MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee
SHA3-384 hash: 4ddd330fa5eda9668a7101f5015b13c20529bc676505a99f699675f332d0e51c0c6d6de349b7c11c92f8049ad2fd55a6
SHA1 hash: 7b55fcbae0b8c90100a0b8b999292e1c83ab5947
MD5 hash: 4bad8e019dc6d8254185426c2fef0c59
humanhash: gee-louisiana-mobile-neptune
File name:4bad8e019dc6d8254185426c2fef0c59.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'673'120 bytes
First seen:2022-10-07 17:30:23 UTC
Last seen:2022-10-07 19:14:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bda57d298bb9003a0c4a6884d4ab9606 (1 x RecordBreaker)
ssdeep 49152:Tm5PrbWIRjUx3FEcLhbu32hEwdGvmKdAzDJ6SM:Tm5j0icVY2hNdGuKdAc
TLSH T14B751213F7F10430C153AA769921AB5DA438AFA0DD32C0CBA1A58F61CF67EF2D719256
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0371f0d4cce87113 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker signed

Code Signing Certificate

Organisation:designed.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-26T02:16:28Z
Valid to:2022-11-24T02:16:27Z
Serial number: 035e24463ef89fb13623de7263f45a0f27e2
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 4b45d81c2ab2ba8cdf7911da974079261ed3ea61d0f0e600312b28f3496a376b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RecordBreaker C2:
http://5.2.70.65/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.2.70.65/ https://threatfox.abuse.ch/ioc/872024/

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/317706/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.34590.13353.24107.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Reading critical registry keys
Sending an HTTP GET request
Changing a file
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41877/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6340625949c58ce767c68c81/reports/b9c89176-fcae-426b-b11d-02d2588f7282/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b42c0e91-ec2b-4fb9-9466-499df4913187
Result
Threat name:
Allcome clipbanker, DarkTortilla, Raccoo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1085935
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Allcome clipbanker
Yara detected DarkTortilla Crypter
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 718496 Sample: Lul3W1R6fF.exe Startdate: 07/10/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 7 other signatures 2->53 7 Lul3W1R6fF.exe 2->7         started        process3 signatures4 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 59 Injects a PE file into a foreign processes 7->59 10 InstallUtil.exe 57 7->10         started        process5 dnsIp6 29 45.15.156.150, 49705, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 10->29 31 45.15.156.170, 49706, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 10->31 33 3 other IPs or domains 10->33 21 C:\Users\user\AppData\LocalLow\yRNV8d6Y.exe, PE32 10->21 dropped 23 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 10->23 dropped 25 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 10->25 dropped 27 6 other files (4 malicious) 10->27 dropped 61 Tries to harvest and steal browser information (history, passwords, etc) 10->61 63 DLL side loading technique detected 10->63 65 Tries to steal Crypto Currency Wallets 10->65 15 JA977q6e.exe 15 2 10->15         started        19 yRNV8d6Y.exe 10->19         started        file7 signatures8 process9 dnsIp10 35 www.google.com 142.250.186.36 GOOGLEUS United States 15->35 37 Multi AV Scanner detection for dropped file 15->37 39 Detected unpacking (changes PE section rights) 15->39 41 Query firmware table information (likely to detect VMs) 15->41 43 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->43 45 Machine Learning detection for dropped file 19->45 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 05:58:27 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=356pwkhwikrdigym6pkwe3whq6t27mfkzu7gqbvxudfkhjw5opxa._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/221007-v3pwnadbfl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Malware Config
C2 Extraction:
http://5.2.70.65/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/43368040-9a77-4d5c-bb93-b88580ecf2ce
Unpacked files
SH256 hash:
feddb715649f03c1eb33cf6b487281e5f7eb1fc009cacd6ff2c27e13e8ee1cbc
MD5 hash:
3906364fb825117b10b1b01309954bfd
SHA1 hash:
48bc6b302841d69d6b2a5b493c09238e43742007
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/fcc1ce0f-9b5a-42d8-9789-5799f0c2c266/
Parent samples :
06b2f4503ff44aeb98aefb8f65f5392c7b90f1ca8dc618a249b866914590a40f
df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee
fa5ac27700f443ba8bc0509f2ce8c1c0be408e3dbca55a07de27f7d1bcb5de16
c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9
23b137ce3bf552461beac7baf3a449a620010feac5cf69a1864e40b5efa04c2d
1227762670b7f30a26b51d681acad249a14986f375f5d659ef36e25e4e8bef1b
SH256 hash:
4c9d2efd7ab8338c7c76fcd918b438807c16538f06af4ae6009e711025e858b0
MD5 hash:
282d6e7f6027560cc7520f5ae12568e3
SHA1 hash:
378c907fd61fd3f5ed16caabbff222d108d0bd3b
Link:
https://www.unpac.me/results/fcc1ce0f-9b5a-42d8-9789-5799f0c2c266/
SH256 hash:
df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee
MD5 hash:
4bad8e019dc6d8254185426c2fef0c59
SHA1 hash:
7b55fcbae0b8c90100a0b8b999292e1c83ab5947
Link:
https://www.unpac.me/results/fcc1ce0f-9b5a-42d8-9789-5799f0c2c266/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df7cfb28f642/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317706/

Comments