MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 263e49853d7b11e3acf805d65e774b258ccef3c837e3f5e048c3d575578c5b4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 4

SHA256 hash: 263e49853d7b11e3acf805d65e774b258ccef3c837e3f5e048c3d575578c5b4c
SHA3-384 hash: ffc3a9f4411742aca25aaa25a53a78c76cc2123b4a179724475c30a7bc62cb93e25a2392889f8b178dea4d686adf108f
SHA1 hash: 92797e91024607106532a81d191187323de40e7e
MD5 hash: 0cfea019c972b2efb5d3d1d59c3ee482
humanhash: hydrogen-saturn-red-uniform
File name: DeBank congratulates you !.zip
Signature: RecordBreaker
File size: 6'851'379 bytes
First seen: 2022-11-18 13:24:40 UTC
Last seen: Never
File type: zip
MIME type: application/zip
Note: This file is a password protected archive. The password is: DeBank2022
ssdeep: 196608:oL0uOn7cN9T9hy0uQnKkGMlodF8axqsMHzUAAtRGkLoKS:o676TXuXkdlodGKqsMThSRGkLa
TLSH: T1BA663332C2E3B4C3591D5A5B8494BE722858363EB18C49B71695EFCE83B15B1D48FEC8
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1); 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: iamdeadlyz
Tags: 185-246-220-214 file-pumped pw DeBank2022 RaccoonStealer scr zip


Iamdeadlyz
Social engineering attack done by malicious actor ethereumimpulse@gmail.com via Twitter ATO of @SKYserves
Bitly URL shortener -> IP Logger -> Google Drive
RaccoonStealer C&C: http://185.246.220.214/ | 185.246.220.214:80

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.246.220.214/
ThreatFox reference: https://threatfox.abuse.ch/ioc/1020706/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 175
Origin country: n/a
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name: DeBank_Information_for_payment.docx.scr
Pumped file: This file is pumped (its size has been inflated with padding, a common trick for pushing a sample past the file-size limits of AV scanners and sandboxes). MalwareBazaar has de-pumped it; note that the de-pumped hashes below differ from the hashes of the file as delivered, so search for both when correlating.
File size: 761'270'272 bytes
SHA256 hash: f58fbe5d81f4d9fc48fd0e0da1a2739a68c22d28db95b0386fb7421aa28fd2a5
MD5 hash: b9775d5a7d5c74f447d5b3298011e520
De-pumped file size: 6'295'552 bytes (vs. original size of 761'270'272 bytes)
De-pumped SHA256 hash: f9806a31364a4f864f7018e2f827d6bd5cc0052eab849f9fda1e7af45625ed93
De-pumped MD5 hash: 51b10a29cbff676ea10a43b627f3f937
MIME type: application/x-dosexec
Signature: RecordBreaker

File name: Instructions for winning.txt
File size: 455 bytes
SHA256 hash: 30bbe4b30481f11b2e11269e164ca1d180f200c277d23811b45180e43f213391
MD5 hash: 9ae32314bdc6b60cd07881823f1aaf1e
MIME type: text/plain
Signature: RecordBreaker
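The pumped .scr is the interesting artefact in this archive: despite the .docx in its name it is a Windows executable, and the 761 MB size is padding meant to keep it out of scanners. The script below is an added example, not MalwareBazaar's own de-pumping code, showing the simplest de-pump heuristic: find the run of a single filler byte at the end of the file, strip it when it is long enough to look like pumping, and hash both the delivered and the trimmed bytes so either can be matched against a feed. The sample bytes, the 1 MiB threshold and all function names are constructed for this illustration; the real .scr was not used.

```python
"""De-pump heuristic for padding-inflated samples.

Added example, not MalwareBazaar's de-pumping code. The sample bytes are
constructed, not taken from the .scr in this entry. Assumes the most common
pumping technique: a long run of one filler byte (usually 0x00) appended after
the real executable. The 1 MiB threshold is an arbitrary choice for the demo.
"""
import hashlib
import mmap

MIN_PADDING = 1024 * 1024  # assumption: shorter trailing runs are treated as legitimate


def sha256_hex(data) -> str:
    """Hex SHA-256 of a bytes-like object (bytes or mmap)."""
    return hashlib.sha256(data).hexdigest()


def padding_length(data, filler: int, chunk: int = 1 << 20) -> int:
    """Length of the run of `filler` bytes at the end of `data`.

    Scans backwards one chunk at a time so a multi-hundred-MB mmap is never
    copied into memory all at once.
    """
    n = len(data)
    end = n
    while end > 0:
        start = max(0, end - chunk)
        block = bytes(data[start:end])
        kept = block.rstrip(bytes([filler]))
        if kept:  # this chunk holds the last non-filler byte
            return n - (start + len(kept))
        end = start
    return n  # the whole buffer is filler


def depump(data, min_padding: int = MIN_PADDING) -> dict:
    """Strip trailing filler padding when it is long enough to look like pumping.

    Returns sizes and SHA-256 for both the delivered and the de-pumped bytes.
    Caveat: a PE that legitimately ends in a few 0x00 bytes loses them too, so
    this hash only matches another tool's de-pumped hash if both trim identically.
    """
    n = len(data)
    if n == 0:
        empty = sha256_hex(b"")
        return {"pumped": False, "filler_byte": None, "padding_bytes": 0,
                "original_size": 0, "original_sha256": empty,
                "depumped_size": 0, "depumped_sha256": empty}
    filler = data[-1]
    pad = padding_length(data, filler)
    pumped = pad >= min_padding
    core = data[: n - pad] if pumped else data
    return {
        "pumped": pumped,
        "filler_byte": filler,
        "padding_bytes": pad if pumped else 0,
        "original_size": n,
        "original_sha256": sha256_hex(data),
        "depumped_size": len(core),
        "depumped_sha256": sha256_hex(core),
    }


def depump_file(path: str, min_padding: int = MIN_PADDING) -> dict:
    """Same as depump() but memory-maps the file instead of reading it into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return depump(mm, min_padding)


SAMPLE_BODY_SIZE = 2 + 62 + 4 + 256 * 16  # 4164 bytes of "real" content in the constructed sample


def build_sample() -> bytes:
    """Constructed stand-in for a pumped .scr: a small fake PE-like body plus 2 MiB of 0x00."""
    body = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 16
    return body + b"\x00" * (2 * 1024 * 1024)


if __name__ == "__main__":
    for key, value in depump(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real dump with `depump_file("/path/to/sample.scr")`. Because the trim is byte-level rather than PE-aware, treat the de-pumped hash as a correlation key between copies you trimmed yourself; to reproduce a de-pumped size like the one above you would trim at the end of the last section (PointerToRawData + SizeOfRawData) instead.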
Vendor Threat Intelligence
Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2022-11-18 04:16:22 UTC
File Type: Binary (Archive)
AV detection: 4 of 26 (15.38%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:958de3ad66aa98208c0dbc4d93c17d68 stealer
Behaviour: Suspicious behavior: EnumeratesProcesses

Raccoon Malware Config
C2 Extraction: http://185.246.220.214/
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The information below shows additional information about this malware sample such as delivery method and external references.

Relationships:
zip 263e49853d7b11e3acf805d65e774b258ccef3c837e3f5e048c3d575578c5b4c (this sample; RecordBreaker; web download)
  Dropping: SHA256 f58fbe5d81f4d9fc48fd0e0da1a2739a68c22d28db95b0386fb7421aa28fd2a5

Delivery method: Distributed via web download
