MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde
SHA3-384 hash: 998f5eb365edfa1f5bd51c8bbdc886eba6f5d846c374e2d749d6ad7541288e654dc0094f4b97b03074a5fbc3348eebed
SHA1 hash: 38d1dbda1992ca36752b3a7c5633f57c111dfbfe
MD5 hash: ff63e8f5b4f30a045c8b69219da4305d
humanhash: equal-alabama-berlin-romeo
File name:e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:10'902'106 bytes
First seen:2023-07-04 10:42:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 196608:dNR0VMXHsF0wuqcqj4P8QYiqEvy1ru/ADM3Je4SKtl0cpRumKphRmdt5o9X:ycDwhcRPV/qLYoDUPDnumKph+o9X
Threatray 62 similar samples on MalwareBazaar
TLSH T160B6233BF368613FD55A1A32557292119977BE62381ACC1A07ED340ECF37B701E3AA46
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter adrian__luca
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://href.li/https://cli.re/RNmm5y
Verdict:
Suspicious activity
Analysis date:
2023-06-19 13:01:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/555579e3-d867-416c-9923-b9f8c15151cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/406334/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67639023.19564.3401.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Moving a file to the %temp% subdirectory
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/95497/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/64a3f7b7204315fbc16cb0d5/reports/1c89147c-bbbb-4d18-a2e7-c5b8ca33d15f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde
Result
Verdict:
MALICIOUS
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fce76348-794b-4b34-83d7-bd6397ac9ab8
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266524
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 14:50:20 UTC
File Type:
PE (Exe)
Extracted files:
473
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4atqgvv55c6dwfv2qf6qa2kymbgwsd3swyq5wam34rh2u3g7jppa._file
Verdict:
malicious
Similar samples:
1d3329d2fc6d022e283a519b328991098f0d9c7bf01fa2eeaa941ec3bc44b2ef
RecordBreaker
27f03bcd5cf9f3252316c1aea335f56dd9909c53832707b9f56033d1da98a0a1
RecordBreaker
4a8da72abff64bcf80a2500077504588b720180b7694203bdb2434fa075fa7fa
RecordBreaker
4e1e9baa83e4e1f612490a1348ba9d6aa431563ad96320705d3ea886a8ede4e9
RecordBreaker
9206df8f28b1540fa4f76fc385b2d786fadaef5cf7b0e24e5218ff7fff0fcbad
RecordBreaker
9cb4357e2a87559617f3adfcdcfe5dba5f02de53d9d7acd8cc5415bbab703e65
RecordBreaker
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
RecordBreaker
f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b
RecordBreaker
f5ef1750803211817b6b86ffc0e3a7d6fa13e9b0c2760eae83489d99e4e109d1
RecordBreaker
+ 52 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:b0f267902bbcc11cd154886fb8ee5da8 stealer
Link:
https://tria.ge/reports/230704-mr8wdsca24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Raccoon
Raccoon Stealer payload
Malware Config
C2 Extraction:
http://94.142.138.74:80/
Unpacked files
SH256 hash:
9051d786de5efeee25223c8e2664058c795c3cb46f8d63d152af507ebdd8898d
MD5 hash:
31676f971649e9b626a0a2841948f01b
SHA1 hash:
7b051fb609449f8f14e9d8c50951129257064728
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
14a730dba343b48787c33c71936ac638cc2ecf2722512652f46fdce4c9afa8a7
MD5 hash:
74ee245b8948720099530bbe6b2e2938
SHA1 hash:
5020fe750c1270a168106cb30db357b58014935f
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
ecba6763c1f69098d34360bb22a7d8f86d8d25665b17648124bd0d39332b4535
MD5 hash:
fa3fa3f59e7b63448c6d0dc6d68f3b91
SHA1 hash:
27c14b1e744d316c26811920c0a42772d5efe880
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
aa5a82aa058556c45ad73f9eb696503044f7855d8b5ca6c5d5ce2ec9b0afd0db
MD5 hash:
b9bb40230966039243a389d56fe731a4
SHA1 hash:
123ec33b0329502258aedfc142136b7176d77b06
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
0212030af3a0c45cd7a7f376eef5ab685f690905dd06a596283bdd9246750573
MD5 hash:
912f7f6c0f90a31be826ccae6c157806
SHA1 hash:
0a27f1e66730cb8e1c0d554ac1f33bc7d45c1458
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
f862595927ac5be4796d64dfd5d6b7ac682d3923c53d78b7856c13b145228ccb
MD5 hash:
0d876439e581499ab21e3d08a80a3e72
SHA1 hash:
8510140e47704d7faebf369f2aa0284b7ed00f3b
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
4deb421bcb1cdb95468a5d0f64479207ee738140173217a3bb5c8f76e547a298
MD5 hash:
d9802949a1c922cd3195900015229605
SHA1 hash:
6da9434ae7387a63f1804871120d31ae4a943a56
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
9051d786de5efeee25223c8e2664058c795c3cb46f8d63d152af507ebdd8898d
MD5 hash:
31676f971649e9b626a0a2841948f01b
SHA1 hash:
7b051fb609449f8f14e9d8c50951129257064728
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
14a730dba343b48787c33c71936ac638cc2ecf2722512652f46fdce4c9afa8a7
MD5 hash:
74ee245b8948720099530bbe6b2e2938
SHA1 hash:
5020fe750c1270a168106cb30db357b58014935f
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
ecba6763c1f69098d34360bb22a7d8f86d8d25665b17648124bd0d39332b4535
MD5 hash:
fa3fa3f59e7b63448c6d0dc6d68f3b91
SHA1 hash:
27c14b1e744d316c26811920c0a42772d5efe880
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
aa5a82aa058556c45ad73f9eb696503044f7855d8b5ca6c5d5ce2ec9b0afd0db
MD5 hash:
b9bb40230966039243a389d56fe731a4
SHA1 hash:
123ec33b0329502258aedfc142136b7176d77b06
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
0212030af3a0c45cd7a7f376eef5ab685f690905dd06a596283bdd9246750573
MD5 hash:
912f7f6c0f90a31be826ccae6c157806
SHA1 hash:
0a27f1e66730cb8e1c0d554ac1f33bc7d45c1458
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
f862595927ac5be4796d64dfd5d6b7ac682d3923c53d78b7856c13b145228ccb
MD5 hash:
0d876439e581499ab21e3d08a80a3e72
SHA1 hash:
8510140e47704d7faebf369f2aa0284b7ed00f3b
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
4deb421bcb1cdb95468a5d0f64479207ee738140173217a3bb5c8f76e547a298
MD5 hash:
d9802949a1c922cd3195900015229605
SHA1 hash:
6da9434ae7387a63f1804871120d31ae4a943a56
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
SH256 hash:
e0270356bde8bc3b16ba817d006958604d690f72b621db019be44faa6cdf4bde
MD5 hash:
ff63e8f5b4f30a045c8b69219da4305d
SHA1 hash:
38d1dbda1992ca36752b3a7c5633f57c111dfbfe
Link:
https://www.unpac.me/results/b4cc7065-165d-4dd1-b08f-ca2c6578ff46/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0270356bde8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/406334/

Comments