MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393
SHA3-384 hash: 8a6c3b3be49b1638f8c63cfecfba70fa2ae50ada1da21a865c91e9a454f059630dd18e2855ca904daf6a889b0f6ac603
SHA1 hash: 7cee03adb681f53668e1f6ff8823c0fdcdc903b4
MD5 hash: 02a9d3d1420152eb639a16d34ec2ebbf
humanhash: robin-lima-minnesota-beryllium
File name:cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'231'016 bytes
First seen:2023-06-13 10:45:21 UTC
Last seen:2023-06-13 11:58:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:viOohBuHsHjByXXXZzjz8+nITzGzArrqr/Kr15rbArSKr6rBv:viRdaXXhBITzGz
Threatray 839 similar samples on MalwareBazaar
TLSH T19C458C5673085822E6DF9435CD9F08FA5F32BF12C9B1911A72972D8E31B242F9C6B712
TrID 47.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.1% (.EXE) InstallShield setup (43053/19/16)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0cf8f0e0c7d3f303 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker signed

Code Signing Certificate

Organisation:GIGABYTE B660M DS3H DDR4 (rev. 1.0)
Issuer:GIGABYTE B660M DS3H DDR4 (rev. 1.0)
Algorithm:sha1WithRSAEncryption
Valid from:2023-06-12T12:37:43Z
Valid to:2033-06-13T12:37:43Z
Serial number: 222b192352050b9b403e64372138f5d2
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 37542055dfa9e1fbae7511304c3c6ace9cfa8f6030ea75f68f9e3294e1dba18e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RecordBreaker C2:
http://95.164.86.208/

Intelligence

File Origin
# of uploads :
2
# of downloads :
376
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f.exe
Verdict:
Malicious activity
Analysis date:
2023-06-13 10:48:45 UTC
Tags:
installer raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/1a6fe909-fe37-40e0-892d-4350b296b09c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398248/
Detection(s):
SecuriteInfo.com.Trojan.MSIL2.29993.27524.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros overlay packed packed
Link:
https://www.filescan.io/uploads/648848ec08b287b7595b6b51/reports/9db46cc5-14ff-4f8a-a49e-a104e77f7a33/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e90b6b50-0bbe-4d5c-8513-201d3fb601c9
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253538
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2023-06-13 10:46:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
104
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6kzwt26rw6vxdatxsurpey4nmbkzy6mha27n4oyqqcqsxdj4ojq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
03577d17dd44e6dbf63a555a3ae8de4cced57f237980fc2c7a74edac2f66d29c
RecordBreaker
035c9b74eb554db2c071ab90d77d252027c36ba3995597fb61f81ef0f72c911e
RecordBreaker
079d4fb4e951c8072a66799ef1524aca47d34de646bffb34125cc3b60533c338
RecordBreaker
0a7104481d9a86895362b28a49420c90427054217fd82ba9a5ebbb2a086e61a2
RecordBreaker
1546e632cb3cd6abb0497a1e941d7c1afefd3d1bc7582b63f49d948241406b80
RecordBreaker
1f1051d96cb5c92ca2a1677d2b33bd22d1aeb1ebcf0421643a60ae92a0c364ae
RecordBreaker
4d79b33e220433112cc2b309be56a1fa511d59c376b19df936c5debbd14d4728
RecordBreaker
881b9954a4f1debc7e45fecb6072f05daa542c368af208156fd624d5b5fabc95
RecordBreaker
923dece3727e56390fd3e56305a2e30f0599c6ae7b79877aa2c9823af34fcf9c
RecordBreaker
cd800688bc80efe2b52af54dae15b709c8c9bb878d6d10c67367625c57b3e5a3
RecordBreaker
+ 829 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230613-mtys7sfh22/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
.NET Reactor proctector
Unpacked files
SH256 hash:
b0a8972dc2b7c16a4e86da04f018f57e28086c1b24f6c323eaf891ae036bec14
MD5 hash:
b45a476c0d8b2ef04c8dbad5ae940032
SHA1 hash:
c5acf250b91a502bf5f73d9cb63eaabb7317b68a
Link:
https://www.unpac.me/results/2b3b7612-3d21-44f3-ba68-401fc1d776b3/
SH256 hash:
a39f62ea9a1623edc7d2faa3a05572c7ddece9d8ca01acb89689f61e9ee55e1f
MD5 hash:
426f629c9d0cc3a08581db8b09d64f7e
SHA1 hash:
99eb955ceb7f9865063864147dca1493c16e1058
Detections:
raccoonstealer
Create hunting rule
Link:
https://www.unpac.me/results/2b3b7612-3d21-44f3-ba68-401fc1d776b3/
SH256 hash:
a440b5929848e6071f401a94fc1a040f14094bf7701b151ff409aeaa60e05f95
MD5 hash:
909be53831182d523ccea3c428d59c4f
SHA1 hash:
8f8f99a97544638bdfc02b5f8054f833f46eccaa
Link:
https://www.unpac.me/results/2b3b7612-3d21-44f3-ba68-401fc1d776b3/
SH256 hash:
cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393
MD5 hash:
02a9d3d1420152eb639a16d34ec2ebbf
SHA1 hash:
7cee03adb681f53668e1f6ff8823c0fdcdc903b4
Link:
https://www.unpac.me/results/2b3b7612-3d21-44f3-ba68-401fc1d776b3/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf959b4f5e8d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe cf959b4f5e8dbd5b8c13bca917931c6b02ace3cc3835f6f1d88405095c69e393

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/398248/
  
URLhaus
https://urlhaus.abuse.ch/url/2659317/
  
Delivery method
Distributed via web download

Comments