MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539
SHA3-384 hash: 7e06c33f2f14c1067933e8e9b674665fd5b21360a4ed028adac1b6498eb0a9f27f95e9a68df6c07897b0677454e607fb
SHA1 hash: c37d98a04edbe68fbd4e054fe0e96b1c926460ea
MD5 hash: f29f6dc54c33b2aae2950019ee54b04c
humanhash: fix-magazine-arkansas-sink
File name:f29f6dc54c33b2aae2950019ee54b04c
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:850'944 bytes
First seen:2023-01-13 17:54:29 UTC
Last seen:2023-01-13 19:42:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Mf78hVkC6gGhgfyNbpiODGsSm+FGUz9q:MAhf6gGhgab6shWz
TLSH T17E05E0D6D7371BF2EA4A65EF4576138302F73A3724141E68644DA20C8A2B753B09E93F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f29f6dc54c33b2aae2950019ee54b04c
Verdict:
Malicious activity
Analysis date:
2023-01-13 17:55:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f0f170bb-53e6-4ed8-ac44-261d30c14a13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/352714/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64961075.579.23575.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Reading critical registry keys
Creating a process with a hidden window
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c19af9de614a115a16097f/reports/8c5dcb1f-8832-4715-bd98-da30896471bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b3d97b11-0bfe-4968-a1f3-2c2e9c32c694
Result
Threat name:
Raccoon Stealer v2, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151325
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer v2
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 784055 Sample: 2lnjYiHOeM.exe Startdate: 13/01/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 10 other signatures 2->51 7 2lnjYiHOeM.exe 3 2->7         started        process3 file4 25 C:\Users\user\AppData\...\2lnjYiHOeM.exe.log, ASCII 7->25 dropped 53 Injects a PE file into a foreign processes 7->53 55 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->55 11 2lnjYiHOeM.exe 23 7->11         started        signatures5 process6 dnsIp7 35 91.215.85.146, 49698, 80 PINDC-ASRU Russian Federation 11->35 37 fransceysse.ac.ug 91.215.85.158, 49700, 80 PINDC-ASRU Russian Federation 11->37 27 C:\Users\user\AppData\Roaming\eNYbDsbO.exe, PE32 11->27 dropped 29 C:\Users\user\AppData\Roaming\S1b1Cl6W.exe, PE32 11->29 dropped 31 C:\Users\user\AppData\Roaming\9i6gDNmJ.exe, PE32+ 11->31 dropped 33 8 other files (6 malicious) 11->33 dropped 57 Tries to harvest and steal browser information (history, passwords, etc) 11->57 59 Tries to steal Crypto Currency Wallets 11->59 16 12Wu344h.exe 2 11->16         started        19 S1b1Cl6W.exe 2 11->19         started        21 eNYbDsbO.exe 2 11->21         started        23 9i6gDNmJ.exe 2 11->23         started        file8 signatures9 process10 signatures11 39 Antivirus detection for dropped file 16->39 41 Multi AV Scanner detection for dropped file 16->41 43 Machine Learning detection for dropped file 16->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 08:17:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rro7amg6br47efk2mdqnl5ayrhwi2b6uietz2qdjs3okiy47qu4q._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:raccoon family:remcos family:xmrig botnet:1122023 botnet:75ea4cb7f040eb3056eaa4e86a3a9d6c discovery infostealer miner persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230113-whe2dsbb83/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
XMRig Miner payload
Azorult
Raccoon
Remcos
xmrig
Malware Config
C2 Extraction:
http://91.215.85.146/
http://195.245.112.115/index.php
nikahuve.ac.ug:65214
kalskala.ac.ug:65214
tuekisaa.ac.ug:65214
parthaha.ac.ug:65214
Unpacked files
SH256 hash:
3293f2ae91e6f68d270cfac1edf4cd939835b5c0669a42b78ff9620b4dc6545e
MD5 hash:
952f470cf79253a15541523d22f0234d
SHA1 hash:
2e527c95bbfd97fc72dbce59b37e890e72017dc9
Link:
https://www.unpac.me/results/f837943f-ddb6-41b5-b430-a78bd21fad2a/
SH256 hash:
8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539
MD5 hash:
f29f6dc54c33b2aae2950019ee54b04c
SHA1 hash:
c37d98a04edbe68fbd4e054fe0e96b1c926460ea
Link:
https://www.unpac.me/results/f837943f-ddb6-41b5-b430-a78bd21fad2a/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c5df030de0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/352714/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/2257580/
  
URLhaus
https://urlhaus.abuse.ch/url/2257588/
  
URLhaus
https://urlhaus.abuse.ch/url/1514315/
  
URLhaus
https://urlhaus.abuse.ch/url/1539388/
  
URLhaus
https://urlhaus.abuse.ch/url/2254177/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/2141170/
  
URLhaus
https://urlhaus.abuse.ch/url/1539152/
  
URLhaus
https://urlhaus.abuse.ch/url/2254174/
  
URLhaus
https://urlhaus.abuse.ch/url/1514297/
  
URLhaus
https://urlhaus.abuse.ch/url/1514098/
  
URLhaus
https://urlhaus.abuse.ch/url/2271067/
  
URLhaus
https://urlhaus.abuse.ch/url/1514313/
  
URLhaus
https://urlhaus.abuse.ch/url/1596393/
  
URLhaus
https://urlhaus.abuse.ch/url/2441296/
  
URLhaus
https://urlhaus.abuse.ch/url/2271066/
  
URLhaus
https://urlhaus.abuse.ch/url/2254175/
  
URLhaus
https://urlhaus.abuse.ch/url/2506772/
  
URLhaus
https://urlhaus.abuse.ch/url/2506771/
  
URLhaus
https://urlhaus.abuse.ch/url/2506773/

Comments


Avatar
zbet commented on 2023-01-13 17:54:32 UTC

url : hxxp://movesc.top/ghjk.exe