MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

Intelligence 14 IOCs 1 YARA File information Comments

SHA256 hash:	3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4
SHA3-384 hash:	8edb407e62153df04fbb576111e1704abecc183335e86bcf23f05bbaaccd10274c4913e472077955bd36ac22d6bac01a
SHA1 hash:	6a37c23397b7a1c488d9ac55a1c05f6e718ad125
MD5 hash:	031470072fc5b7e6c79b8fae55718eae
humanhash:	eleven-muppet-alaska-fifteen
File name:	031470072fc5b7e6c79b8fae55718eae.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	7'196'160 bytes
First seen:	2022-08-13 22:15:35 UTC
Last seen:	2022-08-13 22:29:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	937ca6cd69333a6430e6daf1950bd1fe (5 x RecordBreaker)
ssdeep	98304:+NPhil0OC+RJnjivB3kFpicC4bp56jPfMQ2SqVJGEDrAwunL3h4A0nsbBotWLUky:Cu8KljDu4bgPxjMHA7L3h4rnsNETkn
Threatray	123 similar samples on MalwareBazaar
TLSH	T17C76233732194180E5ED8539893BBE9476F35DFED980C87DB6F6B6C02732990E212A53
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	669878ecd0e12408 (1 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://88.119.170.105/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://88.119.170.105/	https://threatfox.abuse.ch/ioc/842989/

Intelligence

File Origin

# of uploads :

# of downloads :

562

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

031470072fc5b7e6c79b8fae55718eae.exe

Verdict:

Malicious activity

Analysis date:

2022-08-13 22:15:52 UTC

Tags:

trojan raccoon recordbreaker loader stealer

Link:

https://app.any.run/tasks/af886eec-b040-4e36-b5a8-bdf0d485c54c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RaccoonV2

Link:

https://www.capesandbox.com/analysis/298456/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.61255895.15218.4074.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/28895/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed raccoon

Link:

https://www.filescan.io/uploads/62f822e1c8022caa1abe752c/reports/13199535-cdc5-498c-9b12-2702cf13f0a4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d426bea1-0f50-4888-a54e-0b67327da146

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1051071

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-08-09 15:10:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 40 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hqnvkcr27kbapseo4tjgpqew2s7dnl3zif2dixczrguugupwfl2a._file

Verdict:

malicious

RecordBreaker

287dc092e02a5c76b02c4142357f6a4a5c9a420430b616a1d14dfe0266875ecd

RecordBreaker

3427583e84dda3d92aab9f9b9050d7cfe9bcb43094acc08f02f0166f310702cc

RecordBreaker

463e7bb6693b947b343cd1ba77247bc8e6504a1fe80f36cdf2a3d7d345e15fd3

RecordBreaker

57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a

RecordBreaker

6887d3d4d5baa135418c2305915c56b448960d03c427f6c63c430465ddaa6547

RecordBreaker

6f91871f4fb08ca2553a80a053d983d39fabf1efc619b2e4b87972bd0d9c0d80

RecordBreaker

c35d4e641adf21bead54611499c416c8e2de75ac9609832d1f32c476140c38d4

RecordBreaker

e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928

RecordBreaker

+ 113 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:e477781063c065ab8a0c91bcc1de61f0 stealer

Link:

https://tria.ge/reports/220813-16r33segal/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Raccoon

Raccoon Stealer payload

Malware Config

C2 Extraction:

http://88.119.170.105/

Unpacked files

SH256 hash:

49713c0a4ef948948d4e96884f349f85ec236d755656c76a630615e062f0ba1f

MD5 hash:

41696279b131274d103d2b00a2c9fde9

SHA1 hash:

b8df71ea338db4c9e77245325b945fc4e2c1001a

Link:

https://www.unpac.me/results/8823f33a-3b7a-4e67-9e70-960c6e610a28/

SH256 hash:

3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4

MD5 hash:

031470072fc5b7e6c79b8fae55718eae

SHA1 hash:

6a37c23397b7a1c488d9ac55a1c05f6e718ad125

Link:

https://www.unpac.me/results/8823f33a-3b7a-4e67-9e70-960c6e610a28/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/298456/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample