MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e36099a8ffebc501c3d1b8325a103b62769c5ac2630989ea3ea66715022a062f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker

Vendor detections: 15

SHA256 hash: e36099a8ffebc501c3d1b8325a103b62769c5ac2630989ea3ea66715022a062f
SHA3-384 hash: 9e1dacdc249bb308890bda02b2a5ba1ec504b0d193ebdfe702a711a49b669a814366675c745358dc1c601d8fd379b2ba
SHA1 hash: fc391210da8753222ba357db7c70397dd73c396e
MD5 hash: 02eceb12980e60c1496eb6b9a02d3483
humanhash: illinois-minnesota-lithium-venus
File name: e36099a8ffebc501c3d1b8325a103b62769c5ac263098.exe
Signature: RecordBreaker
File size: 6'258'688 bytes
First seen: 2023-05-23 17:15:34 UTC
Last seen: 2023-05-23 19:08:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9f8af27f520ea359d999bd8cba16dec6 (2 x RecordBreaker)
ssdeep: 98304:z4S0clXTS9EIv1281Ey0l6iEz0JzA3+rBAlrHC3dNtCLChF:l/lX3I9R1EFlnxJzVA1ALI+hF
TLSH: T17B56DE3EAED11137D4B3CA7ACAF65AD7F962311335516C2E95CB13810813BA7BE9201E
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://45.144.28.189/

Intelligence

File Origin
# of uploads: 2
# of downloads: 318
Origin country: NL

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: UI721.bin
Verdict: Malicious activity
Analysis date: 2023-05-21 18:58:57 UTC
Tags: evasion loader ransomware opendir stealer rat redline lumma gcleaner amadey trojan fabookie arkei vidar lokibot remcos raccoon recordbreaker keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Creating a window
Changing a file
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypto greyware lolbin packed packed ping shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Raccoon Stealer
Verdict: Malicious

Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph ID: 874073 (sample e36099a8ffebc501c3d1b8325a1..., start date 23/05/2023, architecture WINDOWS, score 100). Information recovered from the rendered graph:

Processes:
- e36099a8ffebc501c3d1b8325a103b62769c5ac263098.exe: started; drops C:\Users\user\AppData\Local\...\wfplwfs.exe (PE32) and C:\Users\user\AppData\Local\Temp\2.1.1.exe (PE32); starts wfplwfs.exe, 2.1.1.exe and cmd.exe
- wfplwfs.exe (top level): started; signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
- wfplwfs.exe (child of the sample): signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; 3 other signatures; starts rundll32.exe (two instances)
- 2.1.1.exe: drops C:\Users\user\AppData\LocalLow\nss3.dll (PE32) and C:\Users\user\AppData\LocalLow\msvcp140.dll (PE32); signature: Tries to steal Crypto Currency Wallets
- cmd.exe: signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; starts PING.EXE and conhost.exe
- chrome.exe: started; starts a child chrome.exe

Network:
- iplogger.com 148.251.234.93:443 (local port 49695, HETZNER-ASDE, Germany), contacted by the sample
- 14mmf.za.com 104.21.54.36:443 (local port 49694, CLOUDFLARENETUS, United States), contacted by the sample
- 45.144.28.189:80 (local port 49696, HQservCommunicationSolutionsIL, United Kingdom), contacted by 2.1.1.exe
- 192.168.2.5 (unknown) and 239.255.255.250 (Reserved), contacted by chrome.exe
- 192.168.2.1 (unknown), contacted by rundll32.exe
- 127.0.0.1, contacted by PING.EXE

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 8 other signatures
Threat name: Win32.Trojan.Raccoon
Status: Malicious
First seen: 2023-05-23 17:16:06 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 24 of 36 (66.67%)
Threat level: 5/5
Verdict: malicious
Label(s): raccoon

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer vmprotect
Behaviour
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
Downloads MZ/PE file
Unpacked files
SHA256 hash: e36099a8ffebc501c3d1b8325a103b62769c5ac2630989ea3ea66715022a062f
MD5 hash: 02eceb12980e60c1496eb6b9a02d3483
SHA1 hash: fc391210da8753222ba357db7c70397dd73c396e
Detections: raccoonstealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CMD_Ping_Localhost

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: Ping_Command_in_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious ping command execution in an executable
Reference: Internal Research

Rule name: RaccoonV2
Author: @_FirehaK <yara@firehak.com>
Description: Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference: https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker
Executable exe e36099a8ffebc501c3d1b8325a103b62769c5ac2630989ea3ea66715022a062f (this sample)

Delivery method: Distributed via web download

Comments