MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 828979d543912cebcdfbc73bb80fb2744a8a2cb9a289915ec02df4b11c966338. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14


SHA256 hash: 828979d543912cebcdfbc73bb80fb2744a8a2cb9a289915ec02df4b11c966338
SHA3-384 hash: 78064b9c309d4348cd02109adda460462f7502f52a18d5f2b0e2cb2c35ddad56ffc079a732b6bcb0da4b2ddd03fd9a44
SHA1 hash: d82d2fd75bc092872e884634e5403f5d72697152
MD5 hash: 009013ee565051be2de777ca53ca6863
humanhash: potato-robin-pluto-lima
File name: 009013ee565051be2de777ca53ca6863.exe
Signature: RecordBreaker
File size: 1'140'224 bytes
First seen: 2022-08-28 04:06:16 UTC
Last seen: 2022-08-28 04:37:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1e33718404ffbe0d91b536c10bf053f8 (80 x RedLineStealer, 7 x RecordBreaker, 4 x N-W0rm)
ssdeep: 24576:4LWIV2qlhYiY724fAdbgMQPd8bYY/wvzyvreDAAL:4KvqmF58wvzy5A
Threatray: 837 similar samples on MalwareBazaar
TLSH: T11C354C29EB4715B4DA635371C19EEA7B9B147A348022AE3FFF4BDA0CB4331163C85256
TrID: 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://213.252.244.230/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                       ThreatFox Reference
http://213.252.244.230/   https://threatfox.abuse.ch/ioc/845895/

Intelligence

File Origin
# of uploads: 2
# of downloads: 325
Origin country: n/a

Vendor Threat Intelligence
Malware family: raccoon
ID: 1
File name: https://mega.nz/file/QCtFnbLQ#ZURhhqQ92atwIHR6urN5YENDMqn0EPBpvvelxNsb7Cg
Verdict: Malicious activity
Analysis date: 2022-08-25 19:13:06 UTC
Tags: loader trojan raccoon recordbreaker stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Sending a custom TCP request

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  SystemUptime
  MeasuringTime
  EvasionQueryPerformanceCounter
  EvasionGetTickCount
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: anti-debug packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature:
  C2 URLs / IPs found in malware configuration
  Injects a PE file into a foreign processes
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic
  Writes to foreign memory regions
  Yara detected Raccoon Stealer v2
Behaviour:
Behavior Graph:

Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2022-08-25 18:10:00 UTC
File Type: PE (Exe)
AV detection: 29 of 40 (72.50%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:4c319cb108b8c325bc279b0d33bd04f4 stealer
Behaviour:
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of SetThreadContext
Raccoon
Malware Config
C2 Extraction: http://213.252.244.230/
Unpacked files
SHA256 hash: d72b2ffcc7028c0f9dd8d7c995decef511bf126a3b91874b8169b5586824a963
MD5 hash: 3cb09621c91e41ebf15ab6a57cfe9e59
SHA1 hash: 69bdba59efa3beaa5e93cc90153b93d62849536f
Detections: win_recordbreaker_auto

SHA256 hash: 828979d543912cebcdfbc73bb80fb2744a8a2cb9a289915ec02df4b11c966338
MD5 hash: 009013ee565051be2de777ca53ca6863
SHA1 hash: d82d2fd75bc092872e884634e5403f5d72697152
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments