MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47c43c3ea712d82820dcdc399010fdf39306346d31cb9a95892e44c6fa725ac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47c43c3ea712d82820dcdc399010fdf39306346d31cb9a95892e44c6fa725ac5
SHA3-384 hash: f88d3b82ed0bf411e8a6f7e98896896b9218426584543c5c58ed9f8ff96f97b50a81c81efdadf2a91e5ef2f9a6e95d82
SHA1 hash: ad057966d5a657fa91f5d15abac07a212b544531
MD5 hash: ca46e14a6e6b470a36e624e613c152c9
humanhash: shade-nebraska-echo-delta
File name:setup (.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:4'044'528 bytes
First seen:2022-08-11 15:20:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa32974ca6c4da742c6f56ca33f35ee1 (22 x RedLineStealer, 3 x Formbook, 2 x RecordBreaker)
ssdeep 98304:ItaYu9k7L5JJFbsvtXJGuKmMBwsb1KicDKgCDlj:OaYFL/bsvjzHs5fSKll
TLSH T17416232702251105D4DFDD3ACA33BEE171F70BFB5BC2B4785AE969C627264D1B202A93
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:exe recordbreaker

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.106.92.14/ https://threatfox.abuse.ch/ioc/842535/

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
setup (.exe
Verdict:
Malicious activity
Analysis date:
2022-08-11 15:19:54 UTC
Tags:
trojan raccoon recordbreaker loader
Link:
https://app.any.run/tasks/0ba93ce4-ce55-41ab-ab3a-b82095bcb739

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/298016/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.22915.7085.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28688/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/62f51e9ff6ec33747d986b41/reports/06b5b729-be31-48cd-8119-116f85551d49/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cd54459c-eccc-4a0c-a8c0-72aeaef97618
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1050043
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47c43c3ea712d82820dcdc399010fdf39306346d31cb9a95892e44c6fa725ac5/
Threat name:
Win32.Trojan.RaccoonSteal
Create hunting rule
Status:
Malicious
First seen:
2022-08-11 15:21:19 UTC
File Type:
PE (Exe)
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7cdypvhclmcqig43q4zaeh56ojqmndnghfzvfmjfzcmn6tsllcq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220811-srbhsabba5/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
25df27d2824c8f4c63e0e9262ee331d6c42e3df4d48c83de03ee8112050eb70c
MD5 hash:
d04898a46080fe6cfc00ff978e8c4209
SHA1 hash:
321e4785e4e76ebb46b487c74d82b1d5a31a60e3
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/d01b3608-65dc-40fa-9b87-e48f0fc78ff4/
SH256 hash:
9a7621c3097498ed86fbc8762e63bfe6f7f5e751b656b1e776cab3fac11bb1b1
MD5 hash:
bb21fb655dd62965282b414138cc990d
SHA1 hash:
2029f2ce99c039c85dca1220df0a555232fe720f
Link:
https://www.unpac.me/results/d01b3608-65dc-40fa-9b87-e48f0fc78ff4/
SH256 hash:
47c43c3ea712d82820dcdc399010fdf39306346d31cb9a95892e44c6fa725ac5
MD5 hash:
ca46e14a6e6b470a36e624e613c152c9
SHA1 hash:
ad057966d5a657fa91f5d15abac07a212b544531
Link:
https://www.unpac.me/results/d01b3608-65dc-40fa-9b87-e48f0fc78ff4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47c43c3ea712/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/47c43c3ea712d82820dcdc399010fdf39306346d31cb9a95892e44c6fa725ac5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 47c43c3ea712d82820dcdc399010fdf39306346d31cb9a95892e44c6fa725ac5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/298016/

Comments