MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e14e69c82dba513c5185ea0dd09168303d76130b00160acb8bdda0f7636c7623. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	e14e69c82dba513c5185ea0dd09168303d76130b00160acb8bdda0f7636c7623
SHA3-384 hash:	507c9db7764c3939d244ee17cf74c586c82216b80dbd85f7aec6eedf0ec4785dcb5f11e399481651bd548b5b278ed542
SHA1 hash:	2138bd8e621ae4e30d6ba8ea07618f340f2b420d
MD5 hash:	0675abca1692a361b45333c4c42197a4
humanhash:	white-colorado-mars-hawaii
File name:	0675abca1692a361b45333c4c42197a4.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	637'952 bytes
First seen:	2022-08-17 13:40:16 UTC
Last seen:	2022-08-17 14:48:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a4cd83b8ce590c2a79cc70d68d8cd343 (1 x RecordBreaker)
ssdeep	12288:G3sIFy9RA/KmZJrs3Lq7A7bEcz6Q31IzCLzucpWG1cQCuqQb946zyyMNbFCS65o:5IFyY/KmZJGZ31I+LzucvcQt946dMDCW
TLSH	T189D4AE2534C08033DA7334315AAAF6795ABEB4701B2246EFA3D8167E5F345E16F3613A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://185.51.247.192/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.51.247.192/	https://threatfox.abuse.ch/ioc/843656/

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

0675abca1692a361b45333c4c42197a4.exe

Verdict:

Malicious activity

Analysis date:

2022-08-17 13:45:12 UTC

Tags:

trojan raccoon recordbreaker loader

Link:

https://app.any.run/tasks/5e5dee8b-5da6-49c2-9987-d6a06bca8a51

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/299306/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.34126.2227.1852.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/29250/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckNumberOfProcessor

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger packed wacatac

Link:

https://www.filescan.io/uploads/62fcf02d6df203c16a8c62a3/reports/15a1deb7-8323-484b-959c-680f67b196db/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/34b43c8c-39d9-477e-aa45-258f28b8e90c

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1053159

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes to foreign memory regions

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e14e69c82dba513c5185ea0dd09168303d76130b00160acb8bdda0f7636c7623/

Threat name:

Win32.Trojan.RaccoonSteal

Status:

Malicious

First seen:

2022-08-14 01:43:08 UTC

File Type:

PE (Exe)

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4fhgtsbnxjityumf5ig5beliga6xmeylaalavs4l3wqpoy3moyrq._file

Verdict:

malicious

Label(s):

raccoon

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220817-qy4f2abcb6/

Unpacked files

SH256 hash:

c9a009d0632530345ced8a350e9dbdc615adea876d69c1697450e5288b2f503e

MD5 hash:

bcea12bd78313c43728a970eed3d44f3

SHA1 hash:

f86c128287483d8019123d8aee186171dce0e1d0

Detections:

win_recordbreaker_auto

Link:

https://www.unpac.me/results/142dfe0f-3a38-4ce7-924a-6b2ff114c503/

SH256 hash:

e14e69c82dba513c5185ea0dd09168303d76130b00160acb8bdda0f7636c7623

MD5 hash:

0675abca1692a361b45333c4c42197a4

SHA1 hash:

2138bd8e621ae4e30d6ba8ea07618f340f2b420d

Link:

https://www.unpac.me/results/142dfe0f-3a38-4ce7-924a-6b2ff114c503/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e14e69c82dba513c5185ea0dd09168303d76130b00160acb8bdda0f7636c7623

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/299306/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample