MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec0fc7c5cd56c65fa1f3abf388d318eb1a8fc2cc7a9de0799ab8b51db54d4361. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	ec0fc7c5cd56c65fa1f3abf388d318eb1a8fc2cc7a9de0799ab8b51db54d4361
SHA3-384 hash:	d058675f0dba2126e2d2dee2a5cbd3dd7d8254d4434c60e81a5ad861e678429703ce74c2cdbd030f37ec10c6cd267a02
SHA1 hash:	f653fd7904196401f67ad4f3eee799662b102b18
MD5 hash:	050fef7beaff8f6959b5ddadbe9595ca
humanhash:	twenty-ohio-uncle-friend
File name:	ec0fc7c5cd56c65fa1f3abf388d318eb1a8fc2cc7a9de0799ab8b51db54d4361
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	6'367'232 bytes
First seen:	2022-11-04 18:27:07 UTC
Last seen:	2022-11-08 03:09:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2f285ed6f05eae8b1321ad1b364e9c75 (19 x RecordBreaker, 2 x RaccoonStealer)
ssdeep	196608:FGhReGOPsulvS7SqhZcyISwrrup2adKVPf:6RokuhuFZTJWap2e
Threatray	1'061 similar samples on MalwareBazaar
TLSH	T13E5623F1F2166986D8868DB1883BEEA030B52F6F4DC1993C60A93F5736733922517D4B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	68d8d88999a981a9 (1 x XFilesStealer, 1 x RecordBreaker)
Reporter	vxunderground
Tags:	exe recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

Vendor Threat Intelligence

Malware family:

raccoon

ID:

File name:

ec0fc7c5cd56c65fa1f3abf388d318eb1a8fc2cc7a9de0799ab8b51db54d4361

Verdict:

Malicious activity

Analysis date:

2022-11-04 18:35:55 UTC

Tags:

trojan raccoon recordbreaker loader stealer

Link:

https://app.any.run/tasks/d0b2d9d9-2473-4455-b813-d94dc1ff58a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/328758/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.63166446.11054.19124.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/48639/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/636559b315611f8d8bf8dec7/reports/b75dc301-6e1d-462c-8bfc-fef553ecfb54/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/03bb1026-ba53-4c67-bba7-6626d07a5168

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1105664

Signature

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Query firmware table information (likely to detect VMs)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec0fc7c5cd56c65fa1f3abf388d318eb1a8fc2cc7a9de0799ab8b51db54d4361/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2022-10-27 13:11:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 41 (53.66%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5qh4pronk3df7iptvpzyruyy5mni7qwmpko6a6m2xc2r3nkninqq._file

Verdict:

malicious

Label(s):

raccoon

RecordBreaker

27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20

RecordBreaker

3c1b550a3afa8207c88ee4d267c096d4be36af794174345c5989a94351f62af4

RecordBreaker

6dd1973caebbffefb2df652852376397f00c6e60998620969173d3bb163bed31

RecordBreaker

754d637166838352780c8e0e611a21f4886f98a82cca0c8a32bf1df3e3c35f1f

RecordBreaker

8129a8a2a4c77198a9a65c393cfc37f8f6ab83842a9c9f430ab1186db9cd0771

RecordBreaker

d4169de488369dda6827795dfc9790587125fbe65a3e7ade917c2d2c52c8dd61

RecordBreaker

+ 1'051 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:a5c012069d303997501c3979cb81d974 discovery spyware stealer

Link:

https://tria.ge/reports/221104-w4bk4ahgb2/

Behaviour

Creates scheduled task(s)

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Raccoon

Malware Config

C2 Extraction:

http://159.69.241.241/

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/aa603a9a-597d-49bd-b916-762b736a5a61

Unpacked files

SH256 hash:

bcf0a530d546109694a5a5720b25b0548d28f0a96349443bea04e8cafb3ded5b

MD5 hash:

bd822db641636c8e63b213371467fb3e

SHA1 hash:

fe5323c601bf696a5fa5678e7be211f8ace80161

Link:

https://www.unpac.me/results/6c65f325-bc44-4088-8d4c-ea04efa537b2/

SH256 hash:

ec0fc7c5cd56c65fa1f3abf388d318eb1a8fc2cc7a9de0799ab8b51db54d4361

MD5 hash:

050fef7beaff8f6959b5ddadbe9595ca

SHA1 hash:

f653fd7904196401f67ad4f3eee799662b102b18

Link:

https://www.unpac.me/results/6c65f325-bc44-4088-8d4c-ea04efa537b2/

Malware family:

RecordBreaker

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ec0fc7c5cd56/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/328758/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample