MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247
SHA3-384 hash:	2ec53779815dadd2f06cb4b70ede2b8d59ba94f8e73b499d4b3f1277f28f17e1f0fb6952f750b09799e56eae6b359e10
SHA1 hash:	72411751972fac27bccc40df6daf287893a82a2d
MD5 hash:	c3e9908d1e901feba57d1787d20890bb
humanhash:	colorado-autumn-neptune-west
File name:	dcaea3df855bc03a2723979525b63da64e13958a68741.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	994'440 bytes
First seen:	2023-07-08 04:47:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:qJjXuA5ao5Xc3Foj2btm0S82Iz89LUzLeGOMFWhLpUrc+nT9vwM5Lru7h2xC+:smBF2C20LDIhLpUI+vHxC+
Threatray	1'287 similar samples on MalwareBazaar
TLSH	T152252A4273E85141E4F23A708CBB44740AB7BE63A930D50F1E94BD8E2D717C49E96B6B
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f8e4c0d8f8e4e4f8 (1 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe recordbreaker signed

Code Signing Certificate

Organisation:	Beko CSKDN6250MA0W (WHITE)
Issuer:	Beko CSKDN6250MA0W (WHITE)
Algorithm:	sha1WithRSAEncryption
Valid from:	2023-07-06T20:41:14Z
Valid to:	2033-07-07T20:41:14Z
Serial number:	235daf884868aa964f68516e055947a0
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	739202ac57f296761e17b2043e48cfee84a23d39b1210a9ec6fecaaa91cce221
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RecordBreaker C2:
http://91.242.229.237/

Intelligence

File Origin

# of uploads :

# of downloads :

328

Origin country :

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

dcaea3df855bc03a2723979525b63da64e13958a68741.exe

Verdict:

Malicious activity

Analysis date:

2023-07-08 04:50:38 UTC

Tags:

raccoon recordbreaker trojan loader stealer

Link:

https://app.any.run/tasks/c6e9cbdf-43cd-40ee-88e7-e7e987e51b6c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/411402/

Detection(s):

Win.Packed.Zusy-10002054-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Reading critical registry keys

Launching a process

Creating a file

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

apt control greyware lolbin overlay packed remote replace

Link:

https://www.filescan.io/uploads/64a8ea87879586917b239682/reports/7140aad0-3185-4f35-8cb8-62a3fe5af133/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b74e87a4-a0c3-49e5-affd-7df2ea8527ba

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247/

Threat name:

Win32.Spyware.Raccoonstealer

Status:

Malicious

First seen:

2023-07-08 04:48:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

390

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3sxkhx4flpadujzds6kslnr5uzhbhfmknb2b3w7jfymdcnp4sjdq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

66aba326f753f1d952e03cdae48806b64965572b400a9ad38da882d55515a2d5

RecordBreaker

8367690dbcabb0b6d7906f6c05b05109f286cea2683bdaefff93b04af8f10cbe

RecordBreaker

b777ca54d5d8a17240013432313cdd8068ae03e04e97dbd8dc1f4268964a6526

RecordBreaker

ca2b5c5792b601cf1f3f9951078a220cca8a11953b2d8dc506b7114ecf641d8b

RecordBreaker

d8559130616dcb860a123fd7228fda07563e4623efc4cc186fba1a695d8c83a2

RecordBreaker

e11f3e5a187ddbb67ea48d2f9a97b088355ebccc5e3de9299c84a8d38b5b32a9

RecordBreaker

e441f76f21f624136a63e22a03fe2f32674d47e9869091524eb5037303e60a51

RecordBreaker

f47935627a5be41526be384d115b1f291d854063d0b31bee2c9c11dc65695438

RecordBreaker

+ 1'277 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:3f5db940cf0d55359bd7997f1d8cbde7 stealer

Link:

https://tria.ge/reports/230708-fe4ycadg61/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Raccoon

Raccoon Stealer payload

Malware Config

C2 Extraction:

http://91.242.229.237:80/

Unpacked files

SH256 hash:

42786801456c05c6172b6fdee202d1f905ee150cfc5ab46fdca158a9cd6e1200

MD5 hash:

8be3742f3e99ef88c591c5ca60499331

SHA1 hash:

dd2138c21c5a5eadc36103d2c7eafd8a397c328c

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb

MD5 hash:

d93c5f59ddc41313bf36f106a2f1fe17

SHA1 hash:

97c5cd9d0689c1cd74685bc979122a13eba3fcc9

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

441463c5aa552e9ab31437318c3b2869e10b0f2d2c5278cf48fdad04597b43ba

MD5 hash:

a61c1dd604cf7a5fd76a77c5d0a56981

SHA1 hash:

7a40e37828d67dd409d1d6211165a082818bdddb

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

42786801456c05c6172b6fdee202d1f905ee150cfc5ab46fdca158a9cd6e1200

MD5 hash:

8be3742f3e99ef88c591c5ca60499331

SHA1 hash:

dd2138c21c5a5eadc36103d2c7eafd8a397c328c

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb

MD5 hash:

d93c5f59ddc41313bf36f106a2f1fe17

SHA1 hash:

97c5cd9d0689c1cd74685bc979122a13eba3fcc9

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

441463c5aa552e9ab31437318c3b2869e10b0f2d2c5278cf48fdad04597b43ba

MD5 hash:

a61c1dd604cf7a5fd76a77c5d0a56981

SHA1 hash:

7a40e37828d67dd409d1d6211165a082818bdddb

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

42786801456c05c6172b6fdee202d1f905ee150cfc5ab46fdca158a9cd6e1200

MD5 hash:

8be3742f3e99ef88c591c5ca60499331

SHA1 hash:

dd2138c21c5a5eadc36103d2c7eafd8a397c328c

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb

MD5 hash:

d93c5f59ddc41313bf36f106a2f1fe17

SHA1 hash:

97c5cd9d0689c1cd74685bc979122a13eba3fcc9

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

441463c5aa552e9ab31437318c3b2869e10b0f2d2c5278cf48fdad04597b43ba

MD5 hash:

a61c1dd604cf7a5fd76a77c5d0a56981

SHA1 hash:

7a40e37828d67dd409d1d6211165a082818bdddb

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

SH256 hash:

dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247

MD5 hash:

c3e9908d1e901feba57d1787d20890bb

SHA1 hash:

72411751972fac27bccc40df6daf287893a82a2d

Link:

https://www.unpac.me/results/7ddb688b-ae92-4f8e-94ca-12edf412885e/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dcaea3df855b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dcaea3df855bc03a2723979525b63da64e13958a68741ddbe92e183135fc9247

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	APT_DustSquad_PE_Nov19_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/