MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7dbd00ed7ac7cc441643b96aa96a1bc994f64ad20fe2d894f5a51b3d50ab53a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	d7dbd00ed7ac7cc441643b96aa96a1bc994f64ad20fe2d894f5a51b3d50ab53a
SHA3-384 hash:	ff68346dd032a45ea8b341761d34c84289b40372c09eeb18469b91f3b1947b0954668af652788b1a1accf8f388aa127c
SHA1 hash:	3f73c8dddf8a9ab8b346251ed7f430a884e017c1
MD5 hash:	b2767e277c25ce9cb08f8d4d3b48f135
humanhash:	bakerloo-oven-ink-oregon
File name:	b2767e277c25ce9cb08f8d4d3b48f135.bin.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	299'520 bytes
First seen:	2023-03-19 14:55:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	322ed0186ab1b10915e176da453e7963 (10 x RedLineStealer, 5 x Rhadamanthys, 2 x Amadey)
ssdeep	3072:oDsVXnLjNFHTP33ApIUlbu+FMdibV9qh4FUc5ZLnKtmhfu:VXnLjDL3+1lbu+mKV9JFUwjDfu
Threatray	687 similar samples on MalwareBazaar
TLSH	T12B54F81393A17D58E9268B739E1FC2E8F71DF671DF497B653218AA2B04B0172C163B90
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1212284212200a00 (1 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://195.133.40.111/

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

b2767e277c25ce9cb08f8d4d3b48f135.bin.exe

Verdict:

Malicious activity

Analysis date:

2023-03-19 14:58:13 UTC

Tags:

raccoon recordbreaker trojan loader stealer

Link:

https://app.any.run/tasks/f62c47ce-06f9-4ac7-b5d8-0bd5198527f3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/375675/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/74109/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64172284c60b3295f52be699/reports/3d169eb5-9597-47fb-aca3-6d82afa27603/overview

Verdict:

Malicious

Labled as:

Babar.Generic

Link:

https://www.hybrid-analysis.com/sample/d7dbd00ed7ac7cc441643b96aa96a1bc994f64ad20fe2d894f5a51b3d50ab53a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b6725f6-554e-4e3b-abcf-884b6a99ff47

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1197119

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found potential ransomware demand text

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7dbd00ed7ac7cc441643b96aa96a1bc994f64ad20fe2d894f5a51b3d50ab53a/

Threat name:

Win32.Trojan.Babar

Status:

Malicious

First seen:

2023-03-19 14:56:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=27n5adwxvr6miqleholkvfvbxsmu6zfned7c3ckplji3hvikwu5a._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

1892c694c836ad1904869d468f68fd534f674af32645574d70f708343aef5849

RecordBreaker

25139b1e194865c93db98514375b74971e11a690d53b6030014830d019458313

RecordBreaker

5bcb11e6da792b8b7650df280f0d04f299f7183c97253a3607b5baf84defc56f

RecordBreaker

64d3f7548cc05520bd5e88d4bfdae38a57886127b7be55b7e6d09636f123cb22

RecordBreaker

928377073c45f7fb59591af49620d5afc581ce27c4727f7aa77fd23af85b0145

RecordBreaker

cdeb9be7775e33f2a21bae7329d39a7ee8c29697143a704baa6ac22e323b1c00

RecordBreaker

cf16aaa4e7e4e906915e9901e93f4de670355784d5350991e8f09b813cc7988d

RecordBreaker

f93ba32f22e747dec19ebdf57fc8b1f775feca04f70a69d0660b905956b246f4

RecordBreaker

+ 677 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:31f1dd78cfcb010a34ba4139e2e6892e discovery spyware stealer

Link:

https://tria.ge/reports/230319-sa1rcaah5y/

Behaviour

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Raccoon

Malware Config

C2 Extraction:

http://45.144.31.31/
http://195.133.40.111/

Unpacked files

SH256 hash:

bad51064d37028878d53da7b634bf05633b6eb7ae75900077fadf34bfba42553

MD5 hash:

44f3d82c9ddc5732d7c826d470cfef67

SHA1 hash:

03f2d9916e32637ac4f33c25fe64a5dd2024d3a9

Link:

https://www.unpac.me/results/48985718-0e08-40ab-8143-6ba6a285e971/

SH256 hash:

d7dbd00ed7ac7cc441643b96aa96a1bc994f64ad20fe2d894f5a51b3d50ab53a

MD5 hash:

b2767e277c25ce9cb08f8d4d3b48f135

SHA1 hash:

3f73c8dddf8a9ab8b346251ed7f430a884e017c1

Link:

https://www.unpac.me/results/48985718-0e08-40ab-8143-6ba6a285e971/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7dbd00ed7ac7cc441643b96aa96a1bc994f64ad20fe2d894f5a51b3d50ab53a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/375675/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample