MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa
SHA3-384 hash: 8dd998e1ac0649ba48dc144f610e7f568389a2cc505a210e599a8bc13d33006c022c4fb6a4ae13b66753387a70ef4c43
SHA1 hash: efed6e321f531c6c38c742b1a86472795a478d71
MD5 hash: 13c439f2aa37547fcd115cf3e134dc39
humanhash: sweet-sodium-mexico-cat
File name:13c439f2aa37547fcd115cf3e134dc39.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'276'928 bytes
First seen:2023-10-24 22:35:40 UTC
Last seen:2023-10-24 23:58:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f324049a53d99c6596f2acda01d12740 (1 x RecordBreaker)
ssdeep 24576:oDKMNt8ifoRO+16tg8UNkPaguM8JKwlghk+s:oDKs8vIsT+I7g8
Threatray 640 similar samples on MalwareBazaar
TLSH T1094529B2E2A0492DF323937F6425439A4438E9A237670DF95DD7F42A97143AC132FE46
TrID 68.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13097/50/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 68ecdcfed2d4ecf0 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://62.113.119.179/

Intelligence

File Origin
# of uploads :
2
# of downloads :
367
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
13c439f2aa37547fcd115cf3e134dc39.exe
Verdict:
Malicious activity
Analysis date:
2023-10-24 22:44:35 UTC
Tags:
autoit stealer raccoon recordbreaker
Link:
https://app.any.run/tasks/d2e9e18c-d963-4597-83d5-afd6f60c1aad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Raccoon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456086/
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.46484.21215.27628.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Searching for the window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Link:
https://www.filescan.io/uploads/653846d4e3768e7905ca34f5/reports/74e8e12e-7d87-4d50-9fb3-17d855eb90b4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/73d1761b-98de-4848-a842-099a2c648809
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1331568
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found malware configuration
Injects a PE file into a foreign processes
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1331568 Sample: NevPRIzrpW.exe Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 40 RtYZmeftGgnOYBSyUiBtBlzXoDs.RtYZmeftGgnOYBSyUiBtBlzXoDs 2->40 46 Snort IDS alert for network traffic 2->46 48 Found malware configuration 2->48 50 Yara detected Raccoon Stealer v2 2->50 52 C2 URLs / IPs found in malware configuration 2->52 10 NevPRIzrpW.exe 12 2->10         started        signatures3 process4 file5 38 C:\Users\user\AppData\Local\...\Collected, PE32 10->38 dropped 13 cmd.exe 1 10->13         started        process6 signatures7 62 Uses ping.exe to sleep 13->62 64 Drops PE files with a suspicious file extension 13->64 66 Uses ping.exe to check the status of other devices and networks 13->66 16 cmd.exe 1 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 44 Uses ping.exe to sleep 16->44 21 Rn.pif 16->21         started        24 cmd.exe 2 16->24         started        27 tasklist.exe 1 16->27         started        29 3 other processes 16->29 process10 file11 54 Found API chain indicative of debugger detection 21->54 56 Found API chain indicative of sandbox detection 21->56 58 Contains functionality to modify clipboard data 21->58 60 2 other signatures 21->60 31 Rn.pif 12 21->31         started        34 Rn.pif 21->34         started        36 C:\Users\user\AppData\Local\Temp\...\Rn.pif, PE32 24->36 dropped signatures12 process13 dnsIp14 42 62.113.119.179, 49714, 80 VDSINA-ASRU Russian Federation 31->42
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-20 06:51:00 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zh7rlg4cmzq6ui3b5z5f3w374j6ag3uza34tzqyc4twyqupu775a._file
Verdict:
malicious
Similar samples:
2c451ecf5feca99ed7b4e199a0aa4636c03cc3a2afe218ce5cffb75755c25c61
RecordBreaker
37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1
RecordBreaker
717957544dcfbf0a92f33a1ab039d4197fd7c4b21615ec2fa9a730ef74e24c85
RecordBreaker
9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
RecordBreaker
a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
RecordBreaker
ed70d26100b509a7b74ae7b12260c679a05a6bad291a5e40ef6a44a9fb3fdef7
RecordBreaker
eeb17e6d418ca892e7fc46aa88fba3fc6dd0b72d38c4e7accc58facb15504a97
RecordBreaker
ff1d81df2395cd32a5976882993a6af8a6aa2a3be90ddb69a01da429a75de6d2
RecordBreaker
+ 630 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:48576d61a017d3386d2f0c737f3ea0e2 stealer
Link:
https://tria.ge/reports/231024-2h8llaba99/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Raccoon
Raccoon Stealer payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://62.113.119.179:80/
Unpacked files
SH256 hash:
5f3865dd196edc6485773376ffa452bd67f36e3edf73262e9983b8ba42573237
MD5 hash:
1e02c5df4b470749d11a19b288900383
SHA1 hash:
2d08102294b4af314f711c5315fc46288483291a
Link:
https://www.unpac.me/results/c6d2d07f-84c9-4c51-9160-9d491caa1d26/
SH256 hash:
c9ff159b826661ea2361ee7a5ddb7fe27c036e9906f93cc302e4ed8851f4fffa
MD5 hash:
13c439f2aa37547fcd115cf3e134dc39
SHA1 hash:
efed6e321f531c6c38c742b1a86472795a478d71
Link:
https://www.unpac.me/results/c6d2d07f-84c9-4c51-9160-9d491caa1d26/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9ff159b8266/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456086/

Comments