MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba69e1ed08c7288821223595c9b220bc5c53d0485930958a1db415a3f7f56945. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 15

SHA256 hash: ba69e1ed08c7288821223595c9b220bc5c53d0485930958a1db415a3f7f56945
SHA3-384 hash: f4339c699ab1400ed98ad0f6a376e3e4908a3ace293433b40068aed6a0193c0a2b9739aca6fb66cc9326c0a6628131e8
SHA1 hash: 5cf9e39d3274273fea990e108ee796d6f3f840e2
MD5 hash: 9f43a1390f06a8abfcc818472281221f
humanhash: pizza-fillet-triple-delaware
File name: 9f43a1390f06a8abfcc818472281221f.exe
Signature: RecordBreaker
File size: 245'720 bytes
First seen: 2022-08-18 00:55:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 671aa2c2e04d2049d50437e73dc464f9 (54 x RecordBreaker, 25 x RedLineStealer, 5 x Smoke Loader)
ssdeep: 6144:hfxlWlpgUXRkxzjEPjAOs51MUBbxasaZQC:hfxklpJHlQC
TLSH: T1C7349E0077D2C072D87B183609E4D6B5793DB8324B7249BF2B951B7EAF34AC09E3165A
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://85.192.63.46/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://85.192.63.46/ | https://threatfox.abuse.ch/ioc/843816/

Intelligence


File Origin
# of uploads:
1
# of downloads:
302
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
raccoon
ID:
1
File name:
9f43a1390f06a8abfcc818472281221f.exe
Verdict:
Malicious activity
Analysis date:
2022-08-18 00:58:17 UTC
Tags:
trojan raccoon recordbreaker loader stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Raccoon Stealer v2
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Threat name:
Win32.Trojan.Convagent
Status:
Malicious
First seen:
2022-08-18 00:56:08 UTC
File Type:
PE (Exe)
AV detection:
25 of 26 (96.15%)
Threat level:
5/5
Verdict:
malicious
Label(s):
raccoon
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash:
14b6c4b12441272edc2bd6e13284816579b98f11bd7edad8875db751ee86cbee
MD5 hash:
1ae168b87f633e869ca2502122878d31
SHA1 hash:
356a79adee6817a13b910bd1cfca15271a799134
Detections:
win_recordbreaker_auto
Parent samples:
SHA256 hash:
ba69e1ed08c7288821223595c9b220bc5c53d0485930958a1db415a3f7f56945
MD5 hash:
9f43a1390f06a8abfcc818472281221f
SHA1 hash:
5cf9e39d3274273fea990e108ee796d6f3f840e2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: RaccoonV2
Author: @_FirehaK <yara@firehak.com>
Description: This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference: https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name: win_recordbreaker_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.recordbreaker.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RecordBreaker
  Executable exe ba69e1ed08c7288821223595c9b220bc5c53d0485930958a1db415a3f7f56945 (this sample)

Delivery method: Distributed via web download