MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a
SHA3-384 hash:	fe57059f2b71e43318040ba1d863928a43394e5417a6e6b938f77732b62dab125d40f113f4808c3b5958eead4f98ef64
SHA1 hash:	cbc71fe263e3cde55f73fdf9301dab9b7f91664f
MD5 hash:	e78106a30c83dc812692fc4665471983
humanhash:	orange-queen-uncle-moon
File name:	file
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	800'160 bytes
First seen:	2022-10-10 13:00:13 UTC
Last seen:	2022-10-10 14:19:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:6SSdabSZkc7GLpGLMMMHMMMvMMZMMMKzbKXOMMHMMMvMMZMMMKzbKX7GLMMMHMMq:gdak/qMMHMMMvMMZMMMFOMMHMMMvMMZ5
Threatray	625 similar samples on MalwareBazaar
TLSH	T1A905AFC2F385D8A4C46942718833CA664673AD1E8D24463B31EE7B1E3E723D36676D1B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c271cc9cae8de972 (24 x Skeeeyah, 7 x RedLineStealer, 2 x RecordBreaker)
Reporter	andretavare5
Tags:	exe recordbreaker

andretavare5

Sample downloaded from http://kaisashop.online/install.exe

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RaccoonV2

Link:

https://www.capesandbox.com/analysis/318412/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.19431.1777.UNOFFICIAL

SecuriteInfo.com.Variant.Strictor.275802.16649.15937.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Reading critical registry keys

Creating a file in the system32 subdirectories

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/6344178f29700e7ac65cb5df/reports/eeeff774-d8cb-415d-b53e-906b606e2c09/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a2f104a7-90c8-4ec9-a5e4-e0be24cb29ad

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1087305

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-10-10 13:01:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

361

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ycmuumdz7bfu5crak4e7db72uckgt6jjz576dqjgupuk5kn24na._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20

RecordBreaker

296d3abb689416d5c47bb8edd555c81b9cf81f80fc9179b14aa6b68c8c8e10ab

RecordBreaker

9864bde6be2d10c1a5c0e00bb99dc640bf3c955ab0be9dd4529c50d48cb58eb7

RecordBreaker

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071

RecordBreaker

cabcffe00d781032c39fc98acf5ec96687c5ce26b21b38ef9499213ed591fbde

RecordBreaker

f93ba32f22e747dec19ebdf57fc8b1f775feca04f70a69d0660b905956b246f4

RecordBreaker

+ 615 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:bd3a3a503834ef8e836d8a99d1ecff54 spyware stealer

Link:

https://tria.ge/reports/221010-p87qrsbha6/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://77.73.133.7/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fd15a4b3-4b5f-4577-850a-21d1ccb8a92f

Unpacked files

SH256 hash:

d51774a96236ec45d70952e531236d03d59f6f3f00326702253a059abe05b5ac

MD5 hash:

7d0b80d550b77ac8afe85ac40a5b20f9

SHA1 hash:

931fa81c543f443666612cc7aed553a1027e8c5c

Detections:

raccoonstealer

win_recordbreaker_auto

Link:

https://www.unpac.me/results/1ce91024-d50f-4eec-8f6e-6d37ee694cbe/

Parent samples :

a3936faf800dc63de810fa733d33001cdfc381208a5a69102f079d442b1f0071
ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a
20ed01a8e1ec898ec25499b5ac18d8522226e08c1ff8baffc327e63a6e46c919
c2283fa67f9c570588fbe02ade91f2b4fd9109ddf06d029af8c7e7c47d3579d2
36f5c9bdab307ac6f14fcf0bb1025b32a388da11d89fd654e02a7be82542e15c
2d8ea1230d6d994febd35edec21f298efe7e1a2a6f75d00a691035980f30a5aa

SH256 hash:

ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a

MD5 hash:

e78106a30c83dc812692fc4665471983

SHA1 hash:

cbc71fe263e3cde55f73fdf9301dab9b7f91664f

Link:

https://www.unpac.me/results/1ce91024-d50f-4eec-8f6e-6d37ee694cbe/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee04ca5183cf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ee04ca5183cfc25a745102b84f8c3fd504a34fc94e7bff0e09351f45754dd71a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

Rule name:	recordbreaker_win_generic Create hunting rule
Author:	_kphi

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_recordbreaker_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/318412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample