MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a
SHA3-384 hash:	5c5dbbba2f1b49645ce5084ada3f1fab5fd74fb64b0966991c65a6f8b579dc0491126aa7dfbb9f2ece6329e2224f50fd
SHA1 hash:	9035a28638dd4c5f13a2c4adc3e3cddd9b546ad4
MD5 hash:	2026a87d0beef3bbd06120e8f789e7b9
humanhash:	video-nitrogen-item-skylark
File name:	Main.exe
Download:	download sample
Signature	RecordBreaker Alert Create hunting rule
File size:	7'061'008 bytes
First seen:	2022-11-08 00:16:13 UTC
Last seen:	2022-11-08 01:57:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	15ed358fa115974747e3f37ab9f9725d (1 x RecordBreaker)
ssdeep	98304:FgNhnmEDKC/saNJIqSpSTYUPca17JICDkqh4PRYWv6V/hPF+Zn5WOOJ5Q1Hg:MhD1/ZJIqPYycaVJoqcYWSRk1c52g
Threatray	986 similar samples on MalwareBazaar
TLSH	T1616623A70761158DE1D6CC35853BFE9271F2035F8B82BCB969CF6CC124278EAE212957
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	tcains1
Tags:	exe recordbreaker

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

177

Origin country :

US

Vendor Threat Intelligence

ANY.RUN raccoon

Malware family:

raccoon

Alert

Create hunting rule

ID:

1

File name:

Main.exe

Verdict:

Malicious activity

Analysis date:

2022-11-08 00:05:53 UTC

Tags:

trojan raccoon recordbreaker loader stealer

Link:

https://app.any.run/tasks/cd072b68-06fa-4cc0-b2e2-86a479d4b6ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330294/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Win32.Redline.GKE.MTB.4316.4820.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/49913/overview

Behaviour

MalwareBazaar

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

overlay packed redline smoke

Link:

https://www.filescan.io/uploads/63699ffe1b78baadf87f96ec/reports/304f4541-77c1-4b2e-8f68-18178e205a26/overview

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Raccoon Stealer

Malware family:

Raccoon Stealer

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e516e29a-4018-4aa2-a2c7-21e192702450

Joe Sandbox Raccoon Stealer v2

Result

Threat name:

Raccoon Stealer v2

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1107834

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a/

ReversingLabs TitaniumCloud Win32.Trojan.RedLine

Threat name:

Win32.Trojan.RedLine

Alert

Create hunting rule

Status:

Malicious

First seen:

2022-11-08 00:17:16 UTC

File Type:

PE (Exe)

Extracted files:

1

AV detection:

15 of 26 (57.69%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=753e6cvv66tmn7ctlcr3zrkw43i6s35yboocamhy6rvs2uppeqna._file

Threatray raccoon

Verdict:

malicious

Label(s):

raccoon

Alert

Create hunting rule

Similar samples:

1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37

RecordBreaker

37af8d63e8e5adb5a5f30b471fe4e29f686c7923507583a21f46d3b2eb554f09

RecordBreaker

43b95532737d0ccc0b957d1ab3e6ba4310b4618eec3fa485736b8f0a35cb157c

RecordBreaker

4d70a2e9f63fea018db99bef6cecbf094255c52f6e2bd9d1d7458e637efb9172

RecordBreaker

a3605eee1c54709d3a2cbc363d024e07c2e65d5cc080ff77a243920f8033f451

RecordBreaker

ba9b4ed1a5f1e4f658430f393969f1b6a602c5534d745ad3f12fae35cf2a64d1

RecordBreaker

+ 976 additional samples on MalwareBazaar

Hatching Triage raccoon

Result

Malware family:

raccoon

Alert

Create hunting rule

Score:

  10/10

Tags:

family:raccoon botnet:26da3677c0c8d50e82d1912ddd8af349 botnet:��e� spyware stealer upx

Link:

https://tria.ge/reports/221108-ak16ragcd9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Raccoon

Malware Config

C2 Extraction:

http://135.181.185.150/

Threat.Zone Suspicious

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a6b40639-0c64-4c5a-960e-dbb7d489d89a

UnpacMe 3

Unpacked files

SH256 hash:

41406b816c9a4551f5551d394c9027aaea9383f4ee3b40ddd3cd14c0459f001f

MD5 hash:

451098b106b311a928ad2651067c4623

SHA1 hash:

1789646fee93fea14a2f646f0e063b4bfe0bff01

Link:

https://www.unpac.me/results/db7b64ab-afd1-4f1e-96da-937ab94e2ec3/

SH256 hash:

c5970e1670098c23d01a49cb521f26538f2f945002cf47dc7b9ff6debf2370ac

MD5 hash:

018ca41404912d7c53de165b80e3fc3a

SHA1 hash:

6484dc3b0e54c54549725624e0f1110b2f4a2044

Link:

https://www.unpac.me/results/db7b64ab-afd1-4f1e-96da-937ab94e2ec3/

SH256 hash:

ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a

MD5 hash:

2026a87d0beef3bbd06120e8f789e7b9

SHA1 hash:

9035a28638dd4c5f13a2c4adc3e3cddd9b546ad4

Link:

https://www.unpac.me/results/db7b64ab-afd1-4f1e-96da-937ab94e2ec3/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

exe ff764f0ab5f7a6c6fc5358a3bcc556e6d1e96fb80b9c2030f8f46b2d51ef241a

(this sample)

exe 77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8

  

Dropping

SHA256 77ed638394053fe4fef1486f85bac2423f392a1f5e523f9ddf3f5dec289868d8

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/330294/

  

Dropping

MD5 bce3160afb422785db0529c5066fd91c