MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863
SHA3-384 hash: 3311bebf04dc3de0a325e46d47ce14cd58687b16dac62f9fc9c70892526c655a73087028a729c4bad67cd295602a5fdf
SHA1 hash: 22dfa323960c4a7bdf499e169a4a060c0c58afa6
MD5 hash: 0bd42b1d43c4df140cde9354d078f527
humanhash: spring-bakerloo-wolfram-october
File name:0bd42b1d43c4df140cde9354d078f527.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:4'687'360 bytes
First seen:2022-09-27 00:31:59 UTC
Last seen:2022-09-27 04:38:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 98304:nkLlEy5jWOOfZhed1GQqCVjHjrGxu1xZ73Oe9WX:clHWEzVjHQQj73OmWX
TLSH T19F26023BB368A13EC4AA0A310677531055BFF751AC9A8C1E47F8091CCF675621F3A6E6
TrID 61.8% (.EXE) Inno Setup installer (109740/4/30)
23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 68aab2aaccccf030 (2 x RecordBreaker, 1 x RedLineStealer, 1 x NetWire)
Reporter abuse_ch
Tags:9178UTuitA24715UTuitA26909 exe fake malwarebytes recordbreaker signed

Code Signing Certificate

Organisation:www.mysterious.com
Issuer:www.mysterious.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-22T18:25:44Z
Valid to:2023-09-22T18:45:44Z
Serial number: 5ee26d12897ba8a848c7e302cf3ca96a
Thumbprint Algorithm:SHA256
Thumbprint: 9b281c23b4126eddbf65dde09b3dab6482861edf23a4f239dfb9387e9ac71a6b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RecordBreaker C2:
http://94.131.107.206/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.131.107.206/ https://threatfox.abuse.ch/ioc/851872/

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863.exe
Verdict:
Malicious activity
Analysis date:
2022-09-27 04:19:49 UTC
Tags:
installer trojan raccoon recordbreaker
Link:
https://app.any.run/tasks/f05bf924-cbd1-4d92-b908-d9017a182c87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313733/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Launching a process
Launching a file downloaded from the Internet
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39355/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6332448495b5342f6cbdbad9/reports/9c941380-7df0-438d-8d19-45b2ba043950/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/58f0dc55-aeed-4adb-8ec1-abcccdec48e4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1077830
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Disable Windows Defender notifications (registry)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses 7zip to decompress a password protected archive
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 710373 Sample: 1MwPFZa2b5.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 56 95 Snort IDS alert for network traffic 2->95 97 Multi AV Scanner detection for domain / URL 2->97 99 Multi AV Scanner detection for submitted file 2->99 10 1MwPFZa2b5.exe 2 2->10         started        process3 file4 63 C:\Users\user\AppData\...\1MwPFZa2b5.tmp, PE32 10->63 dropped 113 Obfuscated command line found 10->113 14 1MwPFZa2b5.tmp 5 19 10->14         started        signatures5 process6 file7 71 C:\Users\user\AppData\...\MBSetup.exe (copy), PE32 14->71 dropped 73 C:\Users\user\AppData\Local\...\is-S5DP1.tmp, PE32 14->73 dropped 75 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->75 dropped 77 3 other files (none is malicious) 14->77 dropped 17 cmd.exe 3 2 14->17         started        20 MBSetup.exe 4 14->20         started        22 7za.exe 5 14->22         started        process8 signatures9 85 Suspicious powershell command line found 17->85 87 Wscript starts Powershell (via cmd or directly) 17->87 89 Uses ping.exe to sleep 17->89 93 6 other signatures 17->93 24 wscript.exe 1 17->24         started        27 7za.exe 9 17->27         started        30 powershell.exe 15 17 17->30         started        35 3 other processes 17->35 91 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 20->91 33 conhost.exe 22->33         started        process10 dnsIp11 111 Wscript starts Powershell (via cmd or directly) 24->111 37 cmd.exe 1 24->37         started        40 cmd.exe 24->40         started        42 cmd.exe 24->42         started        65 C:\ProgramData\...\compil32_obf.bat, Unicode 27->65 dropped 67 C:\ProgramData\...\ControlSet002.bat, Unicode 27->67 dropped 69 C:\ProgramData\...\ControlSet001_obf.bat, Unicode 27->69 dropped 79 80.92.205.35, 49687, 80 HELIOSNET-ASRU Russian Federation 30->79 81 127.0.0.1 unknown unknown 35->81 83 192.168.2.1 unknown unknown 35->83 file12 signatures13 process14 signatures15 101 Wscript starts Powershell (via cmd or directly) 37->101 103 Uses cmd line tools excessively to alter registry or file data 37->103 105 Adds a directory exclusion to Windows Defender 37->105 44 reg.exe 37->44         started        47 conhost.exe 37->47         started        49 reg.exe 1 1 37->49         started        57 20 other processes 37->57 107 Uses 7zip to decompress a password protected archive 40->107 51 conhost.exe 40->51         started        53 mode.com 40->53         started        55 7za.exe 40->55         started        59 4 other processes 40->59 109 Uses ping.exe to sleep 42->109 61 3 other processes 42->61 process16 signatures17 115 Disable Windows Defender notifications (registry) 44->115
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 21:12:56 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
5 of 26 (19.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pg5e6uigdxe53u7yo4454xy75j3fnfprp46kaxu3z6bzrzparbrq._file
Verdict:
unknown
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220927-avmfcaddbl/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender notification settings
Raccoon
Malware Config
C2 Extraction:
http://94.131.107.206
Dropper Extraction:
http://80.92.205.35/hfile.bin
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/231c9df6-36bb-428e-b319-2f3826811a41
Unpacked files
SH256 hash:
b2da9101398354b7ecd2e4cdd9679ae14a420fd62fb1b71bffacba8297284dfc
MD5 hash:
527dee1dfad68522f58429df785689bf
SHA1 hash:
275a3355d9658eeca6af0da1673ad3dd6110c64c
Link:
https://www.unpac.me/results/98bdc4f7-22b0-4c89-bc6a-3b3b271312b0/
SH256 hash:
932da99918ee9466a095c5fdf9d5441ee5fac25cd43bc5fb5dbd21d2b150be12
MD5 hash:
fb8b6dad8c0375649c4e2adcf5dd0b0c
SHA1 hash:
e3a14598598dd8e12a574c0bd2c9e63a8ed8460a
Link:
https://www.unpac.me/results/98bdc4f7-22b0-4c89-bc6a-3b3b271312b0/
SH256 hash:
cf7e4d3415eac17b6b241b477de93e76d4f1e4b6051d350f7cd01bb1cdcc35d5
MD5 hash:
bff9ca481018a1eec3ccf09cd9b4feaf
SHA1 hash:
1f23362486f86f73d494906ab8ff912802c9c2db
Link:
https://www.unpac.me/results/98bdc4f7-22b0-4c89-bc6a-3b3b271312b0/
SH256 hash:
79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863
MD5 hash:
0bd42b1d43c4df140cde9354d078f527
SHA1 hash:
22dfa323960c4a7bdf499e169a4a060c0c58afa6
Link:
https://www.unpac.me/results/98bdc4f7-22b0-4c89-bc6a-3b3b271312b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313733/

Comments