MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071
SHA3-384 hash:	947b4de0b8c5e2732a73e59699ce306028351434cb78d629d43d4f3d33597b31812df7480023fc42def41e9a15a2be00
SHA1 hash:	f438833134cb618c7e56f6cb32da5e09eca16dfc
MD5 hash:	a9ac944c010706463b44456b56751e85
humanhash:	massachusetts-india-berlin-purple
File name:	file
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	123'856 bytes
First seen:	2022-10-10 12:18:15 UTC
Last seen:	2022-10-10 13:18:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:GSA5H9P+MOdk7Rbj2wqr177vD2/8+d3TraV8u1VrGLTKXZhbA:kQVSdbjSb2/8Q3ZebA
Threatray	623 similar samples on MalwareBazaar
TLSH	T1A2C3ADC56384D61DD819D6BC64B28AA7FA35EE0C4F12F3322198BB2D5D2339D9F01E16
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	e0962b292933b2e8 (4 x RedLineStealer, 2 x AgentTesla, 2 x RecordBreaker)
Reporter	andretavare5
Tags:	exe recordbreaker

andretavare5

Sample downloaded from http://kaisashop.online/install.exe

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RaccoonV2

Link:

https://www.capesandbox.com/analysis/318384/

Detection(s):

SecuriteInfo.com.Variant.Strictor.275802.16649.15937.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Reading critical registry keys

Sending a custom TCP request

Creating a file in the system32 subdirectories

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/63440db77a6f3f03619d9ec1/reports/285cd70e-5db0-4dab-a2f8-58bea771d008/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/69487b7f-2a1e-47c1-8922-4cf965183d15

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071/

Threat name:

ByteCode-MSIL.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-10 12:19:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uojw7l4abxdd32aq7jzt2myadtp4hajarjngsebpa6ouiky7abyq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20

RecordBreaker

296d3abb689416d5c47bb8edd555c81b9cf81f80fc9179b14aa6b68c8c8e10ab

RecordBreaker

80bf09424e359558567c85c94e70c8ee4c13d2676f4d52b694da1692c34f0f06

RecordBreaker

9864bde6be2d10c1a5c0e00bb99dc640bf3c955ab0be9dd4529c50d48cb58eb7

RecordBreaker

9b10c724b3474b424cf1aa3860c61f4787ea4fc2ad9ac07347c36a38da0b0058

RecordBreaker

cabcffe00d781032c39fc98acf5ec96687c5ce26b21b38ef9499213ed591fbde

RecordBreaker

f93ba32f22e747dec19ebdf57fc8b1f775feca04f70a69d0660b905956b246f4

RecordBreaker

+ 613 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:bd3a3a503834ef8e836d8a99d1ecff54 spyware stealer

Link:

https://tria.ge/reports/221010-pg6z6abhhl/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://77.73.133.7/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4b8c0a6f-f6f9-4a92-ae82-9f49fc829104

Unpacked files

SH256 hash:

d51774a96236ec45d70952e531236d03d59f6f3f00326702253a059abe05b5ac

MD5 hash:

7d0b80d550b77ac8afe85ac40a5b20f9

SHA1 hash:

931fa81c543f443666612cc7aed553a1027e8c5c

Detections:

raccoonstealer

win_recordbreaker_auto

Link:

https://www.unpac.me/results/77a1efd2-c591-4256-9049-ba1d775f0814/

Parent samples :

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071
ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a
20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919
c2283fa67f9c570588fbe02ade91f2b4fd9109ddf06d029af8c7e7c47d3579d2
36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

SH256 hash:

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071

MD5 hash:

a9ac944c010706463b44456b56751e85

SHA1 hash:

f438833134cb618c7e56f6cb32da5e09eca16dfc

Link:

https://www.unpac.me/results/77a1efd2-c591-4256-9049-ba1d775f0814/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a3936faf800d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name:	recordbreaker_win_generic Create hunting rule
Author:	_kphi

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_recordbreaker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/318384/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample