MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2f37daa119ae896f8303f16cadd0845e1e30a6fe2b922f22b8a53b6c475ccf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2f37daa119ae896f8303f16cadd0845e1e30a6fe2b922f22b8a53b6c475ccf7
SHA3-384 hash: 5bddf1ede1765db4707740365b4b5361e93309fb5fe00229f5c444a7db31c83d09c1379aa3231dd8eb77c00cdb843024
SHA1 hash: d40b685706a16dbe53179e940ee65113ffa2590b
MD5 hash: 47e060d7318b4a0cae94057b8f071ae2
humanhash: kitten-robin-vermont-solar
File name:47e060d7318b4a0cae94057b8f071ae2.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'779'487 bytes
First seen:2022-11-08 18:30:30 UTC
Last seen:2022-11-08 20:56:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 227d8e180539434a4545745b2a33e7ca (2 x RedLineStealer, 2 x TitanStealer, 1 x ArkeiStealer)
ssdeep 24576:E8kD8BaG+DK/cRgOnmq9g6InFkrPmcot0l3RuQ55313d:wDgaf4cOU7m6InK1l33
Threatray 1'394 similar samples on MalwareBazaar
TLSH T1B385E94319CF4E6ADDD17BF871C7231EA774ED30CF6A5B7AA50840364A933C8691AB42
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://45.15.156.90/

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47e060d7318b4a0cae94057b8f071ae2.exe
Verdict:
Suspicious activity
Analysis date:
2022-11-08 18:32:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1af3c7ce-66f8-4cbd-94a9-e9a9f7ce94fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330776/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Launching a process
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed spyeye
Link:
https://www.filescan.io/uploads/636aa06738db7c2a0385fa8e/reports/07aa857e-1a80-4405-90c6-13fbd76ad469/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b589a00e-9c5e-4a72-9eff-3306f1e089e0
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1108515
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2f37daa119ae896f8303f16cadd0845e1e30a6fe2b922f22b8a53b6c475ccf7/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-04 18:44:22 UTC
File Type:
PE (Exe)
AV detection:
29 of 40 (72.50%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ulzx3kqrtlujn6bqh4lmvxiiixq6gctp4k4sf4rlrjj3nrdvzt3q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
30a261fb001f66df09d1eb84f378b8d43e61a13770de476601ea9d4457b7a8cb
RecordBreaker
64f9fa160bc97c437ad094a77ffdd68e0be3ae5372c40922b39f580c9ebc801c
RecordBreaker
70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a
RecordBreaker
99b0dac266ed96c1ae6a9b32b624e4697e1bac4348144376e737bf8e292e35f5
RecordBreaker
d2a3379a95cf890e4f8a739171aca247cd9cc40c90262d4eb42dccf9b420c59d
RecordBreaker
e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0
RecordBreaker
+ 1'384 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:e6f1b12870f8bcf7b22e3e1e2780f4d4 stealer
Link:
https://tria.ge/reports/221108-w52hxabfh8/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Raccoon
Malware Config
C2 Extraction:
http://45.15.156.90
Unpacked files
SH256 hash:
1e38d268a8f416a10be750fd2cca1b710343dcf08c7742800961ab389de46955
MD5 hash:
abccecf8da1f48e7c3ed0cec2fe9546d
SHA1 hash:
1925af53c258d1c34ad582e611940aa919eaeeac
Link:
https://www.unpac.me/results/03410a66-13fc-4ccb-9f4b-cdf29d7c3438/
SH256 hash:
1e85bfa30773e8e7c067c3097efa1b86339d495bea431a279e3903f282b427ed
MD5 hash:
3b0dedf9b904364e7673d1596cec0772
SHA1 hash:
ded9cdc4d0b12b008b9dd18ea32f33df35e35093
Link:
https://www.unpac.me/results/03410a66-13fc-4ccb-9f4b-cdf29d7c3438/
SH256 hash:
a2f37daa119ae896f8303f16cadd0845e1e30a6fe2b922f22b8a53b6c475ccf7
MD5 hash:
47e060d7318b4a0cae94057b8f071ae2
SHA1 hash:
d40b685706a16dbe53179e940ee65113ffa2590b
Link:
https://www.unpac.me/results/03410a66-13fc-4ccb-9f4b-cdf29d7c3438/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2f37daa119ae896f8303f16cadd0845e1e30a6fe2b922f22b8a53b6c475ccf7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330776/

Comments