MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5
SHA3-384 hash: 2a53b35c2788642c845ac4bc8ab93fe2595d4c279ffc92518ab60944791c3935eab389f525f8ae0b765bccc082c15e4e
SHA1 hash: 07aacc9cadb86d5e2f4d311815ebf6c815db458b
MD5 hash: a2dab6d2fa54df066eac9cecbfd84fbf
humanhash: victor-king-twenty-chicken
File name:a2dab6d2fa54df066eac9cecbfd84fbf
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:659'968 bytes
First seen:2022-10-24 09:53:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 800e93b76bb0af86258910988701686b (2 x RecordBreaker)
ssdeep 12288:CQhNMpHQaQhG14GstzDjlEFPmm0qK2KRbeh02cpkwbVpuCU1YICm/lrD:CQhNHaQhG14pNm0L2+beh7YKr
Threatray 747 similar samples on MalwareBazaar
TLSH T19DE4AE2134C1C036C6B738318A6AF6B485BEB4311B655AEF93D81A7E5F345E0BE2153B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe nanoplow-space recordbreaker

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://172.86.120.142/ https://threatfox.abuse.ch/ioc/916315/

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
a2dab6d2fa54df066eac9cecbfd84fbf
Verdict:
Malicious activity
Analysis date:
2022-10-24 09:55:27 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/84ffec13-6b32-484f-b285-c504e63cc39e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323331/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b788e80-37fd-4100-bc93-1ab9505d88c7
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1096398
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 09:53:57 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgynvqtg5wlmdltktmzlmjhenf7bxlcdjakeg5xhg67y4kjogx2q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c
RecordBreaker
4dd0e5762e6ae6553863f594262e8a1d3f48635d1f49ced7975fc5842fa69a14
RecordBreaker
70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a
RecordBreaker
72da013062ea0fd8acf955c4517f8998fef0f6f6d467c9610f8d9b5f77169f57
RecordBreaker
980095faad7ac452f5f2827290c5f00904f9aaed2facf9ed690850f8739437ed
RecordBreaker
cabcffe00d781032c39fc98acf5ec96687c5ce26b21b38ef9499213ed591fbde
RecordBreaker
e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0
RecordBreaker
+ 737 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/221024-lw7nfsgacn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5
MD5 hash:
a2dab6d2fa54df066eac9cecbfd84fbf
SHA1 hash:
07aacc9cadb86d5e2f4d311815ebf6c815db458b
Link:
https://www.unpac.me/results/97a80374-81d2-4626-a5ec-e894957aa976/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/99b0dac266ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2382105/
Cape
Cape
https://www.capesandbox.com/analysis/323331/

Comments


Avatar
zbet commented on 2022-10-24 09:53:19 UTC

url : hxxps://nanoplow.space/zxc.exe