MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23
SHA3-384 hash:	9bdd9690ce042d959a5270b4978f93996da493b97f1fbd95053671bf178fb5c42f8062873f8fcc0d173540fdfcb0ec5a
SHA1 hash:	57f9dd829648ac3c123d3922231b343a27e03166
MD5 hash:	13fd3c9cd13274dc2c442e340ba6d42b
humanhash:	bluebird-double-west-kentucky
File name:	file
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	144'384 bytes
First seen:	2022-11-15 14:27:32 UTC
Last seen:	2022-11-15 16:52:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	105b3d3dce8c379a1983687521d7187c (6 x RedLineStealer, 1 x RecordBreaker)
ssdeep	3072:DpubsXR144r2Qey6tIxFFYNcTxnZ/2y9Ua:DW4b4QpKtIxFFpFncVa
Threatray	1'041 similar samples on MalwareBazaar
TLSH	T1EDE38C2374E0C1E1C462D6FABCE4A215B66EE092DBDC8C1337DD891D2AF798015B616F
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	jstrosch
Tags:	exe recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

26f3ab3022c32610a89a7299d0074351.exe

Verdict:

Malicious activity

Analysis date:

2022-11-15 13:50:48 UTC

Tags:

installer evasion loader trojan rat redline raccoon recordbreaker amadey stealer vidar miner tofsee

Link:

https://app.any.run/tasks/df86bfd7-92e0-4c61-b05e-32c93779635d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/334344/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.23950.20528.12897.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Sending an HTTP POST request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6373a1f407c3f5e84a014626/reports/b6ff4205-bc88-4c15-83fe-87b1b62d148f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/98bd4141-5951-41d0-9cfb-b11df7c13225

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1114130

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes to foreign memory regions

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-15 14:28:08 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ifugvv4gdy3se7xr4rt4a5oiis7o4pt4l667t65nhg4rol2kbqrq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

336b80e664594044e7419504f02fc4fdcb5beb4751c858a3c051c155163186f0

RecordBreaker

70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a

RecordBreaker

cc88f88bd55a2e3c3809a59c3dd3fa16f197ff1abc3adc25704ae0b09aee955f

RecordBreaker

e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0

RecordBreaker

fb11f896656add0e7c905184da708ce61451ceaa2b01b06d261eaf04e3edc2c8

RecordBreaker

ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a

RecordBreaker

+ 1'031 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:53508e7dc4e08bd33122d190a04a1200 spyware stealer

Link:

https://tria.ge/reports/221115-rsz24aec68/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://45.15.156.105/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0b2fa8b6-c203-497f-8e50-59e5139909c1

Unpacked files

SH256 hash:

46f100ad02fc2a001fb072edcf41384f500bccb36c3c81f494110006fd8a2b58

MD5 hash:

2414d2dd93198f67891b2eac8ae0ae5b

SHA1 hash:

e62085dace4ff13096e2cffadce3ef839a94a14f

Link:

https://www.unpac.me/results/10e04456-e762-46bc-8a1a-ad9d88908eb9/

SH256 hash:

41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23

MD5 hash:

13fd3c9cd13274dc2c442e340ba6d42b

SHA1 hash:

57f9dd829648ac3c123d3922231b343a27e03166

Link:

https://www.unpac.me/results/10e04456-e762-46bc-8a1a-ad9d88908eb9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

exe 41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/334344/

URLhaus

https://urlhaus.abuse.ch/url/2412900/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample