MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b96ba1adef41f90c616ba72a4047735925f14d4745a87992732dcd1dc60b23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

SHA256 hash: c0b96ba1adef41f90c616ba72a4047735925f14d4745a87992732dcd1dc60b23
SHA3-384 hash: c79842e37c38d8e410d67efcddd1ec74b688846b07358acbe4167c0939287ed147846946e030d9bd5c1a91154b782c90
SHA1 hash: 73c02bb3add993ce71e9ee461494cd2584754066
MD5 hash: a4b5c22ad66abf713b53dd48a7b6da65
humanhash: floor-zulu-beer-west
File name: a4b5c22ad66abf713b53dd48a7b6da65.exe
Signature: RecordBreaker
File size: 1'575'824 bytes
First seen: 2022-09-21 09:18:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c72502f2d5ccc8f887bba24717678e47 (2 x RedLineStealer, 1 x RecordBreaker)
ssdeep: 24576:wgRocFUaFfzmT58FvIU5FL4vZzdhZ3lz3MUiAQrVdU91NMBnw4AUci:wgScyUfzmAQzZJL3lLn5+Vdw1NUPA4
TLSH: T102751202E5C4D4E1C1DBEE7B85B7697591A2CC1B8C964E479E0C2B7B4C78782472B2E8
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 71e8cc8686ccf030 (1 x RecordBreaker)
Reporter: abuse_ch
Tags: exe recordbreaker signed

Code Signing Certificate

Organisation: ok.com
Issuer: R3
Algorithm: sha256WithRSAEncryption
Valid from: 2022-09-02T20:13:33Z
Valid to: 2022-12-01T20:13:32Z
Serial number: 043052956e1e6dbd5f6ae3d8b82cad2a2ed8
Thumbprint Algorithm: SHA256
Thumbprint: 0d6a416199467edafc75d860c2a9559694e1fe18d7d2c5a3bd0e0ee5d5faa693
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch:
RecordBreaker C2:
http://45.11.19.99/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
http://45.11.19.99/    https://threatfox.abuse.ch/ioc/850873/

Intelligence

File Origin
# of uploads: 1
# of downloads: 284
Origin country: n/a

Vendor Threat Intelligence
Malware family: raccoon
ID: 1
File name: a4b5c22ad66abf713b53dd48a7b6da65.exe
Verdict: Malicious activity
Analysis date: 2022-09-21 09:21:55 UTC
Tags: trojan raccoon recordbreaker loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a process with a hidden window
Changing a file
Stealing user critical data
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 83%
Tags: babar greyware overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious
Result
Threat name: Allcome clipbanker, DarkTortilla, Raccoo
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Allcome clipbanker
Yara detected DarkTortilla Crypter
Yara detected Raccoon Stealer v2

Behaviour
Behavior Graph (ID: 707034, Sample: eDHe3XYrqf.exe, Startdate: 21/09/2022, Architecture: WINDOWS, Score: 100):
  Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 7 other signatures
  eDHe3XYrqf.exe (started)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> InstallUtil.exe (started)
       Network: 94.131.107.23 NASSIST-ASGI Ukraine; 217.64.195.216 SEEWEBWebhostingcolocationandcloudservicesIT Italy; 2 other IPs or domains
       Dropped: C:\Users\user\AppData\Roaming\g8Klb895.exe (PE32); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\LocalLow\nss3.dll (PE32); 7 other files (2 malicious)
       Signatures: Tries to harvest and steal browser information (history, passwords, etc); DLL side loading technique detected; Tries to steal Crypto Currency Wallets
       -> lK3KGIDR.exe (started)
          Network: 142.250.185.164 GOOGLEUS United States
          Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures
       -> g8Klb895.exe (started)
          Network: 192.168.2.1 unknown unknown
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
       -> 28Ih65AC.exe (started)
Threat name: Win32.Spyware.Raccoonstealer
Status: Malicious
First seen: 2022-09-16 17:51:31 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 22 of 26 (84.62%)
Threat level: 2/5
Verdict: malicious
Label(s): raccoon
Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 spyware stealer

Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE

Malware Config: Raccoon
C2 Extraction:
http://94.131.107.23/
http://45.11.19.99/

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 8687e1cc2b6b50e1a84aeaf15ac60ea8d504911cfb11ee7ab29f0bb31908c60d
MD5 hash: 557bafa5b521e989949dacadcb4fc72c
SHA1 hash: fdabd5306f1ce5fc1f64eb97ea5d3cf1f27d2bd8
Detections: raccoonstealer win_recordbreaker_auto

SHA256 hash: 309c72f0f2823d19e50e5c8819cbf4982e47d900a266fc1fa468d659714a5455
MD5 hash: c7cb7702e5f14d75e791ab6c9907d917
SHA1 hash: e0b98c6bfd9837626886e39c87ea2ecdf93378b5

SHA256 hash: c0b96ba1adef41f90c616ba72a4047735925f14d4745a87992732dcd1dc60b23
MD5 hash: a4b5c22ad66abf713b53dd48a7b6da65
SHA1 hash: 73c02bb3add993ce71e9ee461494cd2584754066

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: RaccoonV2
Author: @_FirehaK <yara@firehak.com>
Description: This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference: https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name: recordbreaker_win_generic
Author: _kphi

Rule name: win_recordbreaker_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.recordbreaker.

File information


The table below shows additional information about this malware sample such as delivery method and external references.