MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f
SHA3-384 hash: 594d9f4115b89f4ec6f3237b88b16727df7595f9f70b1dc8e7a1a225c8e4a57874b755737909fde85ce8b3dad67ee192
SHA1 hash: 95dd10a0166683dd10efd0cabca2c7c4a9df4bbb
MD5 hash: 25dbc9fb9f4d6dcbba5f528f4780de04
humanhash: tango-three-artist-orange
File name:25dbc9fb9f4d6dcbba5f528f4780de04
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:456'192 bytes
First seen:2023-01-18 09:43:17 UTC
Last seen:2023-01-18 11:30:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe6c9b473349465e571611857ce5cb94 (4 x RedLineStealer, 1 x RecordBreaker)
ssdeep 6144:TLoqTPSdT4fKfgRP5sVzOtBgOxYKvbBOPv6iofK9+B+AOwBm/bhd6SLqJeNfNLq:/oqTPO4fOgRPqVzOtG8YKTBu37PFL
Threatray 287 similar samples on MalwareBazaar
TLSH T16DA4AE137ED1B831E9E118325B43DEB2797EE0B10D608BDBFB985C796B202906239775
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25dbc9fb9f4d6dcbba5f528f4780de04
Verdict:
No threats detected
Analysis date:
2023-01-18 09:46:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7815f9ac-2a31-4125-a7b9-0563cb8c91cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354085/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33036464.16948.17436.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61173/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63c7bf6681817f6f4dc47d49/reports/6ff874b1-33af-4f0f-994c-47abb36e5962/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c646a8b-31b1-435d-9de6-f403d652c7e6
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153742
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786474 Sample: d876Km2P9e.exe Startdate: 18/01/2023 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Multi AV Scanner detection for domain / URL 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 4 other signatures 2->38 6 d876Km2P9e.exe 1 2->6         started        process3 signatures4 40 Contains functionality to inject code into remote processes 6->40 42 Writes to foreign memory regions 6->42 44 Allocates memory in foreign processes 6->44 46 Injects a PE file into a foreign processes 6->46 9 vbc.exe 23 6->9         started        14 WerFault.exe 24 9 6->14         started        16 conhost.exe 6->16         started        process5 dnsIp6 28 185.180.199.215, 49691, 80 HOSTING-SOLUTIONSUS Netherlands 9->28 18 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 9->18 dropped 20 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 9->20 dropped 22 C:\Users\user\AppData\LocalLow\mozglue.dll, PE32 9->22 dropped 26 4 other files (none is malicious) 9->26 dropped 48 Tries to harvest and steal browser information (history, passwords, etc) 9->48 50 DLL side loading technique detected 9->50 52 Tries to steal Crypto Currency Wallets 9->52 54 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->54 30 192.168.2.1 unknown unknown 14->30 24 C:\ProgramData\Microsoft\...\Report.wer, Unicode 14->24 dropped file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 05:35:35 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcvil5r53ph2ciccajrtgnwwb6nmny3vcb4uxyrqxt6gjjipeq7q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
3508674e78e25a2ee057e9e667c73515367d45388a9cfda3358b1ee668cb1798
RecordBreaker
3e1fbbd273800929e5d4a0d80655a43b262da68eb415141c346b7feb97dc6316
RecordBreaker
553c1fcd31804f36add63ad512e78acd9344c6a85ae09ab39dbd9f6d31c4b389
RecordBreaker
97f0590c95058e7177e57e48c36da9302f5016b21da44efcfa644d016d87330b
RecordBreaker
aa4185102f68d05e1dc41d46e7b65cfb4a12e1f8694b7300264a6044a51f6931
RecordBreaker
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e
RecordBreaker
c7e8c1f9dccbb6994c09588f04ec4ebf8db2ab30b3ca1a7951b847475b0e16dd
RecordBreaker
dd6591db098a249805d23dea1f8c3bb79e2cb9a40a27cfaffaaf7b81042af622
RecordBreaker
+ 277 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:571391c08bcfc49c97149aeb137899e0 stealer
Link:
https://tria.ge/reports/230118-lqgvvaec47/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Raccoon
Malware Config
C2 Extraction:
http://185.180.199.215
Unpacked files
SH256 hash:
eeca4fb3d9914d9f34344ac5e784f5cd068ab95755367d71b4ab1e858975f22b
MD5 hash:
5caedb9a17268f3e56e9ea03f4dbfff0
SHA1 hash:
88fcefc1d94f257b93b52d7c45b7567eeb1937b7
Link:
https://www.unpac.me/results/4b300bf8-731e-4df7-ab30-4cdb7a0acd10/
SH256 hash:
88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f
MD5 hash:
25dbc9fb9f4d6dcbba5f528f4780de04
SHA1 hash:
95dd10a0166683dd10efd0cabca2c7c4a9df4bbb
Link:
https://www.unpac.me/results/4b300bf8-731e-4df7-ab30-4cdb7a0acd10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2511214/
Cape
Cape
https://www.capesandbox.com/analysis/354085/

Comments


Avatar
zbet commented on 2023-01-18 09:43:21 UTC

url : hxxp://62.204.41.121/lend/ztf9phdgi2oi7q.exe