MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56ffdec72c8253b40e9d3b98d7469579073a064408278519336d6f48a37480bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56ffdec72c8253b40e9d3b98d7469579073a064408278519336d6f48a37480bd
SHA3-384 hash: d2cc733a88cb658f21ffad6569c033fb347ded0d43aa339fedcb3bf15dfbab7de44b24906b7988d9686e17c151ba16f4
SHA1 hash: e89c438ba9f7958b228c3004142ee8d442f538b7
MD5 hash: a8b1dc7e35717035f24c09effed7d0c0
humanhash: wolfram-fourteen-social-moon
File name:a8b1dc7e35717035f24c09effed7d0c0.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'532'416 bytes
First seen:2022-09-13 16:30:53 UTC
Last seen:2022-09-13 16:53:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:lM3OjRcxTEk9SLJzQJHx6vMdSQYFLKJNohAtxAE6uBGYLD:23OjqKWfFsvMdSrFLKJNoaLAkBGY
Threatray 388 similar samples on MalwareBazaar
TLSH T16365AE153A1D6BEAEAB283F57491266053FF790930EAD3281DE355F03165F5A83C0E2B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://213.252.244.27/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://213.252.244.27/ https://threatfox.abuse.ch/ioc/849528/

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309762/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.30826.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Creating a file
Sending an HTTP POST request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/6320b0c6ba7b8113dd5b0bb0/reports/d85c72cf-3ae1-40ea-a801-77cc533aa581/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08b9a968-2722-49ba-a546-cbdffe50bdaf
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069673
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56ffdec72c8253b40e9d3b98d7469579073a064408278519336d6f48a37480bd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-13 16:31:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3755rzmqjj3idu5homnoruvpedtubsebatykgjtnvxuri3uqc6q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
209a53f3bf3914f9324083785621e84d231e41a40eb5b224cd0d90f1788417d9
RecordBreaker
57154e873b6bebab85bdf3e656fe7fa117c5cf3c14926c22c4cac143622f779d
RecordBreaker
647c4d0f6b9b7817dac9d3ee9c2efd9c9409d6cd4a43fa66bd9d43601537d56b
RecordBreaker
68ac2d5bd9270f9ed2396cddf25c6b2734b42b938ff0ae19964d43616553e7da
RecordBreaker
7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4
RecordBreaker
8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771
RecordBreaker
8acf3d9eea531ae8c1ab8eabe3f22206f3771c6c25ed577a6c0010b0a43cfcc0
RecordBreaker
c145721cdaf2ddac4fb96f3f37f56987751731734723436314137c8186f2b34f
RecordBreaker
e3f6666bcc343098a21a2c52ee8a63d03c042b9dfd4cb1dfbf984c6d0e985da0
RecordBreaker
f8fbc50db8de41fbcf7dcf31883c086b50d0cc74fbbd94979893fc26c9898f76
RecordBreaker
+ 378 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:07d468da7e028431301ff9d78ba706e1 discovery spyware stealer
Link:
https://tria.ge/reports/220913-t1c9eabhal/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://213.252.244.27
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/284a7c1c-993d-4419-bcdc-24d2e0cf01ad
Unpacked files
SH256 hash:
3d5144ec246cddafd61440ad44b076bcfbffb4e205f200bcfcd7c9ccfa3bd9a2
MD5 hash:
61edd4ed4b0c4c9dbbc1c24ffe67ec41
SHA1 hash:
9890a1022b946b6d737ebaecb154d95035b41a01
Link:
https://www.unpac.me/results/1628ce21-7b0c-4a4f-9ca4-5b5282c09d9e/
SH256 hash:
56ffdec72c8253b40e9d3b98d7469579073a064408278519336d6f48a37480bd
MD5 hash:
a8b1dc7e35717035f24c09effed7d0c0
SHA1 hash:
e89c438ba9f7958b228c3004142ee8d442f538b7
Link:
https://www.unpac.me/results/1628ce21-7b0c-4a4f-9ca4-5b5282c09d9e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56ffdec72c82/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56ffdec72c8253b40e9d3b98d7469579073a064408278519336d6f48a37480bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:recordbreaker_win_generic
Create hunting rule
Author:_kphi
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 56ffdec72c8253b40e9d3b98d7469579073a064408278519336d6f48a37480bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2299833/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/309762/

Comments