MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 432c2a73d8964d29b539c57e5c7f2d5eda6d4eef667c02e95b4c26a1c37d58e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	432c2a73d8964d29b539c57e5c7f2d5eda6d4eef667c02e95b4c26a1c37d58e9
SHA3-384 hash:	e83d7ca15e3a29e5929192e0f79f1cadfaf22f1bfb8b1a84b81745c802c8d41e797bca21d9782180bccc8ec143014c10
SHA1 hash:	6bdf37f9bcab9340a1658a27a11ea96b9f290a0d
MD5 hash:	9494e546b003b80987a521858553242c
humanhash:	burger-island-uniform-november
File name:	9494e546b003b80987a521858553242c.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	263'680 bytes
First seen:	2023-08-02 09:08:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a01249a11ad56cc27bb7173ed6438e32 (1 x RedLineStealer, 1 x Smoke Loader, 1 x RecordBreaker)
ssdeep	3072:NnRF0+Pf2fNuZIeYY8ltlyOqMf3Z+e8AnJgwjtIMmC4lHD7j1s:NRF3X2VuZVYTltJ/+e8AnJZtIMrOx
Threatray	1'355 similar samples on MalwareBazaar
TLSH	T1AD44AE2276D0C072E0A756315871C6922F7BBC62AB7196CB33983F3A5E712C01E7A757
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70d0dec8d0d8d2dd (1 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

9494e546b003b80987a521858553242c.exe

Verdict:

Malicious activity

Analysis date:

2023-08-02 09:20:13 UTC

Tags:

stealer raccoon recordbreaker raccoon_stealer loader

Link:

https://app.any.run/tasks/efdb8262-aac1-447a-acaf-2a45f107897f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/439818/

Detection(s):

Win.Dropper.Tofsee-10007166-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Creating a file

Sending a custom TCP request

Reading critical registry keys

Query of malicious DNS domain

Stealing user critical data

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

glupteba greyware packed

Link:

https://www.filescan.io/uploads/64ca1d398b880a9fc6430425/reports/0e41921d-48d8-4a67-b20f-a59a2e46aafb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/432c2a73d8964d29b539c57e5c7f2d5eda6d4eef667c02e95b4c26a1c37d58e9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/302f7523-d4c9-4c9c-a14a-bbafa1a42f14

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1284286

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/432c2a73d8964d29b539c57e5c7f2d5eda6d4eef667c02e95b4c26a1c37d58e9/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-07-31 18:57:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=imwcu46yszgstnjzyv7fy7znl3ng2txpmz6af2k3jqtkdq35lduq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

2513cf6aa56a6fb9c84061ac04c8df3e225258638f9f0d40ce898a9096f93e9b

RecordBreaker

4b4e2cb90f19ec78d76ee50e62baf1d609efa74716f92cc1f42921716372553a

RecordBreaker

66aba326f753f1d952e03cdae48806b64965572b400a9ad38da882d55515a2d5

RecordBreaker

c25b20c4ab2e5957feab51543819bb8778ffcd493128fa59c14587c17571f20a

RecordBreaker

c4395ae438ce235952f56642e133750c1fbcfc01275e77402425f549cdd2805d

RecordBreaker

ca2b5c5792b601cf1f3f9951078a220cca8a11953b2d8dc506b7114ecf641d8b

RecordBreaker

f47935627a5be41526be384d115b1f291d854063d0b31bee2c9c11dc65695438

RecordBreaker

+ 1'345 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:c610d498a9c34173052f3f4fcea051af spyware stealer

Link:

https://tria.ge/reports/230802-k4glkafa4y/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Raccoon Stealer payload

Malware Config

C2 Extraction:

http://galandskiyher1.com:80/

Unpacked files

SH256 hash:

7124f69beb84a0876ca18c361f19026db1b18650a52ca8d2fa4c21e770d40d33

MD5 hash:

d327bf2f4e4a2cd2ec1d05297071e71d

SHA1 hash:

0f88563521a39689fe869097d298b60cc55edcf0

Detections:

raccoonstealer

Link:

https://www.unpac.me/results/cc5864d3-a388-4c19-87f2-69a2fd3b7f69/

Parent samples :

c4395ae438ce235952f56642e133750c1fbcfc01275e77402425f549cdd2805d
432c2a73d8964d29b539c57e5c7f2d5eda6d4eef667c02e95b4c26a1c37d58e9

SH256 hash:

432c2a73d8964d29b539c57e5c7f2d5eda6d4eef667c02e95b4c26a1c37d58e9

MD5 hash:

9494e546b003b80987a521858553242c

SHA1 hash:

6bdf37f9bcab9340a1658a27a11ea96b9f290a0d

Link:

https://www.unpac.me/results/cc5864d3-a388-4c19-87f2-69a2fd3b7f69/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/432c2a73d896/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/432c2a73d8964d29b539c57e5c7f2d5eda6d4eef667c02e95b4c26a1c37d58e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_RaccoonV2 Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon Stealer 2.0, also referred to as RecordBreaker

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/