MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ebf0acdd1d2164ca7f33b1129c1975edd0206e8bbccd3f3411baf7834768c3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ebf0acdd1d2164ca7f33b1129c1975edd0206e8bbccd3f3411baf7834768c3e
SHA3-384 hash: d9b8f3598afbbedab7d3e73799fa6d2ee12a35402dc19d32443b096846a7a6f1bdbe6707849271856f7da29fdd9a1e2d
SHA1 hash: 20263b1e7864683aa94b4cb59dab8474811ad18a
MD5 hash: 416548b49d7af935b823cbbdabc971e0
humanhash: pip-hotel-iowa-louisiana
File name:416548b49d7af935b823cbbdabc971e0.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'963'200 bytes
First seen:2022-10-03 20:36:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5af53b96a03972def1a5f287c0c1d5c (23 x RecordBreaker, 8 x RaccoonStealer)
ssdeep 196608:f98RHxTXtNAfMwQNXS+kpYKYEeMcLrHjpOn:f9GxXW7QNXS+kpEfHjUn
Threatray 583 similar samples on MalwareBazaar
TLSH T1F66623E713215089E6EA8C34E433FD7172F29E6B4980983C20FDBDC779365A6260B957
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e6c3b2ecccf193e0 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://45.147.231.141/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.147.231.141/ https://threatfox.abuse.ch/ioc/870292/

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RaccoonV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/316238/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.34590.14765.31666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Sending a custom TCP request
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/40928/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed raccoon racealer
Link:
https://www.filescan.io/uploads/633b47b878d4acb349f48ef2/reports/421f37f4-d8ef-410b-b7d6-c7d4c406e644/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f0c6144e-24c3-4d76-9877-c8a998b4ab59
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1082807
Signature
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ebf0acdd1d2164ca7f33b1129c1975edd0206e8bbccd3f3411baf7834768c3e/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-30 17:22:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
25 of 41 (60.98%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r27qvtor2ilezj7thmistqmxl3oqebxixpgnh42bdoxxqndwrq7a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
06cd1b17015926da3c902f7b67e130054e9170f355a1cdf1274ddc955f4152ee
RecordBreaker
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
RecordBreaker
4d70a2e9f63fea018db99bef6cecbf094255c52f6e2bd9d1d7458e637efb9172
RecordBreaker
4e73230986aab0ad40dbd475ca56fe0f207ff5d935f766a46cd4675e6bc27229
RecordBreaker
774fa8863d2cb1747c338ef9023103d535715b30b6d5450a9ee146663d77c89b
RecordBreaker
81ae7aea498cdd4d50470b3dcd54088d7bce5bf5f6019b08d9d558acd190cb4d
RecordBreaker
83ad440cf8c2cdd99ec8b184590fe0e9138cccd686b2136eaddc2cdfcf85aecc
RecordBreaker
ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1
RecordBreaker
+ 573 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:075cf0a1e3c12548e3e0d97c6aca5b39 discovery spyware stealer
Link:
https://tria.ge/reports/221003-zdlj6aefaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://45.147.231.141/
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e3f68cc6-97c7-4821-93db-a59c5d05d8b7
Unpacked files
SH256 hash:
087d324f66a9aaed3736d6551b360538983f565e6a6c9eaba2af844c4bec9fb3
MD5 hash:
6989301cca32705edb39f104f6396b5b
SHA1 hash:
f0bbb44e42060f4555cf5a2f1ad76a446485ab0e
Link:
https://www.unpac.me/results/2e7af8a1-78c4-4608-bf67-1774a98a4a62/
SH256 hash:
8ebf0acdd1d2164ca7f33b1129c1975edd0206e8bbccd3f3411baf7834768c3e
MD5 hash:
416548b49d7af935b823cbbdabc971e0
SHA1 hash:
20263b1e7864683aa94b4cb59dab8474811ad18a
Link:
https://www.unpac.me/results/2e7af8a1-78c4-4608-bf67-1774a98a4a62/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8ebf0acdd1d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ebf0acdd1d2164ca7f33b1129c1975edd0206e8bbccd3f3411baf7834768c3e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316238/

Comments