MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0
SHA3-384 hash: 67ead6fb3b6a7668c195773b23b2e7e4521f42930456e52dd8da05071a58efe7243d1ec0b49feb182d19e5791bf597ce
SHA1 hash: dc7bcfaad8689ada88c7437724d8fac2b1d9e2e7
MD5 hash: d02286e8a720199858061d34c451c0af
humanhash: steak-autumn-spaghetti-massachusetts
File name:zxc.bin
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:659'968 bytes
First seen:2022-10-24 08:32:45 UTC
Last seen:2022-10-24 09:00:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 800e93b76bb0af86258910988701686b (2 x RecordBreaker)
ssdeep 12288:WQhNMpHQaQhG14OstzDjlEFPmm0qK2KRbeh02cpkwbVpuCU1PkCLTd0:WQhNHaQhG14xNm0L2+beh7Y
Threatray 740 similar samples on MalwareBazaar
TLSH T117E4AE1534C1C036C67B34318AE9E6B49ABEB4310B6246EF53C81A7E5F395E16E3253B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:exe nanoplow-space RaccoonStealer recordbreaker

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://172.86.120.142/ https://threatfox.abuse.ch/ioc/916315/

Intelligence

File Origin
# of uploads :
4
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
197.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 08:26:22 UTC
Tags:
trojan raccoon recordbreaker loader stealer opendir vidar
Link:
https://app.any.run/tasks/14067504-3ad7-49b3-add5-d8bf09d3077a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323308/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63063450.25951.29414.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0692aa07-4847-450c-b04c-2baced3e0e63
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096330
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 22:22:16 UTC
File Type:
PE (Exe)
AV detection:
19 of 41 (46.34%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4h7th3snvm3mp4gpt2fl63y45fp34i7dwawqo22w24qptdgbmpya._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
3570f64dd06f8496b8cab7886c22034651cac26003c6d6d0e7d86bf245c8919e
RecordBreaker
43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c
RecordBreaker
4dd0e5762e6ae6553863f594262e8a1d3f48635d1f49ced7975fc5842fa69a14
RecordBreaker
70b5392192a57314e1c7793599439b518dbf2a0affcbd849cecf779063bd792a
RecordBreaker
72da013062ea0fd8acf955c4517f8998fef0f6f6d467c9610f8d9b5f77169f57
RecordBreaker
980095faad7ac452f5f2827290c5f00904f9aaed2facf9ed690850f8739437ed
RecordBreaker
cabcffe00d781032c39fc98acf5ec96687c5ce26b21b38ef9499213ed591fbde
RecordBreaker
+ 730 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/221024-kft7rafeb7/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0
MD5 hash:
d02286e8a720199858061d34c451c0af
SHA1 hash:
dc7bcfaad8689ada88c7437724d8fac2b1d9e2e7
Link:
https://www.unpac.me/results/69f917a8-571a-4b41-8256-31cbe9cd5106/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e1ff33ee4dab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution).
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe e1ff33ee4dab36c7f0cf9e8abf6f1ce95fbe23e3b02d076b56d720f98cc163f0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/323308/
  
URLhaus
https://urlhaus.abuse.ch/url/2382105/
  
Delivery method
Distributed via web download

Comments