MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3
SHA3-384 hash: aaffe703d1fc53c4f2697a580d7bb8c70b56d98999d3d6a8cc41537c792199dc116b136bdfb0ae76e313d8b55f6f424f
SHA1 hash: 53cefb2945a37889b5442cc45aea28dea8a5ac22
MD5 hash: 8d013b4129e9f90f841a494190847b31
humanhash: connecticut-montana-illinois-uncle
File name:8d013b4129e9f90f841a494190847b31.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:754'760 bytes
First seen:2022-10-29 16:50:31 UTC
Last seen:2022-11-15 20:58:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 12288:OS7vhV8dsyhucBzpzsr84zykKlj1tQowfxAiMNCXMfoufjuKLtnY3jIqP:VVEspUzxs4+Wlj1TZnJfo2TwEqP
TLSH T176F41253F1C982B5F8781B3018FA05C35736BCB58EB0766F3198A16D49F3192A23972B
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f8f89c9693d2ece4 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://31.41.244.153/

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
8d013b4129e9f90f841a494190847b31.exe
Verdict:
Malicious activity
Analysis date:
2022-10-29 16:53:49 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/4a6fc9c5-e680-4428-8235-1d9375879305

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325914/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62696407.20145.260.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Searching for the window
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46652/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll anti-vm overlay packed rundll32.exe setupapi.dll shell32.dll smoke stealer
Link:
https://www.filescan.io/uploads/635d59f6a5db8d309cbbd483/reports/d6e444e7-d25a-47f5-8b3b-e50a57dc653b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1203bca3-e217-4ac2-a4c3-c110e01bc1ab
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100981
Signature
C2 URLs / IPs found in malware configuration
DLL reload attack detected
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 733642 Sample: y5I6SjP0AW.exe Startdate: 29/10/2022 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected Raccoon Stealer v2 2->67 69 3 other signatures 2->69 10 y5I6SjP0AW.exe 1 5 2->10         started        12 rundll32.exe 2->12         started        process3 process4 14 cmd.exe 1 10->14         started        17 dllhost.exe 10->17         started        signatures5 87 Obfuscated command line found 14->87 89 Uses ping.exe to sleep 14->89 91 Drops PE files with a suspicious file extension 14->91 93 Uses ping.exe to check the status of other devices and networks 14->93 19 cmd.exe 2 14->19         started        23 conhost.exe 14->23         started        25 PING.EXE 1 14->25         started        process6 file7 47 C:\Users\user\AppData\...\Adventure.exe.pif, PE32 19->47 dropped 71 Obfuscated command line found 19->71 73 Uses ping.exe to sleep 19->73 27 Adventure.exe.pif 1 19->27         started        32 find.exe 1 19->32         started        34 tasklist.exe 1 19->34         started        36 4 other processes 19->36 signatures8 process9 dnsIp10 61 QUzxMmlJARu.QUzxMmlJARu 27->61 57 C:\Users\user\AppData\...\hnlbrMmmQY.dll, PE32 27->57 dropped 79 DLL reload attack detected 27->79 81 Found API chain indicative of debugger detection 27->81 83 Found API chain indicative of sandbox detection 27->83 85 2 other signatures 27->85 38 Adventure.exe.pif 24 27->38         started        43 MpCmdRun.exe 1 32->43         started        file11 signatures12 process13 dnsIp14 59 31.41.244.153, 49705, 80 AEROEXPRESS-ASRU Russian Federation 38->59 49 C:\Users\user\AppData\...\vcruntime140.dll, PE32 38->49 dropped 51 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 38->51 dropped 53 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 38->53 dropped 55 4 other files (none is malicious) 38->55 dropped 75 Tries to harvest and steal browser information (history, passwords, etc) 38->75 77 Tries to steal Crypto Currency Wallets 38->77 45 conhost.exe 43->45         started        file15 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2022-10-29 16:23:38 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
11 of 26 (42.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljj4dv7goyo3423k4v4izrx7xptypfgr5k6hgysrztshye6m7tbq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221029-vcs6dsffhl/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a39dda23714360392e4b419b9eca54dab56e7e8d2d3f6a2b30c97cb2b7d3e186
MD5 hash:
65ccc76417732b02c2a92b784a1532b2
SHA1 hash:
cb75a04ae78642f274acd1fd9d15bf3f1d22f082
Link:
https://www.unpac.me/results/ffa05fc6-47a0-4a46-b608-8f9ef10d2848/
SH256 hash:
5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3
MD5 hash:
8d013b4129e9f90f841a494190847b31
SHA1 hash:
53cefb2945a37889b5442cc45aea28dea8a5ac22
Link:
https://www.unpac.me/results/ffa05fc6-47a0-4a46-b608-8f9ef10d2848/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2387961/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/325914/

Comments