MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 006c93dbcc3938755328928bf3d8e94684de290fe3bf0cbfacdf0448ed0b96ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 006c93dbcc3938755328928bf3d8e94684de290fe3bf0cbfacdf0448ed0b96ed
SHA3-384 hash: 824b84fc1f817a7d14319fe188d73c2be5280f66c3952eade3a4ea2271718ef2a7f08917d935ebf11cdf16130e00d1f1
SHA1 hash: 5dd51ccefc6f45fe3fc5e26b4986227a70749e1e
MD5 hash: 392d74f5a99301c537b4e843e8c9d66e
humanhash: nineteen-undress-moon-ohio
File name:392d74f5a99301c537b4e843e8c9d66e.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'757'728 bytes
First seen:2022-09-16 15:25:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 69e030207ea80bf8d3d586a5d49aecc2 (1 x RecordBreaker)
ssdeep 24576:YFzZUezXpkyKbO1zcrSGv/fSx/w9R5JiaUsuwfArXCsqm7q5y03+clm1SaCanwm5:6ZUmpIypcOGXfS6NwpSArhuaAhanwf
Threatray 618 similar samples on MalwareBazaar
TLSH T12685F175E7BAC379F62780F05D96A355CAA00CBB704562C1F2714F915EE00BA3EB25A3
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 13cccccccc4d688c (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker signed

Code Signing Certificate

Organisation:*.global.com
Issuer:DigiCert TLS RSA SHA256 2020 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-02T00:00:00Z
Valid to:2023-01-31T23:59:59Z
Serial number: 05bfa8d492eeefa8051c29945a12d712
Thumbprint Algorithm:SHA256
Thumbprint: 28c38c6babf7fd384e180c0b6a5421db4c5ebf8020dc755035f0e22442860a86
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.131.107.60/ https://threatfox.abuse.ch/ioc/850097/

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-16 14:36:27 UTC
Tags:
loader
Link:
https://app.any.run/tasks/d8cf6b9e-a066-4bbb-910b-e9e9e45c080e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/310604/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6324960cba7b8113dd6af02d/reports/33b2be80-7a41-47f2-a9d1-3c3a57107d7d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8670c7c5-7648-4287-881c-dc161e977759
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1071728
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/006c93dbcc3938755328928bf3d8e94684de290fe3bf0cbfacdf0448ed0b96ed/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-09-14 16:35:03 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=abwjhw6mhe4hkuziskf7hwhji2cn4kip4o7qzp5m34cer3ils3wq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
209a53f3bf3914f9324083785621e84d231e41a40eb5b224cd0d90f1788417d9
RecordBreaker
57154e873b6bebab85bdf3e656fe7fa117c5cf3c14926c22c4cac143622f779d
RecordBreaker
647c4d0f6b9b7817dac9d3ee9c2efd9c9409d6cd4a43fa66bd9d43601537d56b
RecordBreaker
68ac2d5bd9270f9ed2396cddf25c6b2734b42b938ff0ae19964d43616553e7da
RecordBreaker
7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4
RecordBreaker
8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771
RecordBreaker
8acf3d9eea531ae8c1ab8eabe3f22206f3771c6c25ed577a6c0010b0a43cfcc0
RecordBreaker
c145721cdaf2ddac4fb96f3f37f56987751731734723436314137c8186f2b34f
RecordBreaker
f8fbc50db8de41fbcf7dcf31883c086b50d0cc74fbbd94979893fc26c9898f76
RecordBreaker
+ 608 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:a1c82a612810c69701f8c72096e6a567 stealer
Link:
https://tria.ge/reports/220916-st7c8sbghm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Raccoon
Malware Config
C2 Extraction:
http://94.131.107.60/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ba59be5-fd19-4d73-bf1f-3d04fcfcfe91
Unpacked files
SH256 hash:
79e2a9e95b5cf396f8a8b15b6254082a6d8f2fcc51520c20477c8ce8f7b72060
MD5 hash:
1cd28fcd6fca3db7e458b8739c014a53
SHA1 hash:
9fcbff3f5f4e636a6ee42ee7c0b59e294767a19a
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc8ae0c2-f557-427d-b88e-31ee0a9959ae/
SH256 hash:
224880c2fee13d73d65af15242f4df5f0e74ed5853e9a16b1f6305c69aca5f6f
MD5 hash:
cc104787b6c5a327cf7f2838eefe5d0f
SHA1 hash:
55bf05202a714f26f86d9eeb18270398551f8867
Link:
https://www.unpac.me/results/bc8ae0c2-f557-427d-b88e-31ee0a9959ae/
SH256 hash:
006c93dbcc3938755328928bf3d8e94684de290fe3bf0cbfacdf0448ed0b96ed
MD5 hash:
392d74f5a99301c537b4e843e8c9d66e
SHA1 hash:
5dd51ccefc6f45fe3fc5e26b4986227a70749e1e
Link:
https://www.unpac.me/results/bc8ae0c2-f557-427d-b88e-31ee0a9959ae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/006c93dbcc3938755328928bf3d8e94684de290fe3bf0cbfacdf0448ed0b96ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:recordbreaker_win_generic
Create hunting rule
Author:_kphi
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 006c93dbcc3938755328928bf3d8e94684de290fe3bf0cbfacdf0448ed0b96ed

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/310604/
  
URLhaus
https://urlhaus.abuse.ch/url/2305341/
  
Delivery method
Distributed via web download

Comments