MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64f9fa160bc97c437ad094a77ffdd68e0be3ae5372c40922b39f580c9ebc801c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64f9fa160bc97c437ad094a77ffdd68e0be3ae5372c40922b39f580c9ebc801c
SHA3-384 hash: 01db6aa5146d0339a8bcf2a34d2692e2de1610521053c6e869525a038bc15fdc0a6982c32a800adbbdbba76c9c2e5f3a
SHA1 hash: f39600b92c1c14bc5ca6d01f26e96f9ef825bfe7
MD5 hash: 141d51aae098d5b01a9710aa9a201e2e
humanhash: mirror-fifteen-mexico-single
File name:141d51aae098d5b01a9710aa9a201e2e.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'602'144 bytes
First seen:2022-10-27 23:35:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c2322398823bf1223321ef3211baef5e (2 x RecordBreaker)
ssdeep 24576:kPcMwDW3zs9mXFJf85Uq4bB0Li8q0FcHcrZJ92+yZQrfDFqNCk18JCI4EsbYP:k1wajs6Jf85g0Oj0Fc8NJo3gDf0YP
TLSH T1EF75021BEAC9BD8FDEE5DBB08B2B578555772E71B61043BD34100EC0A1F15E20B5A23A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 008ab2bebe9ec2c0 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker signed

Code Signing Certificate

Organisation:*.infomaniak.ch
Issuer:Sectigo RSA Domain Validation Secure Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-06-01T00:00:00Z
Valid to:2023-06-14T23:59:59Z
Serial number: 5d7a59ca51127f92c9912e6821f21c01
Thumbprint Algorithm:SHA256
Thumbprint: e90c8db7773756e793cc1fbe2b1d539e5a8195db483ff1930b43983f78a51cf9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RecordBreaker C2:
http://185.143.223.72/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.143.223.72/ https://threatfox.abuse.ch/ioc/950967/

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
141d51aae098d5b01a9710aa9a201e2e.exe
Verdict:
Malicious activity
Analysis date:
2022-10-28 01:08:51 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/146d5bb2-eb8c-4583-bf3c-4606201c5282

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325276/
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.521.5375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46185/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae8852c8-8c95-4601-b776-dfc35d22915e
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1099928
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64f9fa160bc97c437ad094a77ffdd68e0be3ae5372c40922b39f580c9ebc801c/
Threat name:
Win32.Trojan.Fugrafa
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 00:05:03 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mt47ufqlzf6eg6wqsstx77owryf6hlstolcasivtt5mazhv4qaoa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/221027-3lj8vaecfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
a630139039958d7f827d3238d7ee3bb4e5d7dc3f6a00dd5b54a5903be858f844
MD5 hash:
12292c8727c14a521c1dd7d61c9f6c3d
SHA1 hash:
5ca5ffb49627d156766f779dd57fe04c6fb4f5c4
Link:
https://www.unpac.me/results/e18409da-1249-4cc2-ad9a-c14e9c86dbba/
SH256 hash:
381f63b91af20942ee1f5d7ce8c87557c239d1a2b1a139caa7ccf2a93e4127d4
MD5 hash:
b703a706d339972f6df664bc868db5b8
SHA1 hash:
45872d5064678cbdbe1b7c7d6040b6d2fc1e09e6
Link:
https://www.unpac.me/results/e18409da-1249-4cc2-ad9a-c14e9c86dbba/
SH256 hash:
64f9fa160bc97c437ad094a77ffdd68e0be3ae5372c40922b39f580c9ebc801c
MD5 hash:
141d51aae098d5b01a9710aa9a201e2e
SHA1 hash:
f39600b92c1c14bc5ca6d01f26e96f9ef825bfe7
Link:
https://www.unpac.me/results/e18409da-1249-4cc2-ad9a-c14e9c86dbba/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64f9fa160bc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64f9fa160bc97c437ad094a77ffdd68e0be3ae5372c40922b39f580c9ebc801c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/325276/

Comments