MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
SHA3-384 hash: 99b769ee555b6bd6ca94723a6b707e9e900c8b2d2854d9d5d23bcd07ce64c2303a999d8f7e11a9389550d004979aa9dc
SHA1 hash: e404c6041dca2f3b767231e38dfca8faecca10ca
MD5 hash: d74c5647d791583241baa5061e0063c9
humanhash: saturn-april-berlin-quebec
File name:d74c5647d791583241baa5061e0063c9
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:403'456 bytes
First seen:2023-01-19 22:43:13 UTC
Last seen:2023-01-20 00:46:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:rkNkHyWEXeqvQYVby7+OLn2yTp/uzdGDHpc:skDqvQYV+qOL2y9/uzdGL
Threatray 975 similar samples on MalwareBazaar
TLSH T149841292BFFC69A2C61F227174F0BF19A6B0E980D316E3052DD592C4D257BE85E006B6
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d74c5647d791583241baa5061e0063c9
Verdict:
No threats detected
Analysis date:
2023-01-19 22:46:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd29297c-12ae-4d56-b9f1-1a29fb50cd4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354770/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1231966.7303.23783.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint packed stealer
Link:
https://www.filescan.io/uploads/63c9c7b3deddc48f89f83d18/reports/f9664a85-0b63-4d25-bb1e-93f4193bfef4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7e8c72d-297a-4254-8cf8-04a50b0fe611
Result
Threat name:
Laplas Clipper, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1155165
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
DLL side loading technique detected
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Laplas Clipper
Yara detected Raccoon Stealer v2
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 787897 Sample: ibuzgS9JCe.exe Startdate: 19/01/2023 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 11 other signatures 2->69 9 ibuzgS9JCe.exe 3 2->9         started        13 ntlhost.exe 2->13         started        15 ntlhost.exe 2->15         started        process3 file4 49 C:\Users\user\AppData\...\ibuzgS9JCe.exe.log, CSV 9->49 dropped 89 Writes to foreign memory regions 9->89 91 Injects a PE file into a foreign processes 9->91 17 AddInProcess32.exe 26 9->17         started        93 Query firmware table information (likely to detect VMs) 13->93 95 Hides threads from debuggers 13->95 97 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->97 signatures5 process6 dnsIp7 51 krrkrkrgsa.ink 80.66.64.225, 49698, 80 VAD-SRL-AS1MD Russian Federation 17->51 53 77.73.134.24, 49699, 80 FIBEROPTIXDE Kazakhstan 17->53 55 77.73.134.35, 49700, 80 FIBEROPTIXDE Kazakhstan 17->55 39 C:\Users\user\AppData\Roaming\HUlBjcC8.exe, PE32+ 17->39 dropped 41 C:\Users\user\AppData\Roaming\6maITTZS.exe, PE32+ 17->41 dropped 43 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 17->43 dropped 45 6 other files (4 malicious) 17->45 dropped 71 Tries to harvest and steal browser information (history, passwords, etc) 17->71 73 DLL side loading technique detected 17->73 75 Tries to steal Crypto Currency Wallets 17->75 77 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 17->77 22 6maITTZS.exe 1 2 17->22         started        26 HUlBjcC8.exe 17->26         started        file8 signatures9 process10 dnsIp11 47 C:\Users\user\AppData\Roaming\...\ntlhost.exe, PE32+ 22->47 dropped 79 Antivirus detection for dropped file 22->79 81 Query firmware table information (likely to detect VMs) 22->81 83 Machine Learning detection for dropped file 22->83 87 2 other signatures 22->87 29 ntlhost.exe 22->29         started        57 youtube-ui.l.google.com 142.250.180.174 GOOGLEUS United States 26->57 59 www.youtube.com 26->59 85 Tries to harvest and steal browser information (history, passwords, etc) 26->85 33 cmd.exe 1 26->33         started        file12 signatures13 process14 dnsIp15 61 45.159.189.105 HOSTING-SOLUTIONSUS Netherlands 29->61 99 Query firmware table information (likely to detect VMs) 29->99 101 Hides threads from debuggers 29->101 103 Tries to detect sandboxes / dynamic malware analysis system (registry check) 29->103 35 conhost.exe 33->35         started        37 choice.exe 1 33->37         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268/
Threat name:
Win64.Spyware.Raccoonstealer
Create hunting rule
Status:
Suspicious
First seen:
2023-01-19 22:44:06 UTC
File Type:
PE+ (.Net Exe)
AV detection:
16 of 26 (61.54%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlderd3w3jdjcvaeafquxrtf37c35sgyoxfsnzzioddfvrb74jua._file
Verdict:
malicious
Similar samples:
357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
RecordBreaker
41955ff332c22ffa3c2014f4bdffc2db6b5ae75d8289df443929a507dca525cd
RecordBreaker
46ef02874c713328d14ecbe37fdd1cada98c9e049afd132debbc095164dae778
RecordBreaker
59494a51618f234021c0dae2d87667ce9e431b8a75a1b4952d3e48bf71492fbb
RecordBreaker
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
RecordBreaker
b0500e38803ac3ca6b3fde965b1c03bfcae5cbe3a4a01a199d161e1371ced34d
RecordBreaker
bc8560177aa43a687207e68c27c1c9378eb6fff83e61d279641c9256d79ea055
RecordBreaker
c23263bd63c444fd26b4653e26332fcb6f7444064d282c2327983d92fe3e5046
RecordBreaker
+ 965 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:6c8968d2498b99bf2d581580178f5f14 evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/230119-2ns34ahf48/
Behaviour
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Uses the VBS compiler for execution
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Raccoon
Malware Config
C2 Extraction:
http://krrkrkrgsa.ink/
Unpacked files
SH256 hash:
bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
MD5 hash:
d74c5647d791583241baa5061e0063c9
SHA1 hash:
e404c6041dca2f3b767231e38dfca8faecca10ca
Link:
https://www.unpac.me/results/90c50930-2f84-4ec8-bbbd-df995c7cc964/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2512837/
Cape
Cape
https://www.capesandbox.com/analysis/354770/

Comments


Avatar
zbet commented on 2023-01-19 22:43:20 UTC

url : hxxp://77.73.134.35/test.exe