MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49
SHA3-384 hash:	a3717b9ff65be2dad38952d5f9fe720cd5f6e59e918ec48d381a60a7431145d90dbbdfe136aeb41ff07188892f30c82e
SHA1 hash:	c6599df4d126fe8ab6e338dbedddfb063be56f51
MD5 hash:	f7c2b6f1264ae863cbf21db819051437
humanhash:	bacon-august-johnny-foxtrot
File name:	GoogleMaps.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	2'689'192 bytes
First seen:	2023-01-16 19:20:40 UTC
Last seen:	2023-01-16 20:43:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 46 x PureHVNC, 28 x RedLineStealer)
ssdeep	49152:FsLnJn9Chmy5gcQi3hQ1vPu9js/F5Ets1oqpasfzfrNOXF0Wdw0f9P:FKC82gmx0vPKITEt5XsfNiF0WS0lP
Threatray	7'358 similar samples on MalwareBazaar
TLSH	T157C5F0408E504A1FCCB469B5E83C73693CE0E41BBB56F416AC579E21A37380C9FD766A
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	c2b4bcb4a4ad96b2 (1 x RecordBreaker)
Reporter	SquiblydooBlog
Tags:	exe Racoon recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

GoogleMaps.exe

Verdict:

Malicious activity

Analysis date:

2023-01-16 19:21:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fbbd3714-340e-4db1-a7c5-fc5991e269ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/353526/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Generic.14577.18014.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a file

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/63c5a39ee4e81283f94e35f2/reports/81fb2e60-aa2f-4d1b-a988-e4cab01371b2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ebe4b931-7033-4fe2-add0-ac57da7684df

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1152600

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

DLL side loading technique detected

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Raccoon Stealer v2

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-01-16 19:21:15 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5fukckhzpsaa5acqfvefzridti7hv3m4cimkr6vmq6vxdzcpveq._file

Verdict:

unknown

RecordBreaker

296e195f7896d20af579930d9bc481bc9d651e79480399c071531417bfede4a7

RecordBreaker

3838e7c40562f66dd304227e311eeb51dd9c2981a4e5c54da4789e6fcbb06f5d

RecordBreaker

4d7de57abd009b6bc6e16e3a135d19788b576bc67c75d697ba77f297453fe1fa

RecordBreaker

76594bfde86ba22d8decd126752d700a9567551aff57ff9c85f1cc53b5b51ba5

RecordBreaker

7e481ee40af6227bc65f7334cffa28ef661ab49cb800ce383aed1cec82515ae5

RecordBreaker

97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6

RecordBreaker

e3b0a6b1e8aa4cc6407d49b2bc8607549fc5b25cd2b11fc66a41127266c3ca47

RecordBreaker

e9450c3121f962ad35052a0eb013d667116a77c29299a43047ccd19bd3abfe40

RecordBreaker

f8140b5a0a7451917bfeac768b1165af6cb5ea0f97fdfe01235c7f049ba2a137

RecordBreaker

+ 7'348 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:4826cef0231d2c42faee0cf7804dbe5d evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/230116-x2mq1sca82/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Downloads MZ/PE file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Raccoon

Malware Config

C2 Extraction:

http://78.153.130.86/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d7b2e72b-0811-4356-a65e-58893d77a92a

Unpacked files

SH256 hash:

7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49

MD5 hash:

f7c2b6f1264ae863cbf21db819051437

SHA1 hash:

c6599df4d126fe8ab6e338dbedddfb063be56f51

Link:

https://www.unpac.me/results/3041fa19-db6b-4943-aac3-c20399e18363/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f4b450947cb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.46

Link:

https://yomi.yoroi.company/submissions/7f4b450947cbe4007402816a42e6281cd1f3d76ce090c547d5643d5b8f227d49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/353526/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample