MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef
SHA3-384 hash: e2500d11af326080de5fd50d55536b45fd4f9a8dabb29be1263032805672daacc1ebc818fd38df6acdde4ec0db7b53ad
SHA1 hash: 18fb70ec7bce20f410ef6dd61de874eb2a8ebd7f
MD5 hash: de602f147ed1c9f534be8bf01f0a34da
humanhash: wisconsin-eight-nitrogen-low
File name:de602f147ed1c9f534be8bf01f0a34da.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:190'464 bytes
First seen:2023-06-15 05:30:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3865ca37561d2aa29b9e83d3d87488fe (4 x RedLineStealer, 1 x TeamBot, 1 x Tofsee)
ssdeep 3072:splHSc+Ik/FxGQdAGJTLGlQAtx0z8cLBhu/dLdf6ZNJcczDeL:MHNJajK8L4sz8MuTfeNJ
Threatray 14 similar samples on MalwareBazaar
TLSH T10A14BE1272E0E871E47657314CB9CBA46A6FF8120F34A69B375C1B2F1E722E19E36345
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0162626a62626a48 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://149.255.35.140/

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
de602f147ed1c9f534be8bf01f0a34da.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 05:31:48 UTC
Tags:
raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/ec54c7ef-7f35-415d-8f7a-f8727835f3ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399008/
Detection(s):
Sanesecurity.Malware.29525.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90790/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/648aa21675931fcf7f14c230/reports/e0e66ac7-fbde-485c-a95d-7d3079df80ab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c224cd5b-1c63-49bf-874d-d053a86a1019
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255020
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 888040 Sample: 95b3PKNWql.exe Startdate: 15/06/2023 Architecture: WINDOWS Score: 100 70 Snort IDS alert for network traffic 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 6 other signatures 2->76 10 95b3PKNWql.exe 26 2->10         started        15 R.exe 2->15         started        process3 dnsIp4 64 149.255.35.140, 49699, 80 HVC-ASUS Netherlands 10->64 66 cdn.discordapp.com 162.159.135.233, 443, 49700 CLOUDFLARENETUS United States 10->66 56 C:\Users\user\AppData\Roaming\pzdI583b.exe, PE32+ 10->56 dropped 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 10->58 dropped 60 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 10->60 dropped 62 5 other files (3 malicious) 10->62 dropped 86 Detected unpacking (changes PE section rights) 10->86 88 Detected unpacking (overwrites its own PE header) 10->88 90 Tries to harvest and steal browser information (history, passwords, etc) 10->90 92 Tries to steal Crypto Currency Wallets 10->92 17 pzdI583b.exe 5 10->17         started        file5 signatures6 process7 file8 54 C:\ProgramData\SonyProduction\R.exe, PE32+ 17->54 dropped 78 Detected unpacking (changes PE section rights) 17->78 80 Machine Learning detection for dropped file 17->80 82 Adds a directory exclusion to Windows Defender 17->82 21 cmd.exe 1 17->21         started        24 powershell.exe 19 17->24         started        26 powershell.exe 19 17->26         started        signatures9 process10 signatures11 84 Uses schtasks.exe or at.exe to add and modify task schedules 21->84 28 R.exe 14 4 21->28         started        32 conhost.exe 21->32         started        34 timeout.exe 1 21->34         started        36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        process12 dnsIp13 68 179.43.140.168, 443, 49702, 49703 PLI-ASCH Panama 28->68 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->94 96 Machine Learning detection for dropped file 28->96 98 Adds a directory exclusion to Windows Defender 28->98 40 cmd.exe 1 28->40         started        42 powershell.exe 28->42         started        44 powershell.exe 28->44         started        signatures14 process15 process16 46 conhost.exe 40->46         started        48 schtasks.exe 40->48         started        50 conhost.exe 42->50         started        52 conhost.exe 44->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-15 05:31:05 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqqtlyesyz6hbmp3peibgtrkn67myacexwfxvz4njub6ptrsjhxq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1efe7e276b7b35248dc5ff09a38e1f85b7c425367385fa51adaeebcca4e54e4c
RecordBreaker
53ea06f8e6db1b09239111275f338bd703fd15bd38a3b8956f1df19c1f5b9f9f
RecordBreaker
68393678ccf5bdc8d7075290a5ee4da24c878a6b11f45cf2342c442ca9aa09ca
RecordBreaker
79564fca4784cf3f6056a6909a630f14c8b7836174fa2032ff60009761f36aee
RecordBreaker
b185566c7a557c05928d4342fbe95c63ea5eb10822818aab33826db3dda56f11
RecordBreaker
bd8164f6460bc87be9354020ef41e523243c6f7fce9be655413ee9c891d62c0c
RecordBreaker
c01bcd2fee216131267cbaf603d48dfaf7647bba122674042739a10676a8e44c
RecordBreaker
cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393
RecordBreaker
de250df1e7489a671f81a4c2e6d8d878fc8e0a31dfe36b6a716fda90d5b16bb0
RecordBreaker
e10f1e70fa84b2d135123e72e4c46770d9f663f0c2036e3e7a4e7a3bf8cd5f96
RecordBreaker
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230615-f7pzwseg34/
Unpacked files
SH256 hash:
e67f21004aa39c8dd8edeec62374cd46c241fb21243c92e297aae8a3771e219f
MD5 hash:
526f98deb3833fa357b3ac95a4e0091f
SHA1 hash:
3fcf02c75a0da388e59ef4a9e5c1aca375c36958
Detections:
raccoonstealer
Create hunting rule
Link:
https://www.unpac.me/results/559913e2-8e8e-4b6a-8776-176c8f1e9c21/
Parent samples :
542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef
db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f
SH256 hash:
542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef
MD5 hash:
de602f147ed1c9f534be8bf01f0a34da
SHA1 hash:
18fb70ec7bce20f410ef6dd61de874eb2a8ebd7f
Link:
https://www.unpac.me/results/559913e2-8e8e-4b6a-8776-176c8f1e9c21/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/542135e092c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/399008/

Comments