MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
SHA3-384 hash: 40a5adf32d05b9bcc18c247986c5921381fb6b95a5fbfb5d60d9ec270fa4b9ff25eda5eb36b960c1eef7d29921ee4171
SHA1 hash: a5172b25d36f9954ae0c198f569432c4954a00b2
MD5 hash: e9acfc93e52dd181932e7604184beecb
humanhash: grey-paris-diet-illinois
File name:e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'326'712 bytes
First seen:2022-09-27 04:41:30 UTC
Last seen:2022-09-27 06:25:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 196608:SkV6yZjVzDxw7ZX1J8ZG+HIf5XI+l5Qs0:RV5xzG7d/1XI+XQv
TLSH T17F5601ABB2D8653FC56A1B3D05728EA05D776A61F41A8C0A47F0443CCB2ED601EFB64D
TrID 61.8% (.EXE) Inno Setup installer (109740/4/30)
23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 3378d6d292d671b2 (1 x RecordBreaker, 1 x ArkeiStealer)
Reporter JAMESWT_WT
Tags:exe fake drivereasy recordbreaker signed

Code Signing Certificate

Organisation:www.enchanting.com
Issuer:www.enchanting.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-26T14:07:28Z
Valid to:2023-09-26T14:27:28Z
Serial number: 181f4c8252f9b3ae4877d291ef6c2abd
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 738dad37c2823dd636761263383f64867b7de61e3f87840eacfba9f404d8e8fc
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.131.107.206/ https://threatfox.abuse.ch/ioc/851872/

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
Verdict:
Malicious activity
Analysis date:
2022-09-27 04:40:38 UTC
Tags:
installer trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/8845a6dd-da92-4c03-8531-3a29c740bada

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313778/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Enabling the 'hidden' option for files in the %temp% directory
Sending an HTTP GET request
Launching a process
Launching a file downloaded from the Internet
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39388/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/63327f1b5291e4a063ec0728/reports/3242dfe2-a608-4a58-a94d-72b2697194ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24319828-aded-4cb1-8f57-f4d52ece6e20
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/1077982
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Disable Windows Defender notifications (registry)
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses 7zip to decompress a password protected archive
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 710527 Sample: yFQ5C6BG2i.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 54 86 Snort IDS alert for network traffic 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 .NET source code references suspicious native API functions 2->90 92 2 other signatures 2->92 10 yFQ5C6BG2i.exe 2 2->10         started        process3 file4 50 C:\Users\user\AppData\...\yFQ5C6BG2i.tmp, PE32 10->50 dropped 100 Obfuscated command line found 10->100 14 yFQ5C6BG2i.tmp 5 18 10->14         started        signatures5 process6 file7 52 C:\Users\user\...\DriverEasy.5.7.3.exe (copy), PE32 14->52 dropped 54 C:\Users\user\AppData\Local\...\is-TV8IQ.tmp, PE32 14->54 dropped 56 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->56 dropped 58 3 other files (none is malicious) 14->58 dropped 17 cmd.exe 3 2 14->17         started        20 DriverEasy.5.7.3.exe 2 14->20         started        process8 file9 76 Suspicious powershell command line found 17->76 78 Wscript starts Powershell (via cmd or directly) 17->78 80 Uses ping.exe to sleep 17->80 84 5 other signatures 17->84 23 wscript.exe 1 17->23         started        26 powershell.exe 15 17 17->26         started        29 PING.EXE 1 17->29         started        34 2 other processes 17->34 48 C:\Users\user\...\DriverEasy.5.7.3.tmp, PE32 20->48 dropped 82 Obfuscated command line found 20->82 31 DriverEasy.5.7.3.tmp 26 45 20->31         started        signatures10 process11 dnsIp12 96 Wscript starts Powershell (via cmd or directly) 23->96 36 cmd.exe 1 23->36         started        70 80.92.205.35, 49710, 80 HELIOSNET-ASRU Russian Federation 26->70 72 127.0.0.1 unknown unknown 29->72 74 192.168.2.1 unknown unknown 29->74 60 C:\Program Filesaseware\...\is-QQ2JM.tmp, PE32 31->60 dropped 62 C:\Users\user\AppData\...\iswin7logo.dll, PE32 31->62 dropped 64 C:\Users\user\AppData\Local\...\botva2.dll, PE32 31->64 dropped 68 30 other files (none is malicious) 31->68 dropped 66 C:\ProgramData\...\ControlSet001_obf.bat, Unicode 34->66 dropped file13 signatures14 process15 signatures16 94 Uses cmd line tools excessively to alter registry or file data 36->94 39 reg.exe 36->39         started        42 conhost.exe 36->42         started        44 reg.exe 1 1 36->44         started        46 17 other processes 36->46 process17 signatures18 98 Disable Windows Defender notifications (registry) 39->98
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 03:51:28 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
4 of 26 (15.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4k4ylh6pv3ikpv5ik5sgz433aqw7e3ytutcfljp477wq625xjuja._file
Verdict:
unknown
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220927-fbn3qaceb5/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender notification settings
Raccoon
Malware Config
C2 Extraction:
http://94.131.107.206
Dropper Extraction:
http://80.92.205.35/hfile.bin
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1000ddc0-96fb-467a-beda-4e598c894c36
Unpacked files
SH256 hash:
c68f53dd27dc25cd2c41fe0e804dba02515b8412ccb9b415fee6c1d2bf50e52e
MD5 hash:
4a6bf797d45bb196d148089e5393050f
SHA1 hash:
de786a67a444dc98beac3684585483edacf942d5
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
dfe25e9c801f828df9fb5e3baee41651ba72c1e00634be4b648d72f1ad8599e7
MD5 hash:
559ec2666c1b2a509aebf1cfd182add8
SHA1 hash:
d9fe1a0fc77eee967de02606f87c5a8c5c6d7729
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
4eff93f229080f4822285fd82427380621608e44026bbc1d62b79e6a6c984633
MD5 hash:
ad3b52fedc4fb152e0d6c3e75e7153f8
SHA1 hash:
c22d1c94565c3b062e9716ed3c0a47fdefa2e6fb
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
55a7b6e88f03528c8cdcc4cfff9a7e5efce3c9d3d21023ef2b37aa228b530ddc
MD5 hash:
850d12295447dbcd9e38a073aef72fb6
SHA1 hash:
bb8e998ed8b2e07d5ffec82509019df134468643
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
4aa76ce51201b2794b046ac8cea1e0c41166674c021cb2fe78c378f15c57ae73
MD5 hash:
907fc67917ccc9d45fa9a8a7d3d20e67
SHA1 hash:
aa4408e8d2eb8b4b87bc9bbf237698698165dd91
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
24f9e01c1dcd1701aed6b73fa70a98aa9da9046304764a9fb2185641a3e3991f
MD5 hash:
1fdbe83871289864400e4ecb25da2319
SHA1 hash:
a2ea53c957d0736e6ca3302d4fab08deb6209722
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
7a497126a5282b8ebb1e2556c18067c99845fda4c81cda9de2958ab6e687a3c2
MD5 hash:
cfebe2584e894bfaaee48fcc6a58f6df
SHA1 hash:
90dc30754f1507ede9ccf1baf3e5be4ec3060160
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
b6f10d67dc407b7f4e7c77f837122df13d93cd3557af1b21cd1421c6784fd9ca
MD5 hash:
1319526e085b1db1cd41d72d3814d6e5
SHA1 hash:
655d6bbf15009f9cac036f16738aabf34892c8e4
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
e60d85e3225aad5397513fb3a1247da025c0602e233587c1193258dae92ead68
MD5 hash:
b41745d1c49c1b5327ad465151649793
SHA1 hash:
56035a9c146858082bb52aeb20d44e7e55dc18d1
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
b771683b23d22073b4513748f42a0fd68f04e640b74b20ff10640dff9c8c92bd
MD5 hash:
8b5239641b3180f561d3d3f258a6e47e
SHA1 hash:
3cd208659a191dd9b3aff0619ab42b17423397f5
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
622faa9b7b8e8ed4f927c83e4a6e9e1a26388aeb324fee8758acd653102d20fa
MD5 hash:
2c5fcdfdb2073799456c6ced6cd23c58
SHA1 hash:
1be97224dde351c41e42b9b051f228380e515c26
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
85ae3b5a989f08e148df93853615d3f6dc011188c4232bdbb0a8637c04712183
MD5 hash:
342007ddcb97dbcb6c651ac3cc323de2
SHA1 hash:
39980d1954ad058a22fc4dd896d2e333a4034bc7
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
0a4b31893f11ed266df9e3d740be1b53fb0345c11903317eb13c254628fa9b77
MD5 hash:
fd99abd9170a55136517f4c93c5afbf9
SHA1 hash:
f1aa4171e82b8ddd66e2b8c7ade40a27397a9e4d
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
18d6744c7d0876261f9048f52731e17517c325919bfcc802da7775bd4cc306ec
MD5 hash:
8aeb1cd14dbffd34f602ac3f66bb00c8
SHA1 hash:
b2ebe5c23c72d2a17c2276dad4825946e7abcf63
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
a7d2601b55e3821e6f516fdc7716f8026b8a85a85422f424cc32c18bd23dd89d
MD5 hash:
c79df15c51d50021b8ca6196a896b16c
SHA1 hash:
219ea0a5d8c8a2e82dde84a8571c873b0e04d15a
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
SH256 hash:
e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
MD5 hash:
e9acfc93e52dd181932e7604184beecb
SHA1 hash:
a5172b25d36f9954ae0c198f569432c4954a00b2
Link:
https://www.unpac.me/results/a152c294-0fa7-4219-982e-eedd70ed3895/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313778/

Comments