MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb77ff59d76bd99692b1dda4c1ca720c9922884c79e7e9592c1f5504fd18722f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

SHA256 hash: bb77ff59d76bd99692b1dda4c1ca720c9922884c79e7e9592c1f5504fd18722f
SHA3-384 hash: af2e7d67868b7923b69955a9c7b23817e5e25232a04e07777ff6f0bcbaac56995ba01a9db4944f39b2ddd8b7ce6a9d89
SHA1 hash: 198683bda56a51809f3f4d7310b2777b86d8be34
MD5 hash: 09cafe7f8e60107450296fd4aedb52b1
humanhash: network-dakota-fruit-ten
File name: 09cafe7f8e60107450296fd4aedb52b1.exe
Download: download sample
Signature RecordBreaker
File size: 245'720 bytes
First seen: 2022-08-18 07:51:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 671aa2c2e04d2049d50437e73dc464f9 (54 x RecordBreaker, 25 x RedLineStealer, 5 x Smoke Loader)
ssdeep 6144:yPqlWF+vEXRUR6AaEWjAOuRIXK8bBFAAdtZQC:yPqEF+cQ+9BNdXQC
TLSH T1A7348C4378E1CCF2C43216330AE4EBB5593DF9660B6359BB27950A7E5F242C0D521FAA
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://85.192.63.46/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://85.192.63.46/
ThreatFox reference: https://threatfox.abuse.ch/ioc/843816/

Intelligence


File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
ID:
1
File name:
09cafe7f8e60107450296fd4aedb52b1.exe
Verdict:
Malicious activity
Analysis date:
2022-08-18 07:53:51 UTC
Tags:
trojan raccoon recordbreaker loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CallSleep
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware overlay packed raccoonstealer smokeloader zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Verdict:
Malicious
Result
Threat name:
Raccoon Stealer v2
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Threat name:
Win32.Trojan.Recordbreaker
Status:
Malicious
First seen:
2022-08-18 07:33:17 UTC
File Type:
PE (Exe)
AV detection:
24 of 26 (92.31%)
Threat level:
5/5
Verdict:
malicious
Label(s):
raccoon
Gathering data
Unpacked files
SHA256 hash:
14b6c4b12441272edc2bd6e13284816579b98f11bd7edad8875db751ee86cbee
MD5 hash:
1ae168b87f633e869ca2502122878d31
SHA1 hash:
356a79adee6817a13b910bd1cfca15271a799134
Detections:
win_recordbreaker_auto
Parent samples :
SHA256 hash:
bb77ff59d76bd99692b1dda4c1ca720c9922884c79e7e9592c1f5504fd18722f
MD5 hash:
09cafe7f8e60107450296fd4aedb52b1
SHA1 hash:
198683bda56a51809f3f4d7310b2777b86d8be34
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: RaccoonV2
Author: @_FirehaK <yara@firehak.com>
Description: This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference: https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name: win_recordbreaker_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.recordbreaker.

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download
Signature: RecordBreaker
File type: Executable exe
SHA256 hash: bb77ff59d76bd99692b1dda4c1ca720c9922884c79e7e9592c1f5504fd18722f (this sample)
Details: Distributed via web download

Comments