MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e478b4ce3f8b8d0a2a6f88e5eee26e4f19528b55fa3dfe92258b5e08da8df2e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	e478b4ce3f8b8d0a2a6f88e5eee26e4f19528b55fa3dfe92258b5e08da8df2e0
SHA3-384 hash:	0c5b4314104620f86f404ffb2ab1278bd9ad632086ebf39979952976234630d6dccc89b7c0a21d497d1284dde6dddce9
SHA1 hash:	25696f383c2631d5f9f3d96283e670c66a0b050b
MD5 hash:	68d437052ba03d883891100448526f77
humanhash:	stream-angel-emma-rugby
File name:	68d437052ba03d883891100448526f77.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	7'497'216 bytes
First seen:	2022-08-06 08:45:27 UTC
Last seen:	2022-08-06 10:07:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0901266657d602fff9c7d9a865574642 (16 x RecordBreaker, 2 x RaccoonStealer)
ssdeep	196608:ztmyhP0AJdJX+XPLidQ7L2euCrSeo3Qo:z9hldJSzWQeMA3
Threatray	432 similar samples on MalwareBazaar
TLSH	T1B9762313141401C9F4B94C72A937FDF639B226AF838164BAE9FE9BD76021212971FE17
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	f8ccccfcbef8793d (4 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://51.195.166.176/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://51.195.166.176/	https://threatfox.abuse.ch/ioc/841618/

Intelligence

File Origin

# of uploads :

# of downloads :

375

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

68d437052ba03d883891100448526f77.exe

Verdict:

Suspicious activity

Analysis date:

2022-08-06 08:48:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7cc98b71-e9e7-4325-9ebc-439587ad3d22

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296856/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.33625.7523.5577.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28227/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

babar packed

Link:

https://www.filescan.io/uploads/62ee2ad26336465f2a18fc54/reports/99b5679b-a414-476f-8d22-52d2c3ece4f4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/451093e4-a8f4-4a29-9a06-920bb3b2c7c8

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1047233

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e478b4ce3f8b8d0a2a6f88e5eee26e4f19528b55fa3dfe92258b5e08da8df2e0/

Threat name:

Win32.Trojan.RecordBreaker

Status:

Malicious

First seen:

2022-08-01 19:16:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4r4ljtr7rogquktprds65ytoj4mvfc2v7i675erfrnparwun6lqa._file

Verdict:

malicious

RecordBreaker

6b8dac8326076b76369a8eb4e316a86a7663b597aeffe89b35e86c02aa5df4c0

RecordBreaker

7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97

RecordBreaker

86c18ece485bd831afd99d3306c5a7944d34f3b36974458d390a76d7280d416b

RecordBreaker

ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1

RecordBreaker

daa24f5ca9ed1ea8d7aef8627dee95df8a96cb0d75a5ee737308935945e61f1a

RecordBreaker

e134f20c16c2d118f95738897fc6c8f3be4ec46563ad7e1c243c3d7595a0ea68

RecordBreaker

ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

RecordBreaker

f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023

RecordBreaker

+ 422 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:5fc047a9c5cf5165300d503b77ab137d stealer

Link:

https://tria.ge/reports/220806-kpavgacgem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Raccoon

Raccoon Stealer payload

Malware Config

C2 Extraction:

http://51.195.166.176

Unpacked files

SH256 hash:

70ee9f068b16c46dd4e6b4dc1353d4c03ce259e0c08dcf7ce89977b597ee22c2

MD5 hash:

4c326e44dbc70de4b72d7cbf0335a8ce

SHA1 hash:

da855e39be60d7cecab7e92cc60c3236d6961c48

Link:

https://www.unpac.me/results/50bd650f-2cb9-4d8e-a5da-403ab043607e/

SH256 hash:

e478b4ce3f8b8d0a2a6f88e5eee26e4f19528b55fa3dfe92258b5e08da8df2e0

MD5 hash:

68d437052ba03d883891100448526f77

SHA1 hash:

25696f383c2631d5f9f3d96283e670c66a0b050b

Link:

https://www.unpac.me/results/50bd650f-2cb9-4d8e-a5da-403ab043607e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e478b4ce3f8b8d0a2a6f88e5eee26e4f19528b55fa3dfe92258b5e08da8df2e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296856/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample