MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f8f904598a1dd49277595855a35602aeecc1ce6471dcc949def88f27199388e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f8f904598a1dd49277595855a35602aeecc1ce6471dcc949def88f27199388e
SHA3-384 hash: 3d7513af0973c449eb81d79e43ee6e992cd30b3c15669f6ad2b646331576652a3f1b514bc808aa5ddab3ba4dbae83da0
SHA1 hash: d40437b4c236b045511d12a8796184ca6cbb5759
MD5 hash: 50add89e03f21d747247e5f4e0a27125
humanhash: neptune-island-ten-green
File name:50add89e03f21d747247e5f4e0a27125.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'596'096 bytes
First seen:2023-02-10 11:30:53 UTC
Last seen:2023-02-10 13:32:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 161839a78ef6f07a30d3f07895f6fe23 (27 x RecordBreaker)
ssdeep 98304:KPWWESUC4DAWNRhO4sya76yLSOL7V9AUtrclwUawBOxRaBc9+FJ:5W9WJONF76yLBZ95pRvjxRq
TLSH T143661262D7A8004DD1D18C3DCA27BEE132BA0B7B8B41E4B735CE79D51AF25E0DA26543
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2c4b035e4d691a8d (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://37.220.87.44/

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
50add89e03f21d747247e5f4e0a27125.exe
Verdict:
No threats detected
Analysis date:
2023-02-10 11:34:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0832f3c3-ac19-4733-b2a0-5fc3d4d67aa0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/363336/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65410965.9326.15430.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP POST request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/67598/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63e62afbfc4dffab0ccfa66f/reports/fbad3b25-5a54-4a07-8376-eb23810dbf35/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6f8f904598a1dd49277595855a35602aeecc1ce6471dcc949def88f27199388e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2e136918-d0eb-48bc-b410-1f2a4288b7b5
Result
Threat name:
Laplas Clipper, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1171101
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Laplas Clipper
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 803891 Sample: ZNc5xpmpyU.exe Startdate: 10/02/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Antivirus detection for URL or domain 2->70 72 9 other signatures 2->72 8 ZNc5xpmpyU.exe 26 2->8         started        13 svcupdater.exe 17 2->13         started        process3 dnsIp4 46 77.73.134.24, 49704, 80 FIBEROPTIXDE Kazakhstan 8->46 48 37.220.87.44, 49703, 80 ARTEM-CATV-ASRU Russian Federation 8->48 50 77.73.134.35 FIBEROPTIXDE Kazakhstan 8->50 32 C:\Users\user\AppData\Roaming\Y6b81kSc.exe, PE32+ 8->32 dropped 34 C:\Users\user\AppData\Roaming\OBo6YG4V.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 8->36 dropped 38 6 other files (4 malicious) 8->38 dropped 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->74 76 Tries to harvest and steal browser information (history, passwords, etc) 8->76 78 Tries to detect virtualization through RDTSC time measurements 8->78 80 Tries to steal Crypto Currency Wallets 8->80 15 OBo6YG4V.exe 3 8->15         started        19 Y6b81kSc.exe 8->19         started        52 45.159.189.105 HOSTING-SOLUTIONSUS Netherlands 13->52 file5 signatures6 process7 dnsIp8 40 C:\Users\user\AppData\...\svcupdater.exe, PE32 15->40 dropped 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->54 56 Machine Learning detection for dropped file 15->56 58 Uses schtasks.exe or at.exe to add and modify task schedules 15->58 22 schtasks.exe 1 15->22         started        42 youtube-ui.l.google.com 142.250.180.142 GOOGLEUS United States 19->42 44 www.youtube.com 19->44 60 Antivirus detection for dropped file 19->60 62 Multi AV Scanner detection for dropped file 19->62 64 Tries to harvest and steal browser information (history, passwords, etc) 19->64 24 cmd.exe 1 19->24         started        file9 signatures10 process11 process12 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started        30 choice.exe 1 24->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f8f904598a1dd49277595855a35602aeecc1ce6471dcc949def88f27199388e/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 21:39:38 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
21 of 39 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6hzarmyuhousj3vswcvunlaflxmyhhgi4o4zfe556epe4mzhcha._file
Verdict:
malicious
Result
Malware family:
laplas
Create hunting rule
Score:
  10/10
Tags:
family:laplas clipper discovery spyware stealer
Link:
https://tria.ge/reports/230210-nmqdxseb46/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Laplas Clipper
Malware Config
C2 Extraction:
http://45.159.189.105
Unpacked files
SH256 hash:
6f8f904598a1dd49277595855a35602aeecc1ce6471dcc949def88f27199388e
MD5 hash:
50add89e03f21d747247e5f4e0a27125
SHA1 hash:
d40437b4c236b045511d12a8796184ca6cbb5759
Link:
https://www.unpac.me/results/26d596ef-e713-41a5-af7c-ad2929830c10/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f8f904598a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f8f904598a1dd49277595855a35602aeecc1ce6471dcc949def88f27199388e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/363336/

Comments