MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a0fa5a7bd56e091581b8fd0e18d21b31be7f4a82b1d9a92abeccab8fbe32aaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 17



SHA256 hash: 7a0fa5a7bd56e091581b8fd0e18d21b31be7f4a82b1d9a92abeccab8fbe32aaa
SHA3-384 hash: cec8ee175b24b8a7242419eafc2a1e1e8a2b334342f18cea80e4bd579f4f311b0d107b673e579b0b08de75bcf835c6e2
SHA1 hash: c668d97fefa30a3c1a99e6cfd0c7c018f2830d13
MD5 hash: 31fc8dad6cea223850e93b22565a12ad
humanhash: victor-twelve-north-pasta
File name: 31fc8dad6cea223850e93b22565a12ad.exe
Signature: RecordBreaker
File size: 1'529'376 bytes
First seen: 2022-09-29 09:40:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: af58d77e2de72a34dfec8ea762118eda (2 x RecordBreaker, 1 x AsyncRAT, 1 x SystemBC)
ssdeep: 24576:yFoouS58towEKba9CtzyO+tffHcZvRarFFboUJ5k7nCn8ZVyBVMi3J8e6Xi0aD8Q:y2LXqwEN9Y2O8ff1rFFD5k7Cn8ZVyIil
Threatray: 516 similar samples on MalwareBazaar
TLSH: T1BE65120091B99122C0364930BAB3DAB5A4177575A8B581AFBFC9FB673F7D0E31608397
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 71dcbeb2acbcf879 (1 x RecordBreaker)
Reporter: abuse_ch
Tags: exe recordbreaker signed

Code Signing Certificate

Organisation: cars.com
Issuer: GlobalSign RSA OV SSL CA 2018
Algorithm: sha256WithRSAEncryption
Valid from: 2021-09-08T14:01:06Z
Valid to: 2022-10-10T14:01:06Z
Serial number: 02f193f0d229f4bac4a02fb4
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: a83af25318ed9de29718164fb8fac1fc969603e4c327f24cbea7470b74363f0a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Caveat for triage: the issuer above is GlobalSign's OV TLS intermediate, not a code-signing CA. A certificate issued for TLS server authentication does not carry the Code Signing extended key usage, so Windows Authenticode validation of this signature is expected to fail, and the "signed" tag should be read as "carries a signature", not as evidence of a trusted publisher. The sample was first seen on 2022-09-29, inside the certificate's validity window, and the thumbprint remains a useful pivot to the second sample signed with it.

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
http://94.131.107.238/ | https://threatfox.abuse.ch/ioc/858521/
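Offline triage against the indicators on this entry, as an added example (not MalwareBazaar's or any vendor's code). The C2 URL and the file hashes are copied from this page (the same C2 is listed again under Malware Config in the vendor intelligence below); the Squid-style access-log format and the log lines themselves are constructed for illustration, so adjust LOG_RE to whatever your proxy actually writes.

```python
"""Offline triage against the indicators on this MalwareBazaar entry.

Added example, not MalwareBazaar's or any vendor's code. The indicator values
are copied from this page; the proxy log format and log lines are constructed.
"""
import hashlib
import re

# Indicators from this entry: the C2 extracted from the sample's configuration
# and the hashes of the submitted file and its unpacked payloads.
C2_URLS = {"http://94.131.107.238/"}
KNOWN_HASHES = {
    "7a0fa5a7bd56e091581b8fd0e18d21b31be7f4a82b1d9a92abeccab8fbe32aaa",  # submitted sample, SHA256
    "31fc8dad6cea223850e93b22565a12ad",                                  # submitted sample, MD5
    "c668d97fefa30a3c1a99e6cfd0c7c018f2830d13",                          # submitted sample, SHA1
    "f29c9872b8239f05ea087a225abf09196f55c2194a3b51875fdf2424541aa9d7",  # unpacked payload (raccoonstealer)
    "7cce7ef18303c7e42a3cd4a957f6a916934e79e8cb3b0105aa75a47763ef143b",  # unpacked payload
}


def host_of(url: str) -> str:
    """Host part of an absolute URL ("http://h/...") or a CONNECT target ("h:443")."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


C2_HOSTS = {host_of(u) for u in C2_URLS}


def file_hashes(data: bytes) -> dict:
    """The digests this entry lists for a sample: MD5, SHA1, SHA256 and SHA3-384."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def hash_hits(data: bytes) -> list:
    """Names of the digests of `data` that match a hash on this entry (packed or unpacked)."""
    return sorted(name for name, digest in file_hashes(data).items() if digest in KNOWN_HASHES)


# Assumed Squid-style access log:
#   <unix-ts> <elapsed-ms> <client-ip> <result/code> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def match_proxy_log(lines) -> list:
    """One record per log line whose destination host is the Raccoon C2.

    The sandbox reports on this entry show both HTTP POST and HTTP GET to the
    C2 plus a downloaded MZ/PE file, so the method is kept: the POST/GET split
    into check-in versus module download is an inference, not a page fact.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or host_of(m["url"]) not in C2_HOSTS:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "method": m["method"],
            "url": m["url"],
            "note": ("POST to C2: likely check-in or data exfiltration"
                     if m["method"] == "POST" else "contact with C2: likely module download"),
        })
    return hits


# Constructed log lines: two hits from 10.0.0.17, one benign request from 10.0.0.23.
SAMPLE_LOG = [
    "1664444453.101 215 10.0.0.17 TCP_MISS/200 1187 POST http://94.131.107.238/ - HIER_DIRECT/94.131.107.238 text/plain",
    "1664444454.020  53 10.0.0.17 TCP_MISS/200 4096 GET http://94.131.107.238/ - HIER_DIRECT/94.131.107.238 application/octet-stream",
    "1664444455.300  12 10.0.0.23 TCP_MISS/200  512 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["method"], hit["url"], "->", hit["note"])
    print(hash_hits(b"constructed bytes, not the sample"))
```

Matching on the host rather than the full URL string is deliberate: the entry gives the C2 as a bare root URL, and the stealer's follow-on requests hit paths under it, so an exact-URL match would miss them. Feed `hash_hits` the bytes of both the file on disk and any memory dump, since the page lists separate hashes for the packed sample and its unpacked payloads.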

Intelligence


File Origin
# of uploads: 1
# of downloads: 224
Origin country: n/a
Vendor Threat Intelligence
Malware family: socelars
ID: 1
File name: https://github.com/1anakin20/VideoCaptureUtility/releases/download/44/Pi_Network_Setup_0.4.5.zip
Verdict: Malicious activity
Analysis date: 2022-09-29 05:37:24 UTC
Tags: evasion trojan socelars stealer loader rat redline ransomware stop

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Threat name: Win32.Infostealer.Raccoon
Status: Malicious
First seen: 2022-09-26 19:31:19 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 25 of 26 (96.15%)
Threat level: 5/5
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:e56bae1a677690f5bec9b31bbab05974 spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction: http://94.131.107.238/
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f29c9872b8239f05ea087a225abf09196f55c2194a3b51875fdf2424541aa9d7
MD5 hash: 44d7e2dbf28ff6a27128e8ace2c080b1
SHA1 hash: 9d2c007dc2bb83589ef105c66f9c8876be2646e0
Detections: raccoonstealer win_recordbreaker_auto
SHA256 hash: 7cce7ef18303c7e42a3cd4a957f6a916934e79e8cb3b0105aa75a47763ef143b
MD5 hash: db0ae43f906d639f5833d92186b3cda5
SHA1 hash: 5d529f5bd5862aa3eaa52dd4f8cb35c74de7d3d1
SHA256 hash: 7a0fa5a7bd56e091581b8fd0e18d21b31be7f4a82b1d9a92abeccab8fbe32aaa
MD5 hash: 31fc8dad6cea223850e93b22565a12ad
SHA1 hash: c668d97fefa30a3c1a99e6cfd0c7c018f2830d13
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:RaccoonV2
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:recordbreaker_win_generic
Author:_kphi
Rule name:win_recordbreaker_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments