MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93cb7dd5d6bfd3d1d2d14b2f9bc1dbc57666343bfd42f289525e0999987c2d7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93cb7dd5d6bfd3d1d2d14b2f9bc1dbc57666343bfd42f289525e0999987c2d7e
SHA3-384 hash: 37070debb34e6e9046f318bc5c8f9e659766179628bd0863298adc740e1313f128a772846d5d2ec99e146cba3f856387
SHA1 hash: f03de44fc37e565100b09d2e49e467f6189f8b60
MD5 hash: 00d057121859b0cd9f095eccbb124acb
humanhash: nine-cat-tennessee-comet
File name:00d057121859b0cd9f095eccbb124acb.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:2'523'648 bytes
First seen:2022-11-11 07:30:24 UTC
Last seen:2022-11-11 09:49:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20391e56b2f72042e49d1be61b3f7a1c (4 x RedLineStealer, 1 x ArkeiStealer, 1 x RecordBreaker)
ssdeep 49152:Zj8f/j/n1kEagQzAi4R02J45jTUp92POuzEo5EaYJ/QR:ZofL/nHagQznClJe8p92PJEg
Threatray 2'283 similar samples on MalwareBazaar
TLSH T115C5BE29EB4329B4D5175772815EE77B97187D38CC22AA3FEF7EEE0BA0723022815151
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70dca6b0b2b6cc70 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://164.92.186.156/

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
00d057121859b0cd9f095eccbb124acb.exe
Verdict:
Malicious activity
Analysis date:
2022-11-11 07:31:13 UTC
Tags:
trojan raccoon recordbreaker loader stealer
Link:
https://app.any.run/tasks/fa9a0050-1c7d-4054-9a9f-2c8b6247792f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332324/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.46523.29082.15739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51249/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm packed redline
Link:
https://www.filescan.io/uploads/636dfa3720a0b4943a8edc02/reports/cf87f2ba-7d55-4362-bf6d-f26b00e83099/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fc46a2b-85b4-476a-a288-34e03c9786f9
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1111086
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93cb7dd5d6bfd3d1d2d14b2f9bc1dbc57666343bfd42f289525e0999987c2d7e/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 19:19:08 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=spfx3vowx7j5duwrjmxzxqo3yv3gmnb37vbpfckslyeztgd4fv7a._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1a30ddc274cad08c53f96ac0fbe09be81a0155ebc65c213c7c94e164d3dfd807
RecordBreaker
5ae277d34684f2f410a179870d44d26c7be666bcd5654484b41ba9af15d83486
RecordBreaker
76b2a3865b39346b400bec0b19468abf38bcd337b100425bd2a1640d999e5d5a
RecordBreaker
a61f119e5e68c51c61950e3331664b8886a6b0ce19ab0cab38c0546c2b4b5db5
RecordBreaker
b8e31181d8f9fe4854e11f787df8561a0b00decdbff9308a95a5cce6a57d1275
RecordBreaker
d2b0eaa90a7d7f86595729690fa824450212cbaf3ec552ad30982f630fbe7438
RecordBreaker
+ 2'273 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:3a3e45a1a3ef665ee64f971dbb448f51 stealer
Link:
https://tria.ge/reports/221111-jcdj6aace5/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Raccoon
Malware Config
C2 Extraction:
http://164.92.186.156/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0d5edb12-7d98-43aa-8ef4-29f86971ad52
Unpacked files
SH256 hash:
148e5d6739b127c5de4c3d26068ace19b0e1c80eeb29d658fe2694313baa6be3
MD5 hash:
c9cdc85db0c3a12ae8202cf5b8cabf49
SHA1 hash:
d0a6d7266da2267daf927dc106ad1018db088ee8
Link:
https://www.unpac.me/results/1f541998-509a-4490-afb9-0e4b63d26de7/
SH256 hash:
93cb7dd5d6bfd3d1d2d14b2f9bc1dbc57666343bfd42f289525e0999987c2d7e
MD5 hash:
00d057121859b0cd9f095eccbb124acb
SHA1 hash:
f03de44fc37e565100b09d2e49e467f6189f8b60
Link:
https://www.unpac.me/results/1f541998-509a-4490-afb9-0e4b63d26de7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93cb7dd5d6bfd3d1d2d14b2f9bc1dbc57666343bfd42f289525e0999987c2d7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/332324/

Comments