MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55062426c1293d24d180597db4abc81a94f3d465d63032bf6c74ad3a0e752043. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55062426c1293d24d180597db4abc81a94f3d465d63032bf6c74ad3a0e752043
SHA3-384 hash: e457d4e69bc5351c7b4785077d7a32edbe88075175ccc875704347f131256daf8c20e46dcfe92f0979f61f53534d744f
SHA1 hash: 4f8a6d8e738a936d6b4629c998fdaa2e46c3d82a
MD5 hash: d0b0cfbb450acf64e6476a0a1c0bbe88
humanhash: nuts-red-rugby-nebraska
File name:55062426C1293D24D180597DB4ABC81A94F3D465D6303.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'677'312 bytes
First seen:2022-10-25 23:05:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 24576:oyAFYb9lwJ04s7nINrpH0+ljBvpFg/kTQX0A6bJ81sNJGxG/EfnRGVyJn8SZW:v3PV9IppH1zvpm8Ple1wgoZVM
Threatray 11'870 similar samples on MalwareBazaar
TLSH T134759AC173819067E8975A705E93C38A9729FCD1BE74718B3364F34E0A3AED29E69701
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://82.115.223.5/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://82.115.223.5/ https://threatfox.abuse.ch/ioc/948866/
http://45.15.156.16/ https://threatfox.abuse.ch/ioc/948867/

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
55062426C1293D24D180597DB4ABC81A94F3D465D6303.exe
Verdict:
No threats detected
Analysis date:
2022-10-25 23:08:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9306ee53-c9c5-403b-9a52-6089bd903c7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324141/
Detection(s):
SecuriteInfo.com.decompression.bomb.29185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Launching a process
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45492/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bcb3815b-1ea0-456e-8018-4eed0ab58e87
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097941
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 730592 Sample: 55062426C1293D24D180597DB4A... Startdate: 26/10/2022 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 9 other signatures 2->61 9 55062426C1293D24D180597DB4ABC81A94F3D465D6303.exe 1 3 2->9         started        12 rundll32.exe 2->12         started        process3 file4 45 C:\Users\user\AppData\Local\...\SETUP_~1.EXE, PE32 9->45 dropped 14 SETUP_~1.EXE 5 9->14         started        process5 file6 47 C:\Users\...\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe, PE32 14->47 dropped 71 Multi AV Scanner detection for dropped file 14->71 73 Creates HTML files with .exe extension (expired dropper behavior) 14->73 75 Encrypted powershell cmdline option found 14->75 18 SETUP_~1.EXE 42 14->18         started        23 Ifiopyrxmbmpmdubjnjdmx0x4_2.exe 3 14->23         started        25 powershell.exe 17 14->25         started        27 powershell.exe 15 14->27         started        signatures7 process8 dnsIp9 49 45.15.156.16, 49705, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 18->49 51 82.115.223.5, 49706, 80 MIDNET-ASTK-TelecomRU Russian Federation 18->51 53 dl.uploadgram.me 176.9.247.226, 443, 49707 HETZNER-ASDE Germany 18->53 37 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 18->37 dropped 39 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 18->39 dropped 41 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 18->41 dropped 43 4 other files (2 malicious) 18->43 dropped 63 Tries to harvest and steal browser information (history, passwords, etc) 18->63 65 Tries to steal Crypto Currency Wallets 18->65 67 Machine Learning detection for dropped file 23->67 69 Encrypted powershell cmdline option found 23->69 29 powershell.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        file10 signatures11 process12 process13 35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55062426c1293d24d180597db4abc81a94f3d465d63032bf6c74ad3a0e752043/
Threat name:
Win64.Trojan.Witch
Create hunting rule
Status:
Malicious
First seen:
2022-09-15 01:37:07 UTC
File Type:
PE+ (Exe)
Extracted files:
37
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kudcijwbfe6sjumalf63jk6idkkphvdf2yydfp3moswtudtvebbq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
masslogger
Create hunting rule
Similar samples:
1894ee1e31d02ce95f3fb5bfaaeade0718232866702e70bd19a70a0a15a3343c
RecordBreaker
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
RecordBreaker
68feb6c25b2ce057bdc2c97119f10b980a864b7c3306e785bbbff1ab8ca4197f
RecordBreaker
6df1711427805cf33f297bd481fb8fdf3f04e92d25553b15060161bf972b334a
RecordBreaker
8521e3233e06f24fba25d22c491806de948d89b2d572a9003e4fd1cc19e32a3b
RecordBreaker
b206c2d164d66dcd9fad4cffdcb28d73eb64d2f663f1de6fb90cc10b47665c41
RecordBreaker
bcca18fef46e71ff82ff342dbd50f09b9ea768edc5e328fbf85241fcf615507d
RecordBreaker
c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32
RecordBreaker
+ 11'860 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:raccoon family:smokeloader botnet:eee94d533c0441c732ed7e18e494bdc6 backdoor discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/221025-23dlysebhj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
Raccoon
SmokeLoader
Malware Config
C2 Extraction:
http://45.15.156.16/
http://82.115.223.5/
http://82.115.223.6/
http://45.15.156.17/
http://82.115.223.7/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1fc40acd-4b0e-483a-ac6f-f4e0d28b4244
Unpacked files
SH256 hash:
55062426c1293d24d180597db4abc81a94f3d465d63032bf6c74ad3a0e752043
MD5 hash:
d0b0cfbb450acf64e6476a0a1c0bbe88
SHA1 hash:
4f8a6d8e738a936d6b4629c998fdaa2e46c3d82a
Link:
https://www.unpac.me/results/56c68a68-d65a-45f1-8175-d70f068f740f/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/55062426c129/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55062426c1293d24d180597db4abc81a94f3d465d63032bf6c74ad3a0e752043

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324141/

Comments