MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae7e53e8352267a436628554d19b93e4cca583549375a38fba1517551ce83791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae7e53e8352267a436628554d19b93e4cca583549375a38fba1517551ce83791
SHA3-384 hash: ff4498f96a2398d0ebcb0154f966904b502a7acac194c80effd69ddb5cdd18233aaadca556ae56117d8b8d85a741ef8a
SHA1 hash: e7d6fe4a2ddbac739b08656c0f4a8051277a5dbc
MD5 hash: 558a7e30e676b9ce85a7360017d430b5
humanhash: salami-red-lactose-salami
File name:file
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:295'936 bytes
First seen:2022-09-11 20:17:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81eb0f2ab6386242036b4e8efd568fe7 (2 x RecordBreaker)
ssdeep 6144:4qWwQ5jqxbPgY9IBc56SpNTIuqbqHwFIEyJh:4KQETh6Bc56SpNTIuxQ7y
Threatray 372 similar samples on MalwareBazaar
TLSH T1EB548C00BA90C035F6F312F449B693ACB93E7EA15B6450CB22D566EE5B356E0EC3135B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 5e6367636363471c (1 x RecordBreaker)
Reporter andretavare5
Tags:exe recordbreaker


Avatar
andretavare5
Sample downloaded from http://95.216.212.143/lesokbuild.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
437
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-11 20:20:07 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/144a08cb-bb92-48c9-ae3c-e641543fb23f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/309361/
Detection(s):
Win.Ransomware.Tofsee-9967922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the system32 subdirectories
Creating a file
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed ransomware tofsee
Link:
https://www.filescan.io/uploads/631e428cd836d69184874132/reports/e0877503-9319-4493-9dd9-98c0d1ec912b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c43235a-28f3-40a0-a2a0-09191a6575e0
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1068535
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae7e53e8352267a436628554d19b93e4cca583549375a38fba1517551ce83791/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-11 20:18:09 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
32 of 41 (78.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vz7fh2bvejt2intcqvkndg4t4tgkla2usn22hd52culvkhhig6iq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
61e9483a13f0e4d906031e1db890424d3f7916710c80ba1d7da968f986fa9764
RecordBreaker
6da056b3e14e136e17890c04f270ed1decbca6d67eb0f0fed914569e4fba8a92
RecordBreaker
7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4
RecordBreaker
8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771
RecordBreaker
829f67338d9165358ffdab748662e90f6f6962711dee0e670faacd61517d20ff
RecordBreaker
93f4ea88e5d2a00916f4c182cda835059b0b405316f340ac03b10a73057db97d
RecordBreaker
b22de3458444455c80b7d79c6d4e2b5925867930ce51ed641cc909b45297c8bb
RecordBreaker
cf16aaa4e7e4e906915e9901e93f4de670355784d5350991e8f09b813cc7988d
RecordBreaker
e3f6666bcc343098a21a2c52ee8a63d03c042b9dfd4cb1dfbf984c6d0e985da0
RecordBreaker
fd2b5d87e8e073c701253840c2f3997669c760a68b01cd1307f69042db48831f
RecordBreaker
+ 362 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:29436d51b3a8fde5d7895ccc63af3a09 discovery spyware stealer
Link:
https://tria.ge/reports/220911-y29q8afhbp/
Behaviour
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://88.119.161.156
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d2c58fc3-6a3a-4678-b12d-17cbfedf0a0d
Unpacked files
SH256 hash:
96dc51aa72ee72e09e3602ac8634455e7703cb388c54a99f850e72c01d0f03b2
MD5 hash:
b69f0dcd48d8fb876dfcdac5911c2376
SHA1 hash:
0612f16bf0dbfa2796abd830240905098943265a
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/0b35ab38-b84e-49cf-8bbe-8ea673f10159/
SH256 hash:
ae7e53e8352267a436628554d19b93e4cca583549375a38fba1517551ce83791
MD5 hash:
558a7e30e676b9ce85a7360017d430b5
SHA1 hash:
e7d6fe4a2ddbac739b08656c0f4a8051277a5dbc
Link:
https://www.unpac.me/results/0b35ab38-b84e-49cf-8bbe-8ea673f10159/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae7e53e83522/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae7e53e8352267a436628554d19b93e4cca583549375a38fba1517551ce83791

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2299833/
Cape
Cape
https://www.capesandbox.com/analysis/309361/

Comments