MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b16c9eb943baf2dd444a50d55bf5b10cd0deac0de7ae0cdec419573ba100e2cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 12


SHA256 hash: b16c9eb943baf2dd444a50d55bf5b10cd0deac0de7ae0cdec419573ba100e2cd
SHA3-384 hash: 6fc6ed5c333669a702eb99e4299746c7ae0b183db08b7ec6a0ee4feaf0ebc9af85a8c65cbfcd68a87abb0d301fafcc47
SHA1 hash: 2c146908cac0cb74f01f59d8f6055b3f21b6ae45
MD5 hash: 110dc64494ccec6cec723a340c56eb86
humanhash: connecticut-neptune-don-enemy
File name: 110dc64494ccec6cec723a340c56eb86.exe
Signature: RecordBreaker
File size: 883'104 bytes
First seen: 2022-08-28 18:17:03 UTC
Last seen: 2022-08-28 18:35:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 48c28d9f3783f0e32815b0b4c57a60a9 (73 x RecordBreaker, 23 x RedLineStealer, 21 x ArkeiStealer)
ssdeep: 12288:npB4giN48AAL6cEm2lfBUfjnoDJo3I4wjspZqAgWP6Jg45Ob6u+M3qJogNL:npB4BN48/L6cEmy/js7qPWPaob+ogNL
Threatray: 253 similar samples on MalwareBazaar
TLSH: T10A159E203DC49173EEF220B746ECBA39416DE0F50B258AD746D457FEDA246C16F3298A
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://95.217.187.116/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://95.217.187.116/
ThreatFox reference: https://threatfox.abuse.ch/ioc/845914/
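Two ways to put this record to work, as an added example that is not MalwareBazaar's own code: verifying that a downloaded file really is the sample by recomputing every digest listed in the hash block above, and sweeping proxy logs and a file-hash inventory for the C2 URL from this IOC list together with the parent and unpacked-file hashes given further down the page. The log-line format, client addresses, file paths and inventory contents are constructed for the example; only the hashes and the C2 URL are copied from the entry.

```python
"""Consume a MalwareBazaar record as hunting input (added example).

1. verify_sample(): every digest the entry lists must match the bytes you
   downloaded, otherwise you are not looking at this sample;
2. sweep_proxy_log() / sweep_hash_inventory(): look for the entry's
   indicators in constructed telemetry.
"""
import hashlib
from urllib.parse import urlsplit

# Indicators copied from the entry (packed sample and unpacked payload).
RECORD = {
    "sha256": "b16c9eb943baf2dd444a50d55bf5b10cd0deac0de7ae0cdec419573ba100e2cd",
    "sha3_384": "6fc6ed5c333669a702eb99e4299746c7ae0b183db08b7ec6a0ee4feaf0ebc9af85a8c65cbfcd68a87abb0d301fafcc47",
    "sha1": "2c146908cac0cb74f01f59d8f6055b3f21b6ae45",
    "md5": "110dc64494ccec6cec723a340c56eb86",
}
UNPACKED = {
    "sha256": "c199297d5b5d27c0bd2c6d8a404f5a75c31ac518b09fcb4a8d4cc2d614eb7e05",
    "sha1": "7b97550872ff67fb89a29ac8ede914db79c496b3",
    "md5": "aa31a8aecd18931c89abcfbc11928532",
}
C2_URLS = ["http://95.217.187.116/"]


def hash_record(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, record: dict) -> list:
    """Return the names of the digests that do NOT match the record.

    Empty list: the bytes are the recorded sample. A partial mismatch
    (say MD5 matches but SHA256 does not) means a tampered or mislabelled
    file and must be treated as a failed verification, not a weak pass.
    """
    computed = hash_record(data)
    return sorted(k for k, v in record.items() if computed[k] != v.lower())


def c2_hosts(urls) -> set:
    """Reduce C2 URLs to hostnames so a different path, port or scheme
    in the logs cannot hide a contact with the same server."""
    return {urlsplit(u).hostname for u in urls}


def sweep_proxy_log(lines, hosts) -> list:
    """Match constructed proxy lines ('ts client METHOD url status')
    against the C2 hostnames; return (client, url) for each hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash the sweep
        if urlsplit(parts[3]).hostname in hosts:
            hits.append((parts[1], parts[3]))
    return hits


def sweep_hash_inventory(inventory, *records) -> list:
    """Match a {path: hexdigest} inventory against every hash in the given
    records, whatever the algorithm or letter case the inventory uses."""
    known = {v.lower() for r in records for v in r.values()}
    return sorted(p for p, h in inventory.items() if h.lower() in known)


if __name__ == "__main__":
    # Constructed stand-in for downloaded bytes; it will fail verification.
    blob = b"constructed sample bytes, not the real file"
    print("mismatched digests:", verify_sample(blob, RECORD))
    log = [  # constructed proxy lines
        "2022-08-28T18:20:01Z 10.0.0.7 POST http://95.217.187.116/ 200",
        "2022-08-28T18:20:02Z 10.0.0.8 GET http://example.com/ 200",
        "2022-08-28T18:21:00Z 10.0.0.9 GET http://95.217.187.116:80/index.php 404",
    ]
    print("C2 contacts:", sweep_proxy_log(log, c2_hosts(C2_URLS)))
    inventory = {  # constructed file-hash inventory
        "C:\\Users\\a\\Downloads\\setup.exe": RECORD["sha256"].upper(),
        "C:\\Windows\\notepad.exe": "00" * 32,
        "C:\\tmp\\dump.bin": UNPACKED["md5"],
    }
    print("known-bad files:", sweep_hash_inventory(inventory, RECORD, UNPACKED))
```

Matching on hostname means a later sighting of the same server on another port or path still fires. The indicator is dated, though (first seen 2022-08-28 per the entry), so a hit on the bare IP long after that date needs confirmation that the address still belongs to this infrastructure before anyone acts on it.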

Intelligence


File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
ID:
1
File name:
110dc64494ccec6cec723a340c56eb86.exe
Verdict:
Malicious activity
Analysis date:
2022-08-28 18:19:26 UTC
Tags:
trojan raccoon recordbreaker loader stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
PrivateLoader, Raccoon Stealer v2
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2022-08-28 18:18:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Unpacked files
SHA256 hash:
c199297d5b5d27c0bd2c6d8a404f5a75c31ac518b09fcb4a8d4cc2d614eb7e05
MD5 hash:
aa31a8aecd18931c89abcfbc11928532
SHA1 hash:
7b97550872ff67fb89a29ac8ede914db79c496b3
Detections:
win_recordbreaker_auto
Parent samples :
SHA256 hash:
b16c9eb943baf2dd444a50d55bf5b10cd0deac0de7ae0cdec419573ba100e2cd
MD5 hash:
110dc64494ccec6cec723a340c56eb86
SHA1 hash:
2c146908cac0cb74f01f59d8f6055b3f21b6ae45
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RaccoonV2
Author: @_FirehaK <yara@firehak.com>
Description: This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference: https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name: win_recordbreaker_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.recordbreaker.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: RecordBreaker
File: Executable exe b16c9eb943baf2dd444a50d55bf5b10cd0deac0de7ae0cdec419573ba100e2cd (this sample)

Comments