MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fad15e5560a44aab6c5cbee221013ea141bc27251b351702349a86781c1a54e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fad15e5560a44aab6c5cbee221013ea141bc27251b351702349a86781c1a54e6
SHA3-384 hash: a3d9948ce3bd5125c4bccf3b7ec0355df91c27e03828ccbfd559fd984718dc29b1bc9dadc056b8a93da1e3521c39487f
SHA1 hash: 865a133a93d62b5388bc10d5cb01c97777300fc9
MD5 hash: c3654b51ced8ff0851491f49511c38b3
humanhash: angel-stairway-shade-two
File name:c3654b51ced8ff0851491f49511c38b3.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:4'040'192 bytes
First seen:2022-08-27 10:20:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e98b06ee3897133c685290c7cb68f1f3 (10 x RedLineStealer, 1 x RecordBreaker)
ssdeep 98304:5dB9GMU+Q0065r/6ZhXKFjnZ3lwN/YlCmy:5noMgq5rKcqyCh
Threatray 233 similar samples on MalwareBazaar
TLSH T142162333536121D1D4DDCCBAC837FEE6FAFA436F8E41A8346599A9C129129E1D603B43
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 60e0a4a6aca4e4d8 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://193.38.55.82/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.38.55.82/ https://threatfox.abuse.ch/ioc/845693/

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
bbf0ff77-9016-4a26-bfb7-27fe66e2f392
Verdict:
Malicious activity
Analysis date:
2022-08-23 06:19:36 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/daaf36b4-fdf6-4528-bbf6-05341076a83a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301587/
Detection(s):
Win.Packed.Redline-9964525-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30299/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed redline
Link:
https://www.filescan.io/uploads/6309f025c9bbd9909799e2de/reports/7145112b-f8f4-4d54-88ea-5885d2201341/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2d85e224-86ca-45ac-8c48-a44efc0fc4ec
Result
Threat name:
PrivateLoader, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058873
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Downloads files with wrong headers with respect to MIME Content-Type
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 691390 Sample: ik7Pl5lYzz.exe Startdate: 27/08/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Antivirus detection for URL or domain 2->45 47 10 other signatures 2->47 9 ik7Pl5lYzz.exe 1 2->9         started        process3 signatures4 59 Writes to foreign memory regions 9->59 61 Tries to detect virtualization through RDTSC time measurements 9->61 63 Injects a PE file into a foreign processes 9->63 12 AppLaunch.exe 26 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 37 193.38.55.82, 49723, 80 SERVERIUS-ASNL Russian Federation 12->37 39 bpphoto.top 116.202.186.210, 49724, 80 HETZNER-ASDE Germany 12->39 29 C:\Users\user\AppData\Roaming\Cg3R58IE.exe, PE32 12->29 dropped 31 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->31 dropped 33 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 12->33 dropped 35 5 other files (2 malicious) 12->35 dropped 65 Tries to harvest and steal browser information (history, passwords, etc) 12->65 67 DLL side loading technique detected 12->67 69 Tries to steal Crypto Currency Wallets 12->69 19 Cg3R58IE.exe 1 12->19         started        file7 signatures8 process9 signatures10 49 Machine Learning detection for dropped file 19->49 51 Contains functionality to inject code into remote processes 19->51 53 Writes to foreign memory regions 19->53 55 2 other signatures 19->55 22 AppLaunch.exe 1 19->22         started        25 conhost.exe 19->25         started        process11 signatures12 57 DLL side loading technique detected 22->57 27 conhost.exe 22->27         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fad15e5560a44aab6c5cbee221013ea141bc27251b351702349a86781c1a54e6/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-24 21:01:00 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7liv4vlaurfkw3c4x3rccaj6ufa3yjzfdm2roarutkdhqha2ktta._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0fa60d79f881f8616d2b92c02874f6f2a5c16b216b1e256fc31c176355b5c076
RecordBreaker
142bd5cafadc7dbdeb4c50c917a4956c8122761ee92272efeea11bcb0cb449a8
RecordBreaker
47c43c3ea712d82820dcdc399010fdf39306346d31cb9a95892e44c6fa725ac5
RecordBreaker
78c6f90eac23139048bd81c970f7fa9c9dc50e7ba0e75106f330ac1906a9fde7
RecordBreaker
8328a866d6094c361f988ef4147c06a07f000101909df338f9c28c4b373813ec
RecordBreaker
bdbd5a0fb6a3ab99f0cfa3cee7e3f7f8f7ec078eeb628aadfb8a32a5df2be3b9
RecordBreaker
c35d4e641adf21bead54611499c416c8e2de75ac9609832d1f32c476140c38d4
RecordBreaker
dd0145067f81bf5aff9a7ee7eb56c11a98a5f69a9bdbc36744919ee49890de5a
RecordBreaker
+ 223 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9b05850140e82e0266543e92bee2eb08 botnet:�$l spyware stealer
Link:
https://tria.ge/reports/220827-mdncjaafb5/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Malware Config
C2 Extraction:
http://193.38.55.82/
Unpacked files
SH256 hash:
3a109b1303ea5d3afd8ed222c9ea87c440e8d121411ef45a9491b4b27b064b71
MD5 hash:
79a600fd6cb37825cb951084bf711a9f
SHA1 hash:
bb9fa0e7df3d0e9d07d542fce6c2b399d332c185
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5e422da-2315-4549-b5bb-0ddf6c0ae9ae/
SH256 hash:
c8b92a2bbfbd768304a802b21becf48a0f1c1e790ecdfd55fdb0482d7a957714
MD5 hash:
66513bf631439a01e7fbeec783e3f7cc
SHA1 hash:
b4465c4d82b15986f0e180fbff445a5e13268b05
Link:
https://www.unpac.me/results/d5e422da-2315-4549-b5bb-0ddf6c0ae9ae/
SH256 hash:
fad15e5560a44aab6c5cbee221013ea141bc27251b351702349a86781c1a54e6
MD5 hash:
c3654b51ced8ff0851491f49511c38b3
SHA1 hash:
865a133a93d62b5388bc10d5cb01c97777300fc9
Link:
https://www.unpac.me/results/d5e422da-2315-4549-b5bb-0ddf6c0ae9ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fad15e5560a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fad15e5560a44aab6c5cbee221013ea141bc27251b351702349a86781c1a54e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301587/

Comments