MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13b68ce3e31ce67cdf7aeb5b43cc4a4b0125ed81cfa057e54041cf8b83969188. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13b68ce3e31ce67cdf7aeb5b43cc4a4b0125ed81cfa057e54041cf8b83969188
SHA3-384 hash: 83164e9408f28db5edd6555857f5a8d4d6d3aaa183bc37c32ecb0033f249fcd3a32740e16cb6326d5dec0fdf08170bc6
SHA1 hash: 1cc5059c7102e996372ec19516e9158ff53b3438
MD5 hash: 8b11167e9e9ad7ea46a62761af2278c8
humanhash: pip-nine-muppet-floor
File name:skinny_raccoon.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'568'960 bytes
First seen:2022-11-14 06:40:32 UTC
Last seen:2022-11-14 08:48:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f285ed6f05eae8b1321ad1b364e9c75 (19 x RecordBreaker, 2 x RaccoonStealer)
ssdeep 98304:uYqwuTHubzT9SgGmPpTIQ14TLk+8QVBpVwZoZI//AzYDcAWPUIhd9o:RsTObzTAgG25Iu4Tt8QV3VwZKkJIX8I
Threatray 1'016 similar samples on MalwareBazaar
TLSH T129662393E6D834D1F894893C4C27BCB537F62A369A416C392C73A9C515315A2BBB3C4E
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jomphatt
Tags:exe RaccoonStealer recordbreaker


Avatar
jomphatt
Since the original file is 700+ MB in size, I failed to upload it here. So, I followed the technique described in https://forensicitguy.github.io/pecheck-malware-weight-loss/ to remove null bytes, so its size was reduced.
Original SHA1: effe6185010adada3c25873dab9cc54c46c5fc6a

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
TH TH
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
skinny_raccoon.exe
Verdict:
Malicious activity
Analysis date:
2022-11-14 06:42:12 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/4b9e07b9-2db8-4ee1-bf50-19d71d241c04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333581/
Detection(s):
Can't access file ERROR
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Sending a custom TCP request
Creating a window
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Searching for synchronization primitives
Stealing user critical data
Downloading the file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/52234/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed raccoon
Link:
https://www.filescan.io/uploads/6371e2ff65b4ed3de8c83a9e/reports/21a4f61a-2d89-44bc-9756-a71114d8ee0e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5d3d44bb-bd9d-4c63-acb1-68d187b656a5
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1112624
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745321 Sample: skinny_raccoon.exe Startdate: 14/11/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 8 skinny_raccoon.exe 25 2->8         started        process3 dnsIp4 43 146.70.125.95, 49697, 80 TENET-1ZA United Kingdom 8->43 29 C:\Users\user\AppData\...\vcruntime140.dll, PE32 8->29 dropped 31 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->31 dropped 33 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 8->33 dropped 35 4 other files (none is malicious) 8->35 dropped 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->55 57 Tries to harvest and steal browser information (history, passwords, etc) 8->57 59 Tries to detect virtualization through RDTSC time measurements 8->59 61 Tries to steal Crypto Currency Wallets 8->61 13 cmd.exe 3 3 8->13         started        file5 signatures6 process7 signatures8 63 Suspicious powershell command line found 13->63 65 Tries to download and execute files (via powershell) 13->65 16 powershell.exe 15 15 13->16         started        20 AcroRd32.exe 15 38 13->20         started        22 conhost.exe 13->22         started        process9 dnsIp10 37 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49702 DROPBOXUS United States 16->37 39 www-env.dropbox-dns.com 162.125.66.18, 443, 49700, 49701 DROPBOXUS United States 16->39 41 2 other IPs or domains 16->41 27 C:\...\Cooperative-Agreement-MBRS-project.pdf, PDF 16->27 dropped 24 RdrCEF.exe 78 20->24         started        file11 process12 dnsIp13 45 192.168.2.1 unknown unknown 24->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13b68ce3e31ce67cdf7aeb5b43cc4a4b0125ed81cfa057e54041cf8b83969188/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2022-11-14 06:41:17 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=co3izy7ddtthzx325nnuhtckjmasl3mbz6qfpzkaihhyxa4wsgea._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0c1226d05d81a2f2f9ed910fff598bd00a0cb7ae43b3793735d45de1f35b838f
RecordBreaker
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
RecordBreaker
6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31
RecordBreaker
754d637166838352780c8e0e611a21f4886f98a82cca0c8a32bf1df3e3c35f1f
RecordBreaker
75fdaa0818914d1fea617ddcff0d0b1f5f6f9f24a543e8413a769d438a3620f3
RecordBreaker
+ 1'006 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:3efe9181f37a78f608e51162796a63f7 discovery spyware stealer
Link:
https://tria.ge/reports/221114-hfrqhsfd37/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://146.70.125.95/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6edaaa96-3864-44f1-9bdd-a0318f740b5f
Unpacked files
SH256 hash:
94817e9d2c127e8f9fa3f66c36730d2036f52c91e811b778c5567ac6db8a18bd
MD5 hash:
a115f7b59a3dbe78822872d584d8e03f
SHA1 hash:
6cdf1ac5fecc987aedcb06e3db860ab4743eff5a
Link:
https://www.unpac.me/results/2ec1f5d3-a0b6-44db-8bd9-32ddcb50a108/
SH256 hash:
13b68ce3e31ce67cdf7aeb5b43cc4a4b0125ed81cfa057e54041cf8b83969188
MD5 hash:
8b11167e9e9ad7ea46a62761af2278c8
SHA1 hash:
1cc5059c7102e996372ec19516e9158ff53b3438
Link:
https://www.unpac.me/results/2ec1f5d3-a0b6-44db-8bd9-32ddcb50a108/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13b68ce3e31c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13b68ce3e31ce67cdf7aeb5b43cc4a4b0125ed81cfa057e54041cf8b83969188

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/333581/

Comments