MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4aef47d61ecc806146b5b389605cbe45c3a605317178657b1d2112f2c7a5ae2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4aef47d61ecc806146b5b389605cbe45c3a605317178657b1d2112f2c7a5ae2c
SHA3-384 hash: 5c9840a04bceb9761e2d14cad13d0d98aa85ad33389f635447cb90cd6280a2f2b5e0de319567956e8bc63b1ba290f505
SHA1 hash: bae7f3089a327c94548994979ee9026a86033067
MD5 hash: d80c7ce149e80f999686e75a0b86bd7b
humanhash: april-autumn-fish-eighteen
File name:d80c7ce149e80f999686e75a0b86bd7b
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'506'304 bytes
First seen:2022-07-31 14:50:15 UTC
Last seen:2022-07-31 17:33:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c90eb94245b983a65e2bc9930622774 (3 x RecordBreaker)
ssdeep 24576:rk8gmqh7swb4tnsvkZYVFVVWYgbUf8vaz+WOucFveq:rWB7rFDp1cFm
TLSH T141656C32B2C28437D1732B7C9D6BB69999357E102E3C844B7BE41E8C1F396913D29297
TrID 69.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.4% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe recordbreaker

Intelligence

File Origin
# of uploads :
3
# of downloads :
380
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295377/
Detection(s):
SecuriteInfo.com.VHO.Trojan-Spy.Win32.Stealer.gen.21174.3669.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27909/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62e696e3d40ca3666156169d/reports/457e6d22-75dd-43e5-9cbb-7cbb3649425c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3998e7e-6c8d-4963-8e8d-8282e9f8121c
Result
Threat name:
CryptOne, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043803
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected CryptOne packer
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4aef47d61ecc806146b5b389605cbe45c3a605317178657b1d2112f2c7a5ae2c/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-07-31 14:45:06 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
20 of 26 (76.92%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlxupvq6zsagcrvvwoewaxf6ixb2mbjrof4gk6y5eejpfr5fvywa._file
Verdict:
malicious
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:afb5c633c4650f69312baef49db9dfa4 discovery spyware stealer
Link:
https://tria.ge/reports/220731-r75wwsheal/
Behaviour
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction:
http://77.73.132.84
Unpacked files
SH256 hash:
1f23f1af9db2031755cd3c1a0bb8ced265a92434ea3bbc9f7a51e9884ee75a53
MD5 hash:
86d1d4cac77a9cb7a224a4a4dab5f366
SHA1 hash:
3014daed6c0aea82db8c8ac7c233b8d842335eaa
Link:
https://www.unpac.me/results/d18d86da-4ef7-4324-9504-0c0c021beb66/
SH256 hash:
4aef47d61ecc806146b5b389605cbe45c3a605317178657b1d2112f2c7a5ae2c
MD5 hash:
d80c7ce149e80f999686e75a0b86bd7b
SHA1 hash:
bae7f3089a327c94548994979ee9026a86033067
Link:
https://www.unpac.me/results/d18d86da-4ef7-4324-9504-0c0c021beb66/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4aef47d61ecc806146b5b389605cbe45c3a605317178657b1d2112f2c7a5ae2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 4aef47d61ecc806146b5b389605cbe45c3a605317178657b1d2112f2c7a5ae2c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2263228/
Cape
Cape
https://www.capesandbox.com/analysis/295377/

Comments


Avatar
zbet commented on 2022-07-31 14:50:17 UTC

url : hxxp://62.204.41.178/newfile.exe