MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa
SHA3-384 hash: a18fbbb9fff683b1a445c9f4a7639f1676eb8e688b21ef48edd7d350a95afddef88ac0cb8d98d879cc855fd9ec91ca9c
SHA1 hash: f0a8bdd0f5769a7b7a857f24e29a36dc54bdd96a
MD5 hash: 9f2d4ac2e67b3fe84ac5a8b6f7d6e6dd
humanhash: utah-edward-saturn-november
File name:9f2d4ac2e67b3fe84ac5a8b6f7d6e6dd.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:359'936 bytes
First seen:2023-04-17 09:40:15 UTC
Last seen:2023-04-17 11:37:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2cb59bd9251d49d733d8b63af794a12e (2 x GCleaner, 1 x RecordBreaker)
ssdeep 6144:diTnQl63wAB92+mSftzQab34Lv588toz+lAbb1zt:diUlpK92+mStz5b3ix88lMb1
Threatray 1'298 similar samples on MalwareBazaar
TLSH T13E747C3272D8A871E51206764E2EC6F82E6EF4634F557ADB2755BA3F0E301E2C172319
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0005012813100509 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://45.15.156.226/

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
d1228d4641ea6608026ee871ce336dbe.exe
Verdict:
Malicious activity
Analysis date:
2023-04-14 10:33:36 UTC
Tags:
opendir loader smoke trojan stealer raccoon recordbreaker gcleaner cryptbot evasion
Link:
https://app.any.run/tasks/701b5892-596b-4cf3-bab0-0335a6a6285a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382752/
Detection(s):
Sanesecurity.Malware.29209.BadIN.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware packed zusy
Link:
https://www.filescan.io/uploads/643d1430b197bbdcf7dc2e4d/reports/64328711-e6c8-402a-9fff-c98d268c8446/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00e83640-0841-4377-9e4c-54d8a6f306d1
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215073
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 13:50:11 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
23 of 24 (95.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmpyztez6thj4bpgi4nh34ojyhq5jqmt2pkcdakx6q6bd2tzpd5a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
12fdcabe145b1710ec9139ac4d519f6107acc46f0fbcd7255e66f9e6b788fc6c
RecordBreaker
13ea9deef659665396675833d0ae5057dcd25d4059108fd19ac3b44b55a5267d
RecordBreaker
2cb4c7dbd38b5d1feebbf2d5f8d218f0748bb2ee05a7b0dcf07ac3695500d560
RecordBreaker
3d89f2818d1db862eb5542217e1d5571e5a75af60e8734265ef6b6bc884e191f
RecordBreaker
3e8cd0eb4715ef2b9f3b9f676b90eb16b0842d289a34fdd41e46c106a845d983
RecordBreaker
599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
RecordBreaker
9f6b69057e19a7fd08aab0b2df861a65337207dcfac2d6fbd0d1c0a2b75670e7
RecordBreaker
d78277798307b83a9a1c0d695abec585b290fe1fe69556f62e6bec7e1ba37e26
RecordBreaker
f3d62ca6b2dfd77bd362dc1f4ec6e99bb43302e82583e6e8dce38df9ea1f6fe5
RecordBreaker
+ 1'288 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:1c40fcc370e4bf723bb6902cae839308 stealer
Link:
https://tria.ge/reports/230417-lnrx2afc9v/
Behaviour
Program crash
Raccoon
Malware Config
C2 Extraction:
http://45.15.156.226/
Unpacked files
SH256 hash:
77a8a1f0c546fabcd0dd62bf5ac3dc00dc70cd28c1ab355db5242727509f83fc
MD5 hash:
f67eb16e2f4dcbdac98df99cc10414f0
SHA1 hash:
acf1dc337f4c6726bea0a6119226bdda565810a4
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/a04b27b9-d592-450d-b533-9f693c86dafa/
SH256 hash:
8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa
MD5 hash:
9f2d4ac2e67b3fe84ac5a8b6f7d6e6dd
SHA1 hash:
f0a8bdd0f5769a7b7a857f24e29a36dc54bdd96a
Link:
https://www.unpac.me/results/a04b27b9-d592-450d-b533-9f693c86dafa/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b1f8ccc99f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 8b1f8ccc99f4ce9e05e6471a7df1c9c1e1d4c193d3d4218157f43c11ea7978fa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2611638/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382752/

Comments