MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90092dd11cdc687a901279f37c704e10c55c8a9ea762beca4b74fb4da8e0f3f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90092dd11cdc687a901279f37c704e10c55c8a9ea762beca4b74fb4da8e0f3f4
SHA3-384 hash: 6a7ab8e9ec964c07b1785175a73dd351dbde448884dc9349ddf2f3bc6261dd251e51de94c893db9772bf3c60f9897672
SHA1 hash: 88c7515fb8b733d59af3a85ace4b85597cf2d69f
MD5 hash: d65cef18dc7e808145161fc1fb6ed898
humanhash: quiet-harry-eighteen-single
File name:d65cef18dc7e808145161fc1fb6ed898.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:66'048 bytes
First seen:2022-11-16 07:17:21 UTC
Last seen:2022-11-16 08:46:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 1536:BvdDWMN95Vp01Eca2z/LvhbUDZUN1T04K3rJJOFOEL:pdDWMN9q1EcfBUDZi03KL
Threatray 1'051 similar samples on MalwareBazaar
TLSH T118533911E6D2D4A7E59208F127C23A78DB5FFF353D5D3D9363088754AA602B20B277A2
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
d65cef18dc7e808145161fc1fb6ed898.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 07:20:12 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/3cb11db3-cc5f-4968-805f-9fe81689aaba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334670/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.23950.26866.5142.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Sending an HTTP POST request
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed racealer
Link:
https://www.filescan.io/uploads/63748eac65b4ed3de8c86441/reports/509b0ffa-a04a-4667-8564-5bfb2160ba06/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b57b69d-6f8b-4d89-af7b-a618059bf721
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1114583
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90092dd11cdc687a901279f37c704e10c55c8a9ea762beca4b74fb4da8e0f3f4/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 06:41:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=saes3ui43ruhveasphzxy4cocdcvzcu6u5rl5sslot5u3kha6p2a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23
RecordBreaker
554205366ff07e0fa59789cbf9ba72e1d1966d9d3d1889154408b9c0b4dbd861
RecordBreaker
70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a
RecordBreaker
77860ceeea9d024405a1ceb41a347159a49c9dcf480bcf7fb1272eda405e52b6
RecordBreaker
b993ca2a752e9bd918f76db3cff5b987977821bd5874c3d867ad16d82156682f
RecordBreaker
e50d7612867722fff23e0bb61ae117b5cfe6fc843e17c8c3a4deb413820170c4
RecordBreaker
ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a
RecordBreaker
+ 1'041 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:d8f44b07b06da3a90ad87ebc9249718c botnet:dc575a13050638a6 discovery spyware stealer
Link:
https://tria.ge/reports/221116-h4y5hahf48/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Malware Config
C2 Extraction:
http://79.137.205.87/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c5a53e31-c46c-4476-830b-62a28880dd0c
Unpacked files
SH256 hash:
c73eef378eb054a400fb8163dd3141feaffea91eeb6a1363a41e7e7a88222f53
MD5 hash:
5cef736542d8707af28a2927bb0a09c2
SHA1 hash:
415816c04d498480ef350db4d77651dc17791897
Link:
https://www.unpac.me/results/61afcf39-be33-4b06-9a12-727521863d45/
SH256 hash:
90092dd11cdc687a901279f37c704e10c55c8a9ea762beca4b74fb4da8e0f3f4
MD5 hash:
d65cef18dc7e808145161fc1fb6ed898
SHA1 hash:
88c7515fb8b733d59af3a85ace4b85597cf2d69f
Link:
https://www.unpac.me/results/61afcf39-be33-4b06-9a12-727521863d45/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/90092dd11cdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90092dd11cdc687a901279f37c704e10c55c8a9ea762beca4b74fb4da8e0f3f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 90092dd11cdc687a901279f37c704e10c55c8a9ea762beca4b74fb4da8e0f3f4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2414186/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/334670/

Comments