MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
SHA3-384 hash: fc3d194713a6cc122145221dd527d42dd856e0b94daa8438dde21a4af1bd1776fdce3dccbaaa68ffccac1e676a1fd075
SHA1 hash: 3d9d22ef47c09230fda8d66945e00e3538f2d975
MD5 hash: 018dbebc18d0989b6c5a0916a7aeb8ee
humanhash: nineteen-alpha-december-salami
File name:lrPBx4qjVQLL.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'588'808 bytes
First seen:2022-09-27 04:32:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af58d77e2de72a34dfec8ea762118eda (2 x RecordBreaker, 1 x AsyncRAT, 1 x SystemBC)
ssdeep 49152:8N0TnIUbWriymtRAZbUJylRyOuo+ecZTa1gBHXOlr/pQVpu7S/cY:gKnIUbWrJUJy/yOuo/cZTa1cXO/DS/b
TLSH T11A75020E94741652F63ACF30B542B9B31BF81FBE19B96D0C57D437A78B740E9089D22A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0ccb2f0ccc4dcf0 (1 x RecordBreaker)
Reporter JAMESWT_WT
Tags:9178UTuitA24715UTuitA26909 exe recordbreaker signed

Code Signing Certificate

Organisation:*.eos.com
Issuer:Sectigo RSA Domain Validation Secure Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-02T00:00:00Z
Valid to:2023-05-02T23:59:59Z
Serial number: 062b2827500c5df35a83f661b3af5dd3
Thumbprint Algorithm:SHA256
Thumbprint: caa9b01580066fabdcbe98047475f558d180c7dafdb237abb0d848a849146e8d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.131.107.206/ https://threatfox.abuse.ch/ioc/851872/

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
79ba4f51061dc9ddd3f87739de5f1fea765695f17f3ca05e9bcf8398e5e08863.exe
Verdict:
Malicious activity
Analysis date:
2022-09-27 04:19:49 UTC
Tags:
installer trojan raccoon recordbreaker
Link:
https://app.any.run/tasks/f05bf924-cbd1-4d92-b908-d9017a182c87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313772/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Сreating synchronization primitives
Sending an HTTP POST request
Creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39384/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63327cfe6db724e16b707d64/reports/64f13617-193e-4157-9e3a-4bbc303c71dd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b2567315-1bcd-4be3-90da-c63ec6fe002d
Result
Threat name:
Allcome clipbanker, DarkTortilla, Raccoo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1077978
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Allcome clipbanker
Yara detected DarkTortilla Crypter
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 710523 Sample: lrPBx4qjVQLL.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 7 other signatures 2->47 7 lrPBx4qjVQLL.exe 2->7         started        process3 signatures4 49 Writes to foreign memory regions 7->49 51 Allocates memory in foreign processes 7->51 53 Injects a PE file into a foreign processes 7->53 10 InstallUtil.exe 76 7->10         started        process5 dnsIp6 31 94.131.107.206, 49734, 80 NASSIST-ASGI Ukraine 10->31 33 wizecenter.com 27.254.85.35, 49761, 49764, 49767 CSLOX-IDC-AS-APCSLOXINFOPublicCompanyLimitedTH Thailand 10->33 23 C:\Users\user\AppData\Roaming\7ZQjsS2h.exe, PE32 10->23 dropped 25 C:\Users\user\AppData\Roaming\08ii5K8P.exe, PE32 10->25 dropped 27 C:\Users\user\AppData\Local\...\2KcOWuVg.exe, PE32+ 10->27 dropped 29 7 other files (5 malicious) 10->29 dropped 55 Tries to harvest and steal browser information (history, passwords, etc) 10->55 57 DLL side loading technique detected 10->57 59 Tries to steal Crypto Currency Wallets 10->59 15 7ZQjsS2h.exe 15 2 10->15         started        19 08ii5K8P.exe 10->19         started        21 2KcOWuVg.exe 10->21         started        file7 signatures8 process9 dnsIp10 35 www.google.com 142.250.185.228 GOOGLEUS United States 15->35 37 Multi AV Scanner detection for dropped file 15->37 39 Machine Learning detection for dropped file 15->39 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 19:33:00 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qiisvddw225lg6wk3qpbuej6io3nzftpjc47figmr7n5qrhof55a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220927-e6hnradfbn/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Malware Config
C2 Extraction:
http://94.131.107.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f20acdd5-baff-45be-ba86-2fd15c763978
Unpacked files
SH256 hash:
ea902470772ae28793614f759b824e7c86e0cb23701fd282c0effd30d23c56ce
MD5 hash:
6dd83a203d5096ea3a1e13b81e9e4d64
SHA1 hash:
90bf8aeb71797d04ed692d930b4f18e0d7f0e304
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/9beb24d5-9904-427e-a1a6-f0b1a6d9d76f/
Parent samples :
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
ea902470772ae28793614f759b824e7c86e0cb23701fd282c0effd30d23c56ce
5a3544515807da069035c75e37e1570b893768eeab16385402b0464fd26272c0
SH256 hash:
bf5d8eb13d501cf73446077fd5b4e1053664c3f5502acb2816e38af946dc1601
MD5 hash:
244d5077ef24c1bf2c6efcadc0163c15
SHA1 hash:
aa739ddfa765133a28cd59f6056b63bdecd60df5
Link:
https://www.unpac.me/results/9beb24d5-9904-427e-a1a6-f0b1a6d9d76f/
SH256 hash:
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
MD5 hash:
018dbebc18d0989b6c5a0916a7aeb8ee
SHA1 hash:
3d9d22ef47c09230fda8d66945e00e3538f2d975
Link:
https://www.unpac.me/results/9beb24d5-9904-427e-a1a6-f0b1a6d9d76f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/82112a8c76d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313772/

Comments