494c98067c5c1612c31b613f126f15b
SHA1 hash:
fb320552cb92ca99bf9296b05b43cad04b68c24a
Link:
https://www.unpac.me/results/52f9fe97-0d4e-4513-925e-a9ede7dedcc0/
SH256 hash:
3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4
MD5 hash:
f7f6eb480fe715733e509d0489171c18
SHA1 hash:
e28a03d8c62eae2687d8d8f6b6ccb73377bc1a48
Link:
https://www.unpac.me/results/52f9fe97-0d4e-4513-925e-a9ede7dedcc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 3898534fa62f5a8f169c66900f183e5637e7c4f9be8c46591568ff489bc432d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2935013/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom

Comments