MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de0eb9f1d712ec2c91fea05e26fb01a019cadcc8beb4ad6d2f4a0b4db2cfbfaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments 1

SHA256 hash:	de0eb9f1d712ec2c91fea05e26fb01a019cadcc8beb4ad6d2f4a0b4db2cfbfaf
SHA3-384 hash:	24ebe57e7d77d4ecfcd7912a23969fac5eb138f649d4e68e31bc1bed6f57fb1e57debaa14f7837bd89fa201e0ca903c2
SHA1 hash:	ed586dd2973f3126ff07950dacbd484643de06f7
MD5 hash:	7f9a14f5eb35f5edd11624abfafba8f0
humanhash:	nitrogen-victor-august-foxtrot
File name:	7f9a14f5eb35f5edd11624abfafba8f0
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	7'296'304 bytes
First seen:	2022-10-24 07:25:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	abfc65b151256b9d4d4477d8a4ecd261 (1 x RecordBreaker)
ssdeep	196608:XOsjbn5PXb+DnnLlyTYL/8ICpuYcQcSaRV3fijsgRVAZc:XOO7l6nLl84/NDYO1vipAi
TLSH	T13376123793710046D497CC368A37FDE271FA1F6A8B81ACF665CA7DC129235E0A227953
TrID	66.0% (.EXE) InstallShield setup (43053/19/16) 10.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.9% (.EXE) Win32 Executable (generic) (4505/5/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	cc2b69ccec692bcc (2 x RecordBreaker, 1 x Arechclient2, 1 x LaplasClipper)
Reporter	zbetcheckin
Tags:	32 exe recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

208

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

7f9a14f5eb35f5edd11624abfafba8f0

Verdict:

Malicious activity

Analysis date:

2022-10-24 07:35:34 UTC

Tags:

installer trojan raccoon recordbreaker loader stealer

Link:

https://app.any.run/tasks/f14d094c-c718-4744-b7ab-bf7e2fe62546

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/323281/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.63063114.3707.5827.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Sending a custom TCP request

Creating a window

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f7018996-24cd-44c5-a870-a7726900ba02

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096275

Signature

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Potentially malicious time measurement code found

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de0eb9f1d712ec2c91fea05e26fb01a019cadcc8beb4ad6d2f4a0b4db2cfbfaf/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-10-23 22:58:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 41 (48.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3yhlt4oxclwczep6ubpcn6ybuam4vxgix22k23jpjifu3mwpx6xq._file

Verdict:

malicious

Label(s):

raccoon

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/221024-h9ja8sfdbk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

de0eb9f1d712ec2c91fea05e26fb01a019cadcc8beb4ad6d2f4a0b4db2cfbfaf

MD5 hash:

7f9a14f5eb35f5edd11624abfafba8f0

SHA1 hash:

ed586dd2973f3126ff07950dacbd484643de06f7

Link:

https://www.unpac.me/results/3b8c74f7-76cd-4dd1-9792-e3ee94dbb8e7/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/de0eb9f1d712/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/de0eb9f1d712ec2c91fea05e26fb01a019cadcc8beb4ad6d2f4a0b4db2cfbfaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:	https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/