MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1
SHA3-384 hash: c6212ad088c9775f4e525f4f7ae29339b844c3006d4903281582345ed54508c914cbb83c91662b0077a8a27c3172bd77
SHA1 hash: f2f601bc5c5ac13d007774d7a874f06d41360898
MD5 hash: e8eedfa9c23d565850e4b712c469dc96
humanhash: autumn-potato-summer-sink
File name:1.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:2'571'440 bytes
First seen:2023-09-13 08:25:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:q9NuMPWiKnLjlJ2jfELozwMxB7AvmsJTXsa4BDVUK7tl1SGxSA1wh5x92JaAZk:uPWXH2j8cpIhJTXqBL7trSaMh5xEZW
Threatray 14 similar samples on MalwareBazaar
TLSH T135C5BE4157A0CE1AE3E63F34A993D02EAB31E5153312B75F1FAD22B95C232B459813DB
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 78e8e8f8e8e8e4e0 (1 x RecordBreaker)
Reporter r3dbU7z
Tags:Dotnet exe recordbreaker signed

Code Signing Certificate

Organisation:SamplesGNU observeDV
Issuer:SamplesGNU observeDV
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-07T08:45:26Z
Valid to:2024-09-07T00:00:00Z
Serial number: 9e2c5ec897e4534582e84b96909ad22a
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a138f5a0c3003c8e4730769ad8441c665ebf1b070736833c5e7d5eb533a9a0c3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
444
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2023-09-13 08:27:37 UTC
Tags:
raccoon
Link:
https://app.any.run/tasks/0df8f9c3-298e-4c9b-93c6-6c55222245d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448348/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.111682.29859.3977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin msbuild net net_reactor obfuscated overlay packed packed stealer
Link:
https://www.filescan.io/uploads/6501721bb572d5a2189b1c58/reports/18437bb5-65f0-4959-955c-3c225a1daa95/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a61da822-f1a6-4e4a-bd12-b89cd9b90af7
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308282
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 08:26:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
48
AV detection:
14 of 22 (63.64%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxajw4qzjcxwzxdk5gsnyn3x2umqf74ormnznoxihc6ns3j54paq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
34a74095cc9ddabe70e50a3dfaf54ba404db34e18e12270ff6afe8281b46b744
RecordBreaker
4bdfd777b579da177959f5854c16f8201e1501e0cf9394f4cfef13cd999fb9d9
RecordBreaker
5985c61ccf1e28e1421c0d18db0c744f3990afe987e559a1c45c7faae0e2db9f
RecordBreaker
69d090774ce99b248f9e76d50312cfcbc7cc8c333f390a0fdffc95f62d7a9631
RecordBreaker
78bad359d0652879dec380fee12b68cc4e14e4f63f8c4e23e7b75bb5338d5924
RecordBreaker
8d5f481be0bb03f0e59effda0fc86a0c9a7da2fb8964f2b4d00530f24231fc7c
RecordBreaker
9803731e075df4e1c00bc1e62794f1cf8f68158681020b50d37c008e03ba723d
RecordBreaker
+ 4 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon stealer
Link:
https://tria.ge/reports/230913-kbvmqadb72/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in System32 directory
Suspicious use of SetThreadContext
Raccoon
Raccoon Stealer payload
Unpacked files
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/59cbd236-2572-4178-b12d-88821612dce5/
SH256 hash:
8adee86876309a6309be25f2e7a0530cb101673dab30876eb52fe82f34ced2da
MD5 hash:
a19e84fd689bcb17b016267f427d0fd2
SHA1 hash:
7fb2b3ae726f25682f6d667387514c290a4aae3d
Link:
https://www.unpac.me/results/59cbd236-2572-4178-b12d-88821612dce5/
SH256 hash:
d981e3ed21ef6c70c23e928a767cb29cbc7807a8ff8b2eaeacf57b0ae86cc488
MD5 hash:
68346f9b142ef905bb1a502d4e828a79
SHA1 hash:
3c525bcbb43ea15f8313ae0cb5a4472655478433
Link:
https://www.unpac.me/results/59cbd236-2572-4178-b12d-88821612dce5/
SH256 hash:
b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1
MD5 hash:
e8eedfa9c23d565850e4b712c469dc96
SHA1 hash:
f2f601bc5c5ac13d007774d7a874f06d41360898
Link:
https://www.unpac.me/results/59cbd236-2572-4178-b12d-88821612dce5/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5c09b721948/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Password Stealer
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_RaccoonV2
Create hunting rule
Author:ditekSHen
Description:Detects Raccoon Stealer 2.0, also referred to as RecordBreaker
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe b5c09b721948af6cdc6ae9a4dc3777d51902ff8e8b1b96bae838bcd96d3de3c1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448348/
  
URLhaus
https://urlhaus.abuse.ch/url/2711458/

Comments