MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA3-384 hash: 6df0785a687669c294981b0ffa2d5ccf3e9fa881dc671c163c0567ea3148d9b1c1045d3cd68799b63d425fdbb8d7aa6c
SHA1 hash: 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
MD5 hash: e2ff8a34d2fcc417c41c822e4f3ea271
humanhash: mississippi-six-summer-undress
File name:e2ff8a34d2fcc417c41c822e4f3ea271.bin.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:4'045'752 bytes
First seen:2023-10-25 05:56:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:Vtdn87lWy7rOwZxf8xjptLZMLGPQqXRYAc/yvenXAo/koTl:h85Wy7rBlqpBZ/xXRC6WXAo/pl
Threatray 116 similar samples on MalwareBazaar
TLSH T1C316AE137F9289EDCBF99C7294D791144DAF6EC39A03FB0A4B54519DB0843C88B3DA68
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon bebeaaaaaa8c84a4 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://195.123.218.98/

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
13f25b03d873e35fe80088febee67cd8.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 03:12:07 UTC
Tags:
loader smoke stealer raccoon recordbreaker sinkhole
Link:
https://app.any.run/tasks/07e68e0a-7201-4687-97f0-b4354a505003

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456165/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.7401.21506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade packed
Link:
https://www.filescan.io/uploads/6538ae2fe0fdb6ce729b91d4/reports/8711ec04-1f5a-4d8e-a960-37066add872d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6b15a19-d6f7-4b9f-b829-37986412e0d8
Result
Threat name:
Raccoon Stealer v2, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331698
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer v2
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
Detection:
recordbreaker
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 04:49:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
62
AV detection:
11 of 23 (47.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4tfchkavu6xqh7rxvggip4udcz72dcnu23wtip7tlsna7mislia._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1406293eef687c73d84fff0be7d1a47bc973b79fb4b208dc4a31f311684e2bf8
RecordBreaker
595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d
RecordBreaker
abcbbdb2a2eb219a82c3f446f74ac6ef93a3deb11e4c277dee8c106792d7b783
RecordBreaker
ac0db3f8c382fc37ba05bc45a8f5751853b9a37e445f1e7dbef4a0ad65a3ab7b
RecordBreaker
b803f8964ba32cb741ae8f49c57609a81eb155f1af105c430d4ef22c506840b0
RecordBreaker
b981427514cc51902a80d8857ae1ada0bcdec9965d016bfa39f69c760c1d4f35
RecordBreaker
d4224f288dd203d784301459d37aed4a0e908f53b7b60b83c4d7f2b65cc007d1
RecordBreaker
d45926d890eed60099b30c3063bac40b89b219d4d7b7a7253ad312aba81704fc
RecordBreaker
f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf
RecordBreaker
+ 106 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:zgrat botnet:6a6a005b9aa778f606280c5fa24ae595 rat stealer
Link:
https://tria.ge/reports/231025-gnk29sfe2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Detect ZGRat V1
Raccoon
Raccoon Stealer payload
ZGRat
Malware Config
C2 Extraction:
http://195.123.218.98:80
http://31.192.23
Unpacked files
SH256 hash:
182f57d8c89fee4667fbb3420a9877b8198c4b9d0867660172c13dd9044f6f64
MD5 hash:
626b2239011878b0d6b779006bd66a91
SHA1 hash:
c79ecfe4c27d42c9d8f88a0be738790c56143d7d
Link:
https://www.unpac.me/results/f7f3b883-18b4-4d41-8daf-de42d58c7998/
SH256 hash:
6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33
MD5 hash:
f45c1512d5a47375e6e396b4d1111e58
SHA1 hash:
8af036b8c60d10e85cf82212930bb04bc0553f36
Link:
https://www.unpac.me/results/f7f3b883-18b4-4d41-8daf-de42d58c7998/
SH256 hash:
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
MD5 hash:
544cd51a596619b78e9b54b70088307d
SHA1 hash:
4769ddd2dbc1dc44b758964ed0bd231b85880b65
Link:
https://www.unpac.me/results/f7f3b883-18b4-4d41-8daf-de42d58c7998/
SH256 hash:
cedff0260252063239b888df7f5f70fa8e05248e8d31296e125268a04960f5de
MD5 hash:
71cf51a0a61d1fe7333377775f1eb8be
SHA1 hash:
388b276fff703566df977308dd4fc9ca449a1c1c
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/f7f3b883-18b4-4d41-8daf-de42d58c7998/
SH256 hash:
7d543be8a99598b4c1d66c32bba4a29306c73df91dde8a82b0e6ab7c09ce9731
MD5 hash:
c0b16f378409be8242c4d42d29d56eff
SHA1 hash:
5bcfb377098f976ea44726b6ddf8f358afa24c7f
Link:
https://www.unpac.me/results/f7f3b883-18b4-4d41-8daf-de42d58c7998/
SH256 hash:
4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
MD5 hash:
e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 hash:
926eaf9dd645e164e9f06ddcba567568b3b8bb1b
Link:
https://www.unpac.me/results/f7f3b883-18b4-4d41-8daf-de42d58c7998/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f26511d40ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456165/

Comments