MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f
SHA3-384 hash:	93437d1ab3fd154e16ef174a48846a71df1e668e458fa68d88cc78d9cfca31f8b88bb5edeb670fd2439d0ba63679df4d
SHA1 hash:	2bad12fe8b318acc3809cf829c3dffbdf7a8b822
MD5 hash:	f5806e54fd7830f4a8e3c420c3eb1101
humanhash:	california-oregon-lake-asparagus
File name:	f5806e54fd7830f4a8e3c420c3eb1101.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	1'601'536 bytes
First seen:	2023-09-12 08:50:13 UTC
Last seen:	2023-09-12 09:34:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	12288:4gJ2SRJxnufXOs3vYGbZvwqVYr7+LZQe5mjvmWfDVIgNCuedRa5BRvRlYIo2ZnbW:pnuf+s3N9xE7+LmecjuW6uQapo28M1
Threatray	269 similar samples on MalwareBazaar
TLSH	T17F758D1037989656E09F12769276842482F4FDC7B7A3F7861F903ADA0C737D48E192EB
TrID	49.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.7% (.SCR) Windows screen saver (13097/50/3) 7.0% (.EXE) Win64 Executable (generic) (10523/12/4) 4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	22498e17233b1641 (1 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://94.142.138.114/

Intelligence

File Origin

# of uploads :

# of downloads :

377

Origin country :

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

f5806e54fd7830f4a8e3c420c3eb1101.exe

Verdict:

Malicious activity

Analysis date:

2023-09-12 08:52:24 UTC

Tags:

stealer raccoon recordbreaker loader

Link:

https://app.any.run/tasks/64385959-938c-4390-9e47-002988cdc743

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Raccoon

Link:

https://www.capesandbox.com/analysis/448109/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.28754.24743.12101.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Creating a window

Stealing user critical data

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

net net_reactor obfuscated packed packed stealer

Link:

https://www.filescan.io/uploads/650026771a86bbaa1f824660/reports/80721462-4a74-4991-8fa2-094590b1bdef/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/91ae820e-63ca-44e0-91af-fc2efc3aa1e1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f/

Threat name:

ByteCode-MSIL.Spyware.Raccoonstealer

Status:

Malicious

First seen:

2023-09-12 08:51:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lgc4mhgpdyuocqq4bumnwdduj44zbl7jq7svtioelr72vyhc3opq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

4bdfd777b579da177959f5854c16f8201e1501e0cf9394f4cfef13cd999fb9d9

RecordBreaker

69d090774ce99b248f9e76d50312cfcbc7cc8c333f390a0fdffc95f62d7a9631

RecordBreaker

78bad359d0652879dec380fee12b68cc4e14e4f63f8c4e23e7b75bb5338d5924

RecordBreaker

8d5f481be0bb03f0e59effda0fc86a0c9a7da2fb8964f2b4d00530f24231fc7c

RecordBreaker

9803731e075df4e1c00bc1e62794f1cf8f68158681020b50d37c008e03ba723d

RecordBreaker

d97e8c4b846f1743bae248137e96b7ed4c241ef71aaa2227347e71f509f0cd78

RecordBreaker

+ 259 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon stealer

Link:

https://tria.ge/reports/230912-kr6d6adg35/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Raccoon

Raccoon Stealer payload

Unpacked files

SH256 hash:

b8b16f78e9983786cdb6e2d3e88b8ce2d4df91cf81914e116a06d2dc44867bfe

MD5 hash:

93e4bfcc0194084b7c5cc50751d41e12

SHA1 hash:

c83090a793ab7deaaf9c6b5bdffbb97d7477a5d6

Link:

https://www.unpac.me/results/72050982-a527-44c5-98ef-e0f70270edce/

SH256 hash:

42373da057360920ceff56613cf6c6fe35ce77558186a7e7079d8496026c4da0

MD5 hash:

f8e5cd44617af157345670f9102a1b1f

SHA1 hash:

a0cc7426cf51ef05c77c79222f548188d16f6d77

Link:

https://www.unpac.me/results/72050982-a527-44c5-98ef-e0f70270edce/

SH256 hash:

bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808

MD5 hash:

7a7927bac28be846b2fd2a5d10ba0676

SHA1 hash:

67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d

Link:

https://www.unpac.me/results/72050982-a527-44c5-98ef-e0f70270edce/

Parent samples :

fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f

SH256 hash:

5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f

MD5 hash:

f5806e54fd7830f4a8e3c420c3eb1101

SHA1 hash:

2bad12fe8b318acc3809cf829c3dffbdf7a8b822

Link:

https://www.unpac.me/results/72050982-a527-44c5-98ef-e0f70270edce/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5985c61ccf1e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_RaccoonV2 Create hunting rule
Author:	ditekSHen
Description:	Detects Raccoon Stealer 2.0, also referred to as RecordBreaker

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	msil_suspicious_use_of_strreverse Create hunting rule
Author:	dr4k0nia
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_NET_Msil_Suspicious_Use_StrReverse Create hunting rule
Author:	dr4k0nia, modified by Florian Roth
Description:	Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:	https://github.com/dr4k0nia/yara-rules