MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f
SHA3-384 hash: 25b531db56a3245fbbfa15d1795b26cb3fc0ce6effcb2baff3020b2701265600a6bb593148ced7b5709ef3a99ab499a2
SHA1 hash: 52498377b6a6f5cd0354715210c30880046cc522
MD5 hash: 1105205ff1ec21dac77d2f7275190fc5
humanhash: kilo-oklahoma-finch-mirror
File name:1105205ff1ec21dac77d2f7275190fc5.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:233'472 bytes
First seen:2023-06-15 20:25:07 UTC
Last seen:2023-06-15 20:35:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 99ae33530ebff97e88a1ac2c3129a9f7 (2 x RedLineStealer, 2 x Rhadamanthys, 2 x Stop)
ssdeep 3072:HwusU4MKgzU4flw19V60sUxJBFFH1cnh:QuD4MKkRflG9V6EzFFH1
Threatray 2'948 similar samples on MalwareBazaar
TLSH T15A34AE12EEF0AC32D166DF728D6AC5D53B1EFD508E24679B22182A1F09B11B0C972779
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 016062464a421810 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://149.255.35.140/

Intelligence

File Origin
# of uploads :
2
# of downloads :
351
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
1105205ff1ec21dac77d2f7275190fc5.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 20:28:31 UTC
Tags:
raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/48ef9327-6f8e-41b0-a947-91bc2f1a1c56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399309/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.14546.26345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Launching a process
Stealing user critical data
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90937/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/648b73da8815ff2f54944da7/reports/614c9b93-07cf-4c3b-97c1-89a43b2f9bf9/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/224fb16a-0d89-4b84-ad2b-9636197d36c1
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255604
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 888622 Sample: 5BImyJbP7u.exe Startdate: 15/06/2023 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic 2->72 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 6 other signatures 2->78 10 5BImyJbP7u.exe 26 2->10         started        15 R.exe 2->15         started        process3 dnsIp4 64 149.255.35.140, 49700, 80 HVC-ASUS Netherlands 10->64 66 cdn.discordapp.com 162.159.130.233, 443, 49701 CLOUDFLARENETUS United States 10->66 68 192.168.2.1 unknown unknown 10->68 56 C:\Users\user\AppData\Roaming\XZy7bzH9.exe, PE32+ 10->56 dropped 58 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 10->58 dropped 60 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 10->60 dropped 62 5 other files (3 malicious) 10->62 dropped 90 Detected unpacking (changes PE section rights) 10->90 92 Detected unpacking (overwrites its own PE header) 10->92 94 Tries to harvest and steal browser information (history, passwords, etc) 10->94 96 Tries to steal Crypto Currency Wallets 10->96 17 XZy7bzH9.exe 5 10->17         started        file5 signatures6 process7 file8 54 C:\ProgramData\SonyProduction\R.exe, PE32+ 17->54 dropped 80 Multi AV Scanner detection for dropped file 17->80 82 Detected unpacking (changes PE section rights) 17->82 84 Machine Learning detection for dropped file 17->84 86 Adds a directory exclusion to Windows Defender 17->86 21 cmd.exe 1 17->21         started        24 powershell.exe 19 17->24         started        26 powershell.exe 19 17->26         started        signatures9 process10 signatures11 88 Uses schtasks.exe or at.exe to add and modify task schedules 21->88 28 R.exe 14 4 21->28         started        32 conhost.exe 21->32         started        34 timeout.exe 1 21->34         started        36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        process12 dnsIp13 70 179.43.140.168, 443, 49703, 49704 PLI-ASCH Panama 28->70 98 Multi AV Scanner detection for dropped file 28->98 100 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->100 102 Machine Learning detection for dropped file 28->102 104 Adds a directory exclusion to Windows Defender 28->104 40 cmd.exe 28->40         started        42 powershell.exe 28->42         started        44 powershell.exe 28->44         started        signatures14 process15 process16 46 conhost.exe 40->46         started        48 schtasks.exe 40->48         started        50 conhost.exe 42->50         started        52 conhost.exe 44->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-06-15 20:26:06 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ojgiayeiruhodrquxlfh64dywzgf6iwqlhgku7ogiuhyatvhrhq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0baf82e29d938f8ce86d56784d4249181155983eecbfdae1f7324705b152da7b
RecordBreaker
4be018b42359a6b39fd310c13bf0b99108df248ce85415878ca7d59258541b6b
RecordBreaker
4cb0b838560c4e859b8aa29c40fffde2f196a827eda7f69a2b766299651c50df
RecordBreaker
6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2
RecordBreaker
710b3f75954a006368d8ebff83e35a8c815f26bdf2b58d62e1a5ffdbc88cd20f
RecordBreaker
d3e129d7d38d514584d7c468f749c2ccec3e321e731af52b88704d083b2abf84
RecordBreaker
e1c3e42f794ea8db905580fa5ac184a3d06cba1ab0ac47d6bd686c24fe0b6c99
RecordBreaker
+ 2'938 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230615-y7tl7abb36/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
e67f21004aa39c8dd8edeec62374cd46c241fb21243c92e297aae8a3771e219f
MD5 hash:
526f98deb3833fa357b3ac95a4e0091f
SHA1 hash:
3fcf02c75a0da388e59ef4a9e5c1aca375c36958
Detections:
raccoonstealer
Create hunting rule
Link:
https://www.unpac.me/results/fd9c5a3d-cdb0-4171-8f49-e6d16eee8a84/
Parent samples :
542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef
db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f
SH256 hash:
db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f
MD5 hash:
1105205ff1ec21dac77d2f7275190fc5
SHA1 hash:
52498377b6a6f5cd0354715210c30880046cc522
Link:
https://www.unpac.me/results/fd9c5a3d-cdb0-4171-8f49-e6d16eee8a84/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db9264030444/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db926403044468770e30a5d653fb83c5b262f91682ce6553ee32287c02753c4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/399309/

Comments