MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c45a9b56d9fd1edfbefdb2b124e27bebb1f7cec2126e3031a7c0d82e3624aa8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c45a9b56d9fd1edfbefdb2b124e27bebb1f7cec2126e3031a7c0d82e3624aa8f
SHA3-384 hash: d0505460ec3e0495076146382fa2837a978c70362417231b98d143a6f54d913f4566bfc5ea6c58573ec1ac9f420f3d05
SHA1 hash: fd946976be14dd8a9fea499138107465848d3a4c
MD5 hash: 6909f15203fad4b8cd743dc9b1488f27
humanhash: queen-black-earth-oranges
File name:6909f15203fad4b8cd743dc9b1488f27.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:233'984 bytes
First seen:2023-10-03 00:05:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a7960cb042304220b44306228fd698f9 (3 x Stealc, 2 x Tofsee, 2 x Smoke Loader)
ssdeep 3072:NVm8XyErZLlx6CqUV3Dhuhi4yTeGH1LxC3ny7GWNALjdpZ5+fF2n/Q:Lm2Lr6bstKyKGH9xC3y7W292n
Threatray 47 similar samples on MalwareBazaar
TLSH T16134D02279B1C0B2D6E745B9A870DB957EFEB9221361C15F37641A9E5F203D0AB32307
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 020600010a302000 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://5.78.80.43:8388/

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
9f5e9c7125371340b125a859ed102f07.exe
Verdict:
Malicious activity
Analysis date:
2023-10-02 23:37:37 UTC
Tags:
gcleaner loader stealer raccoon recordbreaker
Link:
https://app.any.run/tasks/0338204f-447c-485c-9c6b-36d0c7f48aad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452761/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/651b5aea9b16696e9f8d45bd/reports/6ed5db8d-5950-4e6a-bc4a-111114edcf79/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/c45a9b56d9fd1edfbefdb2b124e27bebb1f7cec2126e3031a7c0d82e3624aa8f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2903867c-aeb7-40a0-a3cf-1a55a2fbcbeb
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1318360
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c45a9b56d9fd1edfbefdb2b124e27bebb1f7cec2126e3031a7c0d82e3624aa8f/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 00:06:05 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
23 of 24 (95.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrnjwvwz7upn7px5wkysjyt35oy7ptwccjxdamnhydmc4nrevkhq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1406293eef687c73d84fff0be7d1a47bc973b79fb4b208dc4a31f311684e2bf8
RecordBreaker
595aefb01f819eeef533258c04af5487164119bdd92bcd735a26de9f5935832d
RecordBreaker
84d1b1f0588cac4fb502da345ed7ee3bae4000b7f6b096a7bc797789c1fe8120
RecordBreaker
981923aeeddd4c6f2b68c6b1c0e80f6b4ca6495e200562f371215e37cb7885ac
RecordBreaker
abcbbdb2a2eb219a82c3f446f74ac6ef93a3deb11e4c277dee8c106792d7b783
RecordBreaker
e5bb90639329e6ea1595260e72a4ffd479e0c2957086bcdb180efb1617adcdde
RecordBreaker
e5e5abe00e82ad616e13abd1768769dc8d31b4e1a5b79955219cea34c395e9df
RecordBreaker
f62d3ac335a3bff0698d08076dd7fb06c806706879fcf66bfc17a25eb7673fdf
RecordBreaker
fe83636233da5eeb406ddcd43a4beb5ed9629797073fba5415c2b4450aad0647
RecordBreaker
+ 37 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9c05379df6f1d02ae49f9ee18aad8c17 discovery spyware stealer
Link:
https://tria.ge/reports/231003-adq27sfc5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction:
http://5.78.80.43:8388/
Unpacked files
SH256 hash:
f78f031d50c388e06bafe028fa1ac9416507f3d7e804b3a67cd02300db2df532
MD5 hash:
4ccc583c6a5cc1dde3917d7c3e2c63b3
SHA1 hash:
7e7eb58434261122af33fcdb084de96bf27fe205
Link:
https://www.unpac.me/results/bac9a3a3-458c-460c-843a-6bc1befe5437/
SH256 hash:
c45a9b56d9fd1edfbefdb2b124e27bebb1f7cec2126e3031a7c0d82e3624aa8f
MD5 hash:
6909f15203fad4b8cd743dc9b1488f27
SHA1 hash:
fd946976be14dd8a9fea499138107465848d3a4c
Link:
https://www.unpac.me/results/bac9a3a3-458c-460c-843a-6bc1befe5437/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c45a9b56d9fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c45a9b56d9fd1edfbefdb2b124e27bebb1f7cec2126e3031a7c0d82e3624aa8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe c45a9b56d9fd1edfbefdb2b124e27bebb1f7cec2126e3031a7c0d82e3624aa8f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715904/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/452761/

Comments