MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60a8ca340e41956d42ef0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60a8ca340e41956d42ef0
SHA3-384 hash: 95133a6ffb8c3fba416ae45271e770f4b841d6f65fb1f0108e2b1df56287aa3bf5e4a4ae3c97e7db607dc4175eb04c94
SHA1 hash: 008fddba90148dd4153f52af91ad4a8d51a0b8d9
MD5 hash: cd0f0ac51d617e7deea5a192f2e2c9d6
humanhash: eight-colorado-princess-fanta
File name:bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:309'248 bytes
First seen:2022-11-04 19:50:32 UTC
Last seen:2022-11-05 09:30:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 16b436c30f39ef43763690a76519424b (6 x Smoke Loader, 5 x Amadey, 5 x RecordBreaker)
ssdeep 3072:mBGbzTCEIYhxP5FZI4Do9tzxHm8y9C9dkndrTbPNMVQDo64zUT:kGbzTbB2dxG8y9XNH2ao6b
Threatray 921 similar samples on MalwareBazaar
TLSH T15B64CFE13690C072C0E755318529C7E25BBEB9322566D94BFBB4266D4F3C3C2A63A317
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://95.141.41.13/

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60.exe
Verdict:
Malicious activity
Analysis date:
2022-11-04 19:51:24 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/3bffd3fa-95de-435c-95a7-9da38099f25e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328797/
Detection(s):
Can't access file ERROR
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/63656d2815611f8d8bf8e17d/reports/15fe6ec0-f211-42a1-9e32-46d8e5b98a86/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/26b3edf9-9bf9-4a62-b294-f1de8869c9f4
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1105722
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60a8ca340e41956d42ef0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-04 19:51:08 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xx37cpokmxo46ejot73x63vgziamtxbd6x3avdfdidsbsvwuf3ya._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
508c885f4485d15fa5cf949ef900d14f16f763e702e2a45867d7192938529c30
RecordBreaker
70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a
RecordBreaker
98b71364c59171da0e9d98e40caec2ade8668da7389d63cb353124bcfd8ae925
RecordBreaker
99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5
RecordBreaker
b8450b53b8d32f064e1dc0c7229c542e833fbfdb8a18d481125444f0f8048edc
RecordBreaker
d2a3379a95cf890e4f8a739171aca247cd9cc40c90262d4eb42dccf9b420c59d
RecordBreaker
e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0
RecordBreaker
+ 911 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:dde3f69d00a438843e8c5509eb29534e stealer
Link:
https://tria.ge/reports/221104-yks25saea7/
Behaviour
Program crash
Raccoon
Malware Config
C2 Extraction:
http://95.141.41.13/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/18a3e0c5-d1f1-4da4-be1e-ec8fef49e843
Unpacked files
SH256 hash:
bc6aa377d08ec4ec24168e2f958a3e23a793958c6d384cf45d21493b2d2faab7
MD5 hash:
ad0b4512e038e480f9ff794af18bcdcb
SHA1 hash:
4baea88e2cc6b78321dc0f537bcc78bf2d9686ae
Link:
https://www.unpac.me/results/4d0b724a-ec81-4da9-93fa-1bd55d2123a9/
SH256 hash:
bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60a8ca340e41956d42ef0
MD5 hash:
cd0f0ac51d617e7deea5a192f2e2c9d6
SHA1 hash:
008fddba90148dd4153f52af91ad4a8d51a0b8d9
Link:
https://www.unpac.me/results/4d0b724a-ec81-4da9-93fa-1bd55d2123a9/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdf7f13dca65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60a8ca340e41956d42ef0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe bdf7f13dca65ddcf112e9ff77f6ea6ca00c9dc23f5f60a8ca340e41956d42ef0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/328797/
  
URLhaus
https://urlhaus.abuse.ch/url/2401256/
  
Delivery method
Distributed via web download

Comments