MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31
SHA3-384 hash: 045548842d922540e6b38bca62cbd9d1144568d5414e395d1265342a4a96ab942d2f081610a9d9e7f9625e46a1eef47a
SHA1 hash: 496c09258fe92b9df52dfd1a4aab7ccf39a35dc7
MD5 hash: ca97bcc6f6af773faff3bb5ab904d184
humanhash: batman-pluto-hawaii-lithium
File name:My1Wallet.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'593'536 bytes
First seen:2022-10-29 17:05:32 UTC
Last seen:2022-10-29 18:12:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 55b10b9a68cf4c9445f709a0442d415e (6 x RecordBreaker)
ssdeep 196608:LkrtXBZ7+Guenjn2zG2uT4LYGtWPETtq:QrtXBZaG9TiRULKwMt
Threatray 841 similar samples on MalwareBazaar
TLSH T1BF66236352720142D0D4CD3E8A27FEB176B70E9A4602EC3616EA5CD3352B997B3169F3
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://193.233.48.6/

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
My1Wallet.exe
Verdict:
No threats detected
Analysis date:
2022-10-29 17:08:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1ed23e7-158c-4f37-870e-a9c44f1deec5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/325918/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.32195.25647.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46656/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/635d5d7ca5db8d309cbbd4bf/reports/4e1b7036-d8ec-4aa8-8081-f44c82cb505d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d542af8b-ada8-492d-98de-dd7a3c89f216
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1100986
Signature
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-29 17:06:19 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
20 of 26 (76.92%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxizopfoxp767mw7muufen3ds7yay3tatgdcbfuropj3wfr35uyq._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
024942079cc304c42d6d4f0663ec1acfe93684a643847d137f890ed54fa60cb7
RecordBreaker
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
RecordBreaker
3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4
RecordBreaker
754d637166838352780c8e0e611a21f4886f98a82cca0c8a32bf1df3e3c35f1f
RecordBreaker
7fa1b425c7bc7f04e84aae8b76cd1e6d1db56dab966ff273b5101816525f61c4
RecordBreaker
8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771
RecordBreaker
db0d7b2975ad69353f3bb5b20c8c13c8ca8ab0ab9ae601b350c676a445871a1f
RecordBreaker
e3f6666bcc343098a21a2c52ee8a63d03c042b9dfd4cb1dfbf984c6d0e985da0
RecordBreaker
+ 831 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:b7bab002427c88579e33c8afea65e2df discovery spyware stealer
Link:
https://tria.ge/reports/221029-vmd48afdd3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://193.233.48.6/
Unpacked files
SH256 hash:
e67fb1596bdda275cf9e74760f570638b25d7df98eb55cd82c84ff16e50df823
MD5 hash:
bb678bbab1f2630d71d344a07b404a56
SHA1 hash:
33dceb6951530848eb07ac92d44a4a78b14511c5
Detections:
raccoonstealer
Create hunting rule
Link:
https://www.unpac.me/results/ea9cfab4-5f38-402a-b0d5-e7c6c5391726/
SH256 hash:
6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31
MD5 hash:
ca97bcc6f6af773faff3bb5ab904d184
SHA1 hash:
496c09258fe92b9df52dfd1a4aab7ccf39a35dc7
Link:
https://www.unpac.me/results/ea9cfab4-5f38-402a-b0d5-e7c6c5391726/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/325918/

Comments