MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292
SHA3-384 hash: f918a9b40e5ef356adc08a02ed88cad3b0ce305935dd096956bb6fd6a8ecf67fed00037657476bc481b97d2acfb2a6f3
SHA1 hash: 17b9cc38282e6e69e6525a8bb7184c0e80e9f148
MD5 hash: bd14a25c3f6e6687a4de687d9d1a2b2a
humanhash: arizona-muppet-ack-carbon
File name:bd14a25c3f6e6687a4de687d9d1a2b2a.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'298'432 bytes
First seen:2023-11-27 16:40:09 UTC
Last seen:2023-11-27 18:18:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f42abcdb23b603da5b775db836a96fc (1 x RecordBreaker)
ssdeep 24576:Y/B+Xb8N2E85odK3fTEpe0pFET+8A39c2fu:Ykrq7tbBpFZ8A62f
Threatray 1'069 similar samples on MalwareBazaar
TLSH T1D255E171B2E04937D13B1E789D1F57A8983ABE111E38548A2FE45D8C5F39780393A2B7
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13097/50/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon fefefeeedeb6fece (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://178.20.41.15/

Intelligence

File Origin
# of uploads :
2
# of downloads :
359
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460762/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.70559293.27256.29378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control hook lolbin
Link:
https://www.filescan.io/uploads/6564c69f6d4756846dc30bde/reports/94c6aa56-c9d6-4abc-a73f-a56a004da165/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e2ac197-656f-4db3-9ecd-ef4a95db56a3
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1348747
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1348747 Sample: ZjRZI29oPO.exe Startdate: 27/11/2023 Architecture: WINDOWS Score: 100 40 JZWXBUvHtbWxxMVALUsmd.JZWXBUvHtbWxxMVALUsmd 2->40 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 2 other signatures 2->52 10 ZjRZI29oPO.exe 8 2->10         started        signatures3 process4 file5 38 C:\Users\user\AppData\Local\...\Psychiatry, PE32 10->38 dropped 13 cmd.exe 1 10->13         started        process6 signatures7 62 Uses ping.exe to sleep 13->62 64 Drops PE files with a suspicious file extension 13->64 66 Uses ping.exe to check the status of other devices and networks 13->66 16 cmd.exe 1 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 44 Uses ping.exe to sleep 16->44 21 Astronomy.pif 16->21         started        24 cmd.exe 2 16->24         started        27 cmd.exe 2 16->27         started        29 6 other processes 16->29 process10 file11 54 Found evasive API chain (may stop execution after checking mutex) 21->54 56 Found API chain indicative of debugger detection 21->56 58 Found API chain indicative of sandbox detection 21->58 60 3 other signatures 21->60 31 Astronomy.pif 12 21->31         started        34 Astronomy.pif 21->34         started        36 C:\Users\user\AppData\Local\...\Astronomy.pif, PE32 24->36 dropped signatures12 process13 dnsIp14 42 178.20.41.15, 49734, 80 ASN-FRWInternetServiceProviderIT Russian Federation 31->42
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-23 20:42:59 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
15 of 37 (40.54%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=prhqqsv5t5zctsssewrqjkdpjdl53x36xtsaf4jaa4tky55v4kja._file
Verdict:
malicious
Similar samples:
2c507279c680c935a07e01c7a49cd6f971495bb337feafe6b9f094766ddc639c
RecordBreaker
2d43530c81da22814e9debab6cc5dc8583d87b50c374e84c4ef153b0e51e4430
RecordBreaker
5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0
RecordBreaker
7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292
RecordBreaker
87251d0a36f7ece7e116d9c0f05649a015f16f527ee1a083d0dd3d1c176e83aa
RecordBreaker
b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775
RecordBreaker
+ 1'059 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon stealer
Link:
https://tria.ge/reports/231127-t64csaaa27/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Raccoon
Raccoon Stealer payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
d6d814d2f814c5619c6a7657e12aa189f8dc7b7de0d02655aa6befcf40288519
MD5 hash:
25e095eba4288a592d85234a571dd045
SHA1 hash:
b36c137afa3d8a5cda14e12911f869905dbfbfc4
Link:
https://www.unpac.me/results/85603e61-6646-48a3-9f9a-d5b7d1e17570/
SH256 hash:
7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292
MD5 hash:
bd14a25c3f6e6687a4de687d9d1a2b2a
SHA1 hash:
17b9cc38282e6e69e6525a8bb7184c0e80e9f148
Link:
https://www.unpac.me/results/85603e61-6646-48a3-9f9a-d5b7d1e17570/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/460762/

Comments