MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b803f8964ba32cb741ae8f49c57609a81eb155f1af105c430d4ef22c506840b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 16



SHA256 hash: b803f8964ba32cb741ae8f49c57609a81eb155f1af105c430d4ef22c506840b0
SHA3-384 hash: 8eabc8ddc8e099a941e2f2fcde0eda059b533df2b3ac76b5c41fae4e02b5577b5e9cee4632ea5eae66e6b86dd7e3c45c
SHA1 hash: ffe8d5495035b07f0e77697a442f6d92c1af7eca
MD5 hash: 23776ff8b01b453a94d4ebfe99002121
humanhash: oranges-eight-papa-golf
File name: REVISED - Delay Notice - OB做1013 - #449326830 925 CURTIS TAOSAINT LOUIS SO J228.scr
Download: download sample
Signature: RecordBreaker
File size: 504'832 bytes
First seen: 2023-10-13 20:10:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:jvo7Wv9Co8/GvnWIjkui4d+bZyNK3o/PV:jvoiv9CZ/G/WtGdy4I3o/PV
Threatray: 267 similar samples on MalwareBazaar
TLSH: T17FB40240B23A2BA7D87B17F55442650B1BF2553B6876E34A9CEE70EB60A4F110BC1F27
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe recordbreaker scr

Intelligence


File Origin
# of uploads: 1
# of downloads: 331
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: REVISED - Delay Notice - OB做1013 - #449326830 925 CURTIS TAOSAINT LOUIS SO J228.scr
Verdict: No threats detected
Analysis date: 2023-10-13 20:12:19 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: masquerade packed recordbreaker
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected AntiVM3
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-10-12 08:24:56 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 16 of 22 (72.73%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash: 5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash: f0a192969485d1bc34bf52adf37d9c20176d6b85

SHA256 hash: ffabc13f7fad5bea21ab9b04b5c04700394db8ec812f01af098dfbd213b0cded
MD5 hash: bb95d7e54d7271723c25cf89f5bc63fc
SHA1 hash: c00a879d8c2bf1d1600387eee96b70f53fa53a39

SHA256 hash: 475a9d03ae7c7c02f06526c22e6b3090a43c4754da1cf9fc52d6a6f3fbf9af53
MD5 hash: 8c53e8ec9453b739640d410129739ead
SHA1 hash: 4cfd56811aa59caba9d1ec7a438638d3140e9d80
Detections: win_recordbreaker_auto

SHA256 hash: 51db9b009d6df82f86b6881280b951a770f4e24a90da85df89fb3daffc8f8291
MD5 hash: b95996a74e170997cd753e8a64e657ae
SHA1 hash: 153936eb81a3db46e57768cf3d9d8cbf5d021cd0

SHA256 hash: b803f8964ba32cb741ae8f49c57609a81eb155f1af105c430d4ef22c506840b0
MD5 hash: 23776ff8b01b453a94d4ebfe99002121
SHA1 hash: ffe8d5495035b07f0e77697a442f6d92c1af7eca
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings

Rule name: Check_OutputDebugStringA_iat

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: MALWARE_Win_RaccoonV2
Author: ditekSHen
Description: Detects Raccoon Stealer 2.0, also referred to as RecordBreaker

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_recordbreaker_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.recordbreaker.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments