MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d
SHA3-384 hash: 914e4f8bb6018c9707c5674cfdb2af78ef913a4b8a4bcc2090d9c311a070b85610ac260037e3262b2ee6fa08e3272a7f
SHA1 hash: c81c725574d10ae463eded47c6592b5e3130f537
MD5 hash: 9f27c6f115a1d6e235f924c9ddff389a
humanhash: potato-blossom-salami-zulu
File name:9f27c6f115a1d6e235f924c9ddff389a
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:232'960 bytes
First seen:2023-10-02 18:39:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8fec1822a77f67d0edd5b706c96f40bc (6 x Smoke Loader, 3 x Stealc, 3 x Glupteba)
ssdeep 3072:WVSdFy0/mDsbutPFlE59epTj5SnDqXo9ubqTTZ5ctffy6JpvboB:UtBDntdoaKWWKi6Jpv
Threatray 44 similar samples on MalwareBazaar
TLSH T1EF34D02132E1C072D6AB46785974CBA07E7EFC3217A4869F3714867E6F202D1AB76317
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0206040119181000 (1 x RecordBreaker)
Reporter zbetcheckin
Tags:32 exe recordbreaker

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452758/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/651b0e507e001f82cf77330e/reports/625cbcd7-0adb-46f5-a029-c4d9b6ff5184/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe479782-900f-40f7-8c68-94acc580ab61
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318223
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 18:08:26 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
22 of 23 (95.65%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfno7ma7qgpo55jtewgajl2uq4lecgn53ev42422e3pj6wjvqmwq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1406293eef687c73d84fff0be7d1a47bc973b79fb4b208dc4a31f311684e2bf8
RecordBreaker
39c1944344d6709fd7caa9539c0f02577c260ef9cd67ae3ec6551c81d97eb2a0
RecordBreaker
84d1b1f0588cac4fb502da345ed7ee3bae4000b7f6b096a7bc797789c1fe8120
RecordBreaker
981923aeeddd4c6f2b68c6b1c0e80f6b4ca6495e200562f371215e37cb7885ac
RecordBreaker
abcbbdb2a2eb219a82c3f446f74ac6ef93a3deb11e4c277dee8c106792d7b783
RecordBreaker
e5e5abe00e82ad616e13abd1768769dc8d31b4e1a5b79955219cea34c395e9df
RecordBreaker
fe83636233da5eeb406ddcd43a4beb5ed9629797073fba5415c2b4450aad0647
RecordBreaker
+ 34 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9c05379df6f1d02ae49f9ee18aad8c17 stealer
Link:
https://tria.ge/reports/231002-xama6sfe42/
Behaviour
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction:
http://5.78.80.43:8388/
Unpacked files
SH256 hash:
f78f031d50c388e06bafe028fa1ac9416507f3d7e804b3a67cd02300db2df532
MD5 hash:
4ccc583c6a5cc1dde3917d7c3e2c63b3
SHA1 hash:
7e7eb58434261122af33fcdb084de96bf27fe205
Link:
https://www.unpac.me/results/e35cc6fb-15b5-4559-bdde-b2d0aa33a64e/
SH256 hash:
595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d
MD5 hash:
9f27c6f115a1d6e235f924c9ddff389a
SHA1 hash:
c81c725574d10ae463eded47c6592b5e3130f537
Link:
https://www.unpac.me/results/e35cc6fb-15b5-4559-bdde-b2d0aa33a64e/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/595aefb01f81/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2715904/
Cape
Cape
https://www.capesandbox.com/analysis/452758/

Comments


Avatar
zbet commented on 2023-10-02 18:39:02 UTC

url : hxxp://128.140.101.188/hipe.exe