MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d64f8f88ebc713a396315b15ff8a0707a405fe67717aa74679f4a71f34a4162d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	d64f8f88ebc713a396315b15ff8a0707a405fe67717aa74679f4a71f34a4162d
SHA3-384 hash:	3924c5cf3727e39c4a41d7d18da228b41112b14f359fc8ee90b66d5f997ded9c37f66f303e6ba9b491ef4a61e9606f37
SHA1 hash:	fbaefb64948d42483be0b8bb7dd5fffea45824b4
MD5 hash:	a0933cde9f55c4045b6fb5c081f419be
humanhash:	alanine-nineteen-spring-north
File name:	a0933cde9f55c4045b6fb5c081f419be.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	1'675'264 bytes
First seen:	2023-03-09 20:05:50 UTC
Last seen:	2023-03-09 21:28:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:8lnofk9mIM9gkokoQWG0/Ua0Q1IYfk9mIM9gkokoQWG0/Ua0a2oni:8ck9mISfo60/UhQ1fk9mISfo60/Uhg
TLSH	T17075AFE42F5DB263E786A1B3684417A7DBACBE5D2917C0581EE2008FC1CDD7C5112EAE
TrID	53.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.7% (.EXE) Win64 Executable (generic) (10523/12/4) 4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://89.23.107.5/

Intelligence

File Origin

# of uploads :

# of downloads :

257

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a0933cde9f55c4045b6fb5c081f419be.exe

Verdict:

Malicious activity

Analysis date:

2023-03-09 20:07:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3bdb9bee-1e75-4302-9226-c2255fa0b1c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/373134/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

57%

Tags:

packed

Link:

https://www.filescan.io/uploads/640a3c2c797502788014210b/reports/95f59a2f-9686-4462-8b34-b58e10367acd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d64f8f88ebc713a396315b15ff8a0707a405fe67717aa74679f4a71f34a4162d

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7670c213-cf5d-4542-9146-52bb91f286e9

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

rans.troj.spyw

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1190726

Signature

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d64f8f88ebc713a396315b15ff8a0707a405fe67717aa74679f4a71f34a4162d/

Threat name:

ByteCode-MSIL.Trojan.Privateloader

Status:

Malicious

First seen:

2023-03-09 19:59:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2zhy7chly4j2hfrrlmk77cqha6sal7thof5kortz6str6nfecywq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230309-yvebqsbf81/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

8dbb60ab2003358d65bf9c2a74571150224d9cfbcb84991dc6584f118a8c4322

MD5 hash:

5486fa36ca503a039282fa00ea17d919

SHA1 hash:

e3dbb9be7a1d30ecf1be6f05ba9eb7c790fd7199

Link:

https://www.unpac.me/results/6d7012e2-a2eb-449a-8371-a1bd208e6874/

SH256 hash:

498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f

MD5 hash:

f4e7e91d4fdda2d3feb401b5b1d53abf

SHA1 hash:

cf9e76e6418850ac853bd9c6ce82a0be7920fc1d

Link:

https://www.unpac.me/results/6d7012e2-a2eb-449a-8371-a1bd208e6874/

SH256 hash:

eba71548c9696387c2400754ee768913d5654efed56d4278d3f54d294a2d02b0

MD5 hash:

d97ce4a2393a5e83e9439b36313f1014

SHA1 hash:

ce8fb1781704fab9f5dfb5f577b471181637c6d4

Link:

https://www.unpac.me/results/6d7012e2-a2eb-449a-8371-a1bd208e6874/

SH256 hash:

937070c0a974032e7e7bf0b3f8abe5bcf69578b064aa33d2aa0fc97e74f61189

MD5 hash:

984b05150001a45370073f89f5f56ee7

SHA1 hash:

1b0db808f4cf9f315ff13f17ee09c12caa063c1f

Link:

https://www.unpac.me/results/6d7012e2-a2eb-449a-8371-a1bd208e6874/

SH256 hash:

8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c

MD5 hash:

e5b073b30db1b058298f5df032164e4d

SHA1 hash:

15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca

Link:

https://www.unpac.me/results/6d7012e2-a2eb-449a-8371-a1bd208e6874/

SH256 hash:

d64f8f88ebc713a396315b15ff8a0707a405fe67717aa74679f4a71f34a4162d

MD5 hash:

a0933cde9f55c4045b6fb5c081f419be

SHA1 hash:

fbaefb64948d42483be0b8bb7dd5fffea45824b4

Link:

https://www.unpac.me/results/6d7012e2-a2eb-449a-8371-a1bd208e6874/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d64f8f88ebc713a396315b15ff8a0707a405fe67717aa74679f4a71f34a4162d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/373134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample