MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80bf09424e359558567c85c94e70c8ee4c13d2676f4d52b694da1692c34f0f06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80bf09424e359558567c85c94e70c8ee4c13d2676f4d52b694da1692c34f0f06
SHA3-384 hash: 6247f57983e159c92254513b61b8fd82fed5b37353c9670536a307d999029c8207139a65d174afd495c23982c3a5a102
SHA1 hash: ffe2883fa9aa455056fc2290b2cd2c4493252f1d
MD5 hash: bbe6d20b7f00e927104d51ab7c8b4861
humanhash: seven-low-connecticut-freddie
File name:file
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:271'872 bytes
First seen:2022-10-04 17:14:30 UTC
Last seen:2022-10-05 05:53:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 03ab2c62a893c1f9ee368bd303fccd65 (4 x GCleaner, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep 3072:WXhDuJjtfL/5lFTYXPU5Cx8za/mOXaXW1EcYyRZEWrxpzbgqruhkPnwpZa9uD6Vz:+ZuRtfLxYZx8OUFuZEuzbgwuGYwVf
Threatray 575 similar samples on MalwareBazaar
TLSH T17D44BE3176E9C8B1E1B7153078609BA0673BBE326574858B2724121D1E72ECC9EF6B1F
TrID 39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 38b078eccacccc53 (67 x Smoke Loader, 29 x Stop, 20 x RedLineStealer)
Reporter andretavare5
Tags:exe recordbreaker


Avatar
andretavare5
Sample downloaded from https://vk.com/doc527785675_645459589?hash=qV9jRUhBKYVkArCHRKEZUuZhqgm5f52OmSyecB7L8tc&dl=GUZDONZYGU3DONI:1664903453:JDXrDN37BeX9BEdVz60jcPxpcIBbzQLx8IcJzlNrXLz&api=1&no_preview=1#bblolz

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://64.44.102.241/ https://threatfox.abuse.ch/ioc/870579/

Intelligence

File Origin
# of uploads :
331
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/316603/
Detection(s):
Win.Malware.Azorult-9949206-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Creating a file in the system32 subdirectories
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41131/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware
Link:
https://www.filescan.io/uploads/633c6a1790cb824e9da01c4a/reports/e030b9b8-df6c-4959-ace6-ffeceae21f11/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad6f9bbb-a9e1-4cd6-b01d-9adf981bc55f
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1083453
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80bf09424e359558567c85c94e70c8ee4c13d2676f4d52b694da1692c34f0f06/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 17:15:07 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
28 of 41 (68.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qc7qsqsogwkvqvt4qxeu44gi5zgbhuthn5gvfnuu3iljfq2pb4da._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
296d3abb689416d5c47bb8edd555c81b9cf81f80fc9179b14aa6b68c8c8e10ab
RecordBreaker
69eac55ff687843f9d856e7facdef36d1c53faa5df6ff3eab874a1426a5efcea
RecordBreaker
774fa8863d2cb1747c338ef9023103d535715b30b6d5450a9ee146663d77c89b
RecordBreaker
9864bde6be2d10c1a5c0e00bb99dc640bf3c955ab0be9dd4529c50d48cb58eb7
RecordBreaker
aa39655b046e5dff029236ee67d80d3106f2e05f11bd3ee1ebeb41d40321c988
RecordBreaker
cabcffe00d781032c39fc98acf5ec96687c5ce26b21b38ef9499213ed591fbde
RecordBreaker
f93ba32f22e747dec19ebdf57fc8b1f775feca04f70a69d0660b905956b246f4
RecordBreaker
+ 565 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:f65d012b021e6e8fcaa9c1a04b6d5107 discovery spyware stealer
Link:
https://tria.ge/reports/221004-vsjlwsbhfk/
Behaviour
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://64.44.102.241
http://64.44.102.116
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c251936c-dd76-4e01-8b6d-85a780243462
Unpacked files
SH256 hash:
608e622a73c0cb3563824bf002f9abd4d4ebeb469f50c6cfe6e7816d33547437
MD5 hash:
3c8dec2f9fa84f2d4daea091fabdd95f
SHA1 hash:
0c731f2190094075e4156c3d415d30a58386817a
Link:
https://www.unpac.me/results/818e95f0-4e36-4d9b-803d-aa5410783022/
SH256 hash:
80bf09424e359558567c85c94e70c8ee4c13d2676f4d52b694da1692c34f0f06
MD5 hash:
bbe6d20b7f00e927104d51ab7c8b4861
SHA1 hash:
ffe2883fa9aa455056fc2290b2cd2c4493252f1d
Link:
https://www.unpac.me/results/818e95f0-4e36-4d9b-803d-aa5410783022/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80bf09424e35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80bf09424e359558567c85c94e70c8ee4c13d2676f4d52b694da1692c34f0f06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:recordbreaker_win_generic
Create hunting rule
Author:_kphi
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/316603/

Comments