MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c
SHA3-384 hash: 8f83c8b6627251584feb445986cd7f9d06082611012db2b9bc466e766e3b95bff60440bd29a2fc4c898be18236061bab
SHA1 hash: 27a369afc3127e58c968c4ea07a69c3e0053e8db
MD5 hash: 6ef647cfe131f11e48e3acfd2b52595d
humanhash: salami-oklahoma-magnesium-stream
File name:6ef647cfe131f11e48e3acfd2b52595d.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:936'448 bytes
First seen:2022-11-26 16:20:32 UTC
Last seen:2022-11-26 17:31:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:3QGX47KXoN7mu8x65nf861hFPV+XN4spG/Ojx:HI72oNL8x65nf860c/Oj
Threatray 17'417 similar samples on MalwareBazaar
TLSH T1AE1533B66E2416B3EDE735BD7DEAD800931499BA5081C136F0F047BCEB4E71064A74BA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://waldo.ac.ug/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
407
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
6ef647cfe131f11e48e3acfd2b52595d.exe
Verdict:
Malicious activity
Analysis date:
2022-11-26 16:21:56 UTC
Tags:
trojan raccoon recordbreaker loader stealer rat azorult remcos
Link:
https://app.any.run/tasks/c4dac2f3-dde8-464e-b444-a50f519f8cbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338819/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Bladabindi.1.7786.19322.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP POST request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file in the %temp% subdirectories
Running batch commands
Unauthorized injection to a recently created process
Stealing user critical data
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi obfuscated packed
Link:
https://www.filescan.io/uploads/63823cf194f9bac087b36e88/reports/4bde0a48-03a7-4ab8-ba80-610e458de864/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb1fc182-733a-4d03-9305-4c9804d85387
Result
Threat name:
Azorult, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121646
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 754363 Sample: MhQTqiCvm1.exe Startdate: 26/11/2022 Architecture: WINDOWS Score: 100 74 tuekisaa.ac.ug 2->74 76 parthaha.ac.ug 2->76 78 3 other IPs or domains 2->78 88 Snort IDS alert for network traffic 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 94 10 other signatures 2->94 10 MhQTqiCvm1.exe 3 2->10         started        14 Ovgxkcit.exe 2 2->14         started        16 Rnjeh.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 68 C:\Users\user\AppData\...\MhQTqiCvm1.exe.log, ASCII 10->68 dropped 102 Injects a PE file into a foreign processes 10->102 20 MhQTqiCvm1.exe 29 10->20         started        25 MhQTqiCvm1.exe 10->25         started        104 Antivirus detection for dropped file 14->104 106 Machine Learning detection for dropped file 14->106 signatures6 process7 dnsIp8 80 193.106.191.150, 49698, 80 BOSPOR-ASRU Russian Federation 20->80 82 paldo.ac.ug 193.106.191.196, 49701, 49702, 80 BOSPOR-ASRU Russian Federation 20->82 50 C:\Users\user\AppData\Roaming\u0K7Kkc1.exe, PE32 20->50 dropped 52 C:\Users\user\AppData\Roaming\h2w35kd4.exe, PE32+ 20->52 dropped 54 C:\Users\user\AppData\Roaming\X2T6g11F.exe, PE32 20->54 dropped 56 8 other files (6 malicious) 20->56 dropped 96 Tries to harvest and steal browser information (history, passwords, etc) 20->96 98 Tries to steal Crypto Currency Wallets 20->98 27 u0K7Kkc1.exe 1 5 20->27         started        31 X2T6g11F.exe 1 5 20->31         started        33 h2w35kd4.exe 2 20->33         started        35 8I3ke5pZ.exe 13 20->35         started        file9 signatures10 process11 file12 70 C:\Users\user\AppData\...\Ovgxkcit.exe, PE32 27->70 dropped 108 Antivirus detection for dropped file 27->108 110 Machine Learning detection for dropped file 27->110 112 Creates multiple autostart registry keys 27->112 114 Injects a PE file into a foreign processes 27->114 37 u0K7Kkc1.exe 27->37         started        72 C:\Users\user\AppData\Roaming\...\Rnjeh.exe, PE32 31->72 dropped 41 cmd.exe 31->41         started        44 8I3ke5pZ.exe 35->44         started        signatures13 process14 dnsIp15 84 192.168.2.1 unknown unknown 37->84 86 waldo.ac.ug 37->86 58 C:\...\api-ms-win-core-handle-l1-1-0.dll, PE32 37->58 dropped 60 C:\Users\...\api-ms-win-core-file-l2-1-0.dll, PE32 37->60 dropped 62 C:\Users\...\api-ms-win-core-file-l1-2-0.dll, PE32 37->62 dropped 66 5 other files (none is malicious) 37->66 dropped 100 Encrypted powershell cmdline option found 41->100 46 conhost.exe 41->46         started        48 powershell.exe 41->48         started        64 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 44->64 dropped file16 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 16:21:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbr527ljenwmumahlb6mybbtjnbit3cfn5uygzz7hwpxjeesukoa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
remcos
Create hunting rule
raccoon
Create hunting rule
Similar samples:
06b2f4503ff44aeb98aefb8f65f5392c7b90f1ca8dc618a249b866914590a40f
RecordBreaker
260d69ea7e9147cacca89536dc28598a00707c37c568c610d119faa532ac0a8d
RecordBreaker
7e4371101f788c3f31179a2d0ee6fdb933367f21cc9dc28a65928373d2253d2f
RecordBreaker
bc45ddc6da1d094442c0962a1c37522fe719aff822097960f6f68b8b9bad0322
RecordBreaker
c00a6a16560557073649393b2ef306dbc831c8bd6ca53882f6e3363a0ed82380
RecordBreaker
d4227ec9dd2159223342099e0ed7d55c0691fe677ab2fc513c149a137e50ced8
RecordBreaker
df7cfb28f642a2341b0cf3d5626ec787a7afb0aacd3e6806b7a0caa3a6dd73ee
RecordBreaker
+ 17'407 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:5d704573a0f97fb52a93667085c18b77 discovery spyware stealer
Link:
https://tria.ge/reports/221126-ttn3bsgb53/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Raccoon
Malware Config
C2 Extraction:
http://193.106.191.150/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d083d089-2572-465b-bbc3-becd8e207499
Unpacked files
SH256 hash:
1d28b14a3cd4946afc402ad8b7bd37eab4830ab7bad5e95cd5c1613f6a3406ef
MD5 hash:
44a3c9605a634aa20c144c6872b567f3
SHA1 hash:
a55bea85adae834978b10075c898cb6529280086
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/e93e6a22-be20-47d5-9018-180170c0c929/
SH256 hash:
1dcd217326d59013541bf4c0017c95d1f47ca39cdcfd1ef3a2c2269c26660204
MD5 hash:
efa15437e9c5ce0494e5b1321eadee60
SHA1 hash:
67294e3bc18f711baf3f07cca20c0aaf17f430d9
Link:
https://www.unpac.me/results/e93e6a22-be20-47d5-9018-180170c0c929/
SH256 hash:
9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c
MD5 hash:
6ef647cfe131f11e48e3acfd2b52595d
SHA1 hash:
27a369afc3127e58c968c4ea07a69c3e0053e8db
Link:
https://www.unpac.me/results/e93e6a22-be20-47d5-9018-180170c0c929/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9063dd7d6923/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 9063dd7d69236cca3007587ccc04334b4289ec456f6983673f3d9f749092a29c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1539152/
  
URLhaus
https://urlhaus.abuse.ch/url/2257588/
  
URLhaus
https://urlhaus.abuse.ch/url/1596393/
  
URLhaus
https://urlhaus.abuse.ch/url/2141170/
Cape
Cape
https://www.capesandbox.com/analysis/338819/
  
URLhaus
https://urlhaus.abuse.ch/url/1514098/
  
URLhaus
https://urlhaus.abuse.ch/url/2254174/
  
URLhaus
https://urlhaus.abuse.ch/url/2271067/
  
URLhaus
https://urlhaus.abuse.ch/url/1514313/

Comments