MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e4371101f788c3f31179a2d0ee6fdb933367f21cc9dc28a65928373d2253d2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e4371101f788c3f31179a2d0ee6fdb933367f21cc9dc28a65928373d2253d2f
SHA3-384 hash: 01c1349d34c2d0e8d414bc3f7fafeb79e5483de4c085d9b0d259fa8a544dd1dd95ff2cd267f8556ef2601c13d5723172
SHA1 hash: 2c31615315dd6a93085272e74d47aadc0ca47d2b
MD5 hash: e7ae207b81f1463e7650ae4135d6d8e9
humanhash: mexico-eleven-fanta-twelve
File name:Setup.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:499'712 bytes
First seen:2022-11-07 11:41:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 296df6d34c5cd51c253772b859775151 (1 x AsyncRAT, 1 x RecordBreaker)
ssdeep 12288:Fy/1LwRWBGVpDNIo8WmAQwE57IejJgUALwU:mJvBGVpDd8WmAJ47lJgUALwU
TLSH T1AAB4BF39FB808933C1B32A388DE7D3644569FB902D2414473BEC0D5C5E7A2927A667DB
TrID 38.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon fefef2fcdcf3ba78 (2 x RedLineStealer, 2 x RecordBreaker, 1 x ArkeiStealer)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://94.131.109.157/

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-11-07 11:49:54 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/b639e94d-8f1b-4e65-9264-efc433dd5d5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329876/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49581/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug dllhost.exe hh.exe packed regsvr32.exe replace.exe
Link:
https://www.filescan.io/uploads/6368ef0b7da1a723acc6a0e2/reports/c9db71e7-27a3-40f6-9163-b685cda5d1a1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c58e2f30-f6a7-4168-aacc-f20c5104903b
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107205
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Costura Assembly Loader
Yara detected PasswordDump Tool
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e4371101f788c3f31179a2d0ee6fdb933367f21cc9dc28a65928373d2253d2f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-07 11:42:08 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pzbxcea7pcgd6mixtiwq5zx5xeztm7zbzso4fctfskbxhurfhuxq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:79e040fa8ecb76867d7f15a1a8b4fadc discovery spyware stealer
Link:
https://tria.ge/reports/221107-nt1hgagdgj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://94.131.109.157/
http://45.153.230.92/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2e465d79-85a8-4fb7-b7ed-36cb8f0e0329
Unpacked files
SH256 hash:
dadca335ab25517609326de40001ea5aaeb0bfa1139f3458df26b07209dc121b
MD5 hash:
5f2a0d681844db68511822247258b551
SHA1 hash:
8fc493af235064349122c82d6bdfb010762734c3
Link:
https://www.unpac.me/results/06814c58-110b-4621-af45-494ec4dd1adf/
SH256 hash:
7e4371101f788c3f31179a2d0ee6fdb933367f21cc9dc28a65928373d2253d2f
MD5 hash:
e7ae207b81f1463e7650ae4135d6d8e9
SHA1 hash:
2c31615315dd6a93085272e74d47aadc0ca47d2b
Link:
https://www.unpac.me/results/06814c58-110b-4621-af45-494ec4dd1adf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e4371101f788c3f31179a2d0ee6fdb933367f21cc9dc28a65928373d2253d2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Enigma
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Enigma
Rule name:INDICATOR_EXE_Packed_Loader
Create hunting rule
Author:ditekSHen
Description:Detects packed executables observed in Molerats
Rule name:MAL_Unknown_PWDumper_Apr18_3
Create hunting rule
Author:Florian Roth
Description:Detects sample from unknown sample set - IL origin
Reference:Internal Research
Rule name:MAL_Unknown_PWDumper_Apr18_3_RID312A
Create hunting rule
Author:Florian Roth
Description:Detects sample from unknown sample set - IL origin
Reference:Internal Research
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/329876/

Comments