MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 382cc180516898230a242e80456ef81647d83a9d2edb82ecbc809daa65219147. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 382cc180516898230a242e80456ef81647d83a9d2edb82ecbc809daa65219147
SHA3-384 hash: 7fde085ad28251edb4c7cdd67739503f217284a11fc0192e76dde68076dc94f7e968eca7581a8d33267ccd8b44af762d
SHA1 hash: 76974ed8c36c6f672d9e7787c19d84aaef4f319b
MD5 hash: c0bcb75c2f7d520bc0312a9813fe8ef9
humanhash: sweet-finch-oklahoma-network
File name:382CC180516898230A242E80456EF81647D83A9D2EDB8.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'703'616 bytes
First seen:2022-10-25 18:16:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f1a9288bae20d24c92d3d27d642d92e (14 x RecordBreaker)
ssdeep 196608:yvWdZ/kNlRG7L7Hv9PuMpDdqAdBlUGSB6c+q:yvq/1v7pDspB6cX
Threatray 160 similar samples on MalwareBazaar
TLSH T1A266229392580150D885CF359A33EE7572763EAA9D70983C14DEBDC33B7B6E2A017A43
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://51.195.166.180/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://51.195.166.180/ https://threatfox.abuse.ch/ioc/948819/

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
https://cdn.discordapp.com/attachments/1018900372603015171/1018907535459221574/Confirmacion_de_pago_de_Caja_281911910A_0927_12_09_2022_pdf.rar
Verdict:
Malicious activity
Analysis date:
2022-09-15 08:58:11 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/c35bd54b-42c5-448c-8581-4da628f44dce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324108/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45465/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/98d277fe-8595-4ff1-aa93-b467e236b0a3
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1097813
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/382cc180516898230a242e80456ef81647d83a9d2edb82ecbc809daa65219147/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-08 19:29:31 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
22 of 26 (84.62%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hawmdacrncmcgcref2aek3xyczd5qou5f3nyf3f4qco2uzjbsfdq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
411c449f978ff2425a9ee85a26157a0ba45a4895f6c1401a7c4d9a9c42c6a73b
RecordBreaker
4e73230986aab0ad40dbd475ca56fe0f207ff5d935f766a46cd4675e6bc27229
RecordBreaker
6b8dac8326076b76369a8eb4e316a86a7663b597aeffe89b35e86c02aa5df4c0
RecordBreaker
83303bd8432e42ddbc86aa5f2fba7b07ded48ef47ec39d42f62b410081b14090
RecordBreaker
ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1
RecordBreaker
e92b4f323c469808f029e3d970b30684c4a23d652fa1c7da324e14cbd6d04709
RecordBreaker
fd3f9ee2a7b4e35be97140818562dc4470f90705cbd959e87c07ed983692e33d
RecordBreaker
+ 150 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:6538e8e545462905a8c8944ed60ea4dc stealer
Link:
https://tria.ge/reports/221025-ww1v1sddb8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Raccoon
Malware Config
C2 Extraction:
http://51.195.166.180/
Gathering data
Unpacked files
SH256 hash:
3e0665a57817d22fd164860bce35e4ef1b38d9bb79a41cb1dcbb21e576a0c07c
MD5 hash:
7b4b33fd787223d178a5a2d89fdc5fcd
SHA1 hash:
82f8a748f96a963bb31b0222f3c072a7c6106d70
Detections:
raccoonstealer
Create hunting rule
Link:
https://www.unpac.me/results/d956b100-d6d4-49ec-8232-725cb662f18f/
SH256 hash:
382cc180516898230a242e80456ef81647d83a9d2edb82ecbc809daa65219147
MD5 hash:
c0bcb75c2f7d520bc0312a9813fe8ef9
SHA1 hash:
76974ed8c36c6f672d9e7787c19d84aaef4f319b
Link:
https://www.unpac.me/results/d956b100-d6d4-49ec-8232-725cb662f18f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/382cc180516898230a242e80456ef81647d83a9d2edb82ecbc809daa65219147

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324108/

Comments