MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7f78e22526692e61b0df20f2f6a7d22918d6b8ed0d8489db583a0e60952ff67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	e7f78e22526692e61b0df20f2f6a7d22918d6b8ed0d8489db583a0e60952ff67
SHA3-384 hash:	6fd1f46959fc52805576a4f17ade05258d7d94c36a48a7cd363f4b755662bdfe9012319bd9a7c2f09fdd706757adc95d
SHA1 hash:	fe29633a73efe06ffed1954be236aa9e49e2a762
MD5 hash:	24085f579497e4adda77ea8e3101efe4
humanhash:	yankee-washington-ceiling-princess
File name:	Autoplay.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	6'462'464 bytes
First seen:	2023-01-26 19:35:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	11ea24073ee65343ee563e3160c77fde (11 x RecordBreaker, 3 x RaccoonStealer, 1 x Zyklon)
ssdeep	98304:2d+HKGRyh0wuVmd1USdtQ1TdEHSHBbmXLXKDSxWdyzxN0ARU6CjvpGbSrvLCoWwj:2UM8s+GoBbCXDxPxNaNGb6L31
Threatray	304 similar samples on MalwareBazaar
TLSH	T13B5623F323559309D0DF8E34833BFEA4F1F40DA66B63A93926C636D559322E76212943
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	6c6f9607236b2d1a (1 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://193.149.187.53/

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Autoplay.exe

Verdict:

No threats detected

Analysis date:

2023-01-26 19:36:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/723a9bc9-609b-447f-9037-8edfc62ed416

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/357208/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/63281/overview

Behaviour

MalwareBazaar

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63d2d6242b351a3d0ea929b5/reports/cc6b35ee-8ac6-4d4e-8aba-ec96381c153b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ca4d28d2-990e-4002-91ef-06fc8b5d0968

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1159809

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e7f78e22526692e61b0df20f2f6a7d22918d6b8ed0d8489db583a0e60952ff67/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2023-01-26 19:36:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=473y4issm2jomgyn6ihs62t5ekiy224o2dmerhnvqoqomcks75tq._file

Verdict:

suspicious

Label(s):

raccoon

RecordBreaker

6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31

RecordBreaker

754d637166838352780c8e0e611a21f4886f98a82cca0c8a32bf1df3e3c35f1f

RecordBreaker

+ 294 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:5c28acbbf9d03405995950480f1c9638 stealer

Link:

https://tria.ge/reports/230126-ya8pvagd51/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Raccoon

Malware Config

C2 Extraction:

http://193.149.187.53/

Unpacked files

SH256 hash:

e7f78e22526692e61b0df20f2f6a7d22918d6b8ed0d8489db583a0e60952ff67

MD5 hash:

24085f579497e4adda77ea8e3101efe4

SHA1 hash:

fe29633a73efe06ffed1954be236aa9e49e2a762

Link:

https://www.unpac.me/results/a0b562a7-a54a-4209-8813-c7f8aa3ee618/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e7f78e225266/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e7f78e22526692e61b0df20f2f6a7d22918d6b8ed0d8489db583a0e60952ff67

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/357208/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample