MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87
SHA3-384 hash: 38204c1e1620df70b47c190c8d9f0e1f89a94fc81723f0048ab5f579a1fd75d807129f4c5ee894dcf38c837512829dae
SHA1 hash: 9daa168735a3f72e715f87d952a18f6c8f00238c
MD5 hash: 010d3ed12031239d3f314f66bb28d58d
humanhash: delaware-bravo-nitrogen-ack
File name:010D3ED12031239D3F314F66BB28D58D.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:2'434'560 bytes
First seen:2024-07-22 14:50:17 UTC
Last seen:2024-07-22 15:29:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02239f44af58f239fdbf86374b44c426 (1 x RecordBreaker)
ssdeep 49152:MJ8U/HLU3Yp7dPM8V/HLU3Yp7CgUxK3h7/SEyIas8JWsa6HdLm:MJ8U/HQ3r8V/HQ3BbxKxD9jXsj9Lm
TLSH T1F6B535F321C16672D07FE0B88616754391339A3DF6D83D925DC8AA241E206EEC7A5DCE
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 30f0b286ccdcf030 (1 x Formbook, 1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://147.45.44.25/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://147.45.44.25/ https://threatfox.abuse.ch/ioc/1302966/

Intelligence

File Origin
# of uploads :
2
# of downloads :
378
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Verdict:
Malicious activity
Analysis date:
2024-07-23 14:46:17 UTC
Tags:
raccoon stealer recordbreaker
Link:
https://app.any.run/tasks/3cf40a07-74c5-49ac-a184-f478fba498f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.10246.30581.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669e71d62f6eaff4b90f3278
Tags:
Encryption Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc overlay packed
Link:
https://www.filescan.io/uploads/669e71d8f1068d66afc033c6/reports/de041cb1-5e68-455c-ada1-cdcada2d8b5a/overview
Verdict:
Malicious
Labled as:
Adware.Generic
Link:
https://www.hybrid-analysis.com/sample/0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae62443b-5037-4367-9625-43fcfff8be7c
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1478479
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1478479 Sample: KbJWC7Zz3h.exe Startdate: 22/07/2024 Architecture: WINDOWS Score: 92 34 Found malware configuration 2->34 36 Antivirus detection for URL or domain 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 5 other signatures 2->40 14 KbJWC7Zz3h.exe 2->14         started        process3 process4 16 KbJWC7Zz3h.exe 14->16         started        process5 18 KbJWC7Zz3h.exe 16->18         started        process6 20 KbJWC7Zz3h.exe 18->20         started        process7 22 KbJWC7Zz3h.exe 20->22         started        process8 24 KbJWC7Zz3h.exe 22->24         started        process9 26 KbJWC7Zz3h.exe 24->26         started        process10 28 KbJWC7Zz3h.exe 26->28         started        process11 30 KbJWC7Zz3h.exe 28->30         started        process12 32 KbJWC7Zz3h.exe 30->32         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2024-07-19 01:39:00 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzr3vglw6ctf654lodcfezm275nsqrocclkywjmduteqgy3cnodq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:dd188c0be5001b2c8fb76d74174694cd stealer
Link:
https://tria.ge/reports/240722-r75k5atfql/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Raccoon
Raccoon Stealer V2 payload
Malware Config
C2 Extraction:
http://147.45.44.25:80/
http://85.28.47.116:80/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0e23b3bc-6ac6-4330-aba0-89793928b17a
Unpacked files
SH256 hash:
f071bd5c4b2bb95deb075ab2fd5fa24112fbeebe727d32f1d5d94f68b8240fd6
MD5 hash:
c6836e2669972c0984849fd7368bd912
SHA1 hash:
8976fa7f1f9b90492ebd0178a0811712cef46260
Link:
https://www.unpac.me/results/b634f9ad-5116-4d5e-8b42-23945ceacc7b/
SH256 hash:
0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87
MD5 hash:
010d3ed12031239d3f314f66bb28d58d
SHA1 hash:
9daa168735a3f72e715f87d952a18f6c8f00238c
Link:
https://www.unpac.me/results/b634f9ad-5116-4d5e-8b42-23945ceacc7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoW

Comments