MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9716a41f6865025271a42553f3240810b678f89bffaa2a5c69a0576757947ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 11

SHA256 hash: c9716a41f6865025271a42553f3240810b678f89bffaa2a5c69a0576757947ab
SHA3-384 hash: c4166047fede778e78f6740b32927a9de20e014fd6e6a725f09339ebe6e7c4508e823da90137b00be2f078a7b72844b9
SHA1 hash: cca2a8c695e4328b09689666de42d13386b0ce13
MD5 hash: 3a049aee3f55f0baca2e2a34592928c7
humanhash: music-undress-cola-south
File name: SеТuр_patched.exe
Signature: RecordBreaker
File size: 11'539'968 bytes
First seen: 2023-02-27 23:46:37 UTC
Last seen: 2023-02-28 01:29:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cdf44720c7910f1a70d7d2a345132c9f (1 x RecordBreaker)
ssdeep: 196608:PrQt9IzyHyvJ1fJ1JtJxb0ORJmBHnI6JzxrkxzUBKdgrvW:Ef2yANJ/tJxJJmZnIszxrkxzKrvW
Threatray: 4 similar samples on MalwareBazaar
TLSH: T170C6331758CFE5CAEBE128344F17D3EA33FB42A54D808C3DBCC69DC566A5BA4600E562
TrID:
  30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: atomiczsec
Tags: exe recordbreaker

Intelligence

File Origin
# of uploads: 2
# of downloads: 283
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SеТuр_patched.exe
Verdict: No threats detected
Analysis date: 2023-02-27 23:48:19 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: packed
Result
Verdict: MALICIOUS

Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
DLL side loading technique detected
Found potential ransomware demand text
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph: ID 816533, sample SеТuр_patched.exe, start date 28/02/2023, architecture WINDOWS, score 100 (graph rendering not reproduced here)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-02-27 23:47:13 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 15 of 25 (60.00%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon botnet:f26f614d4c0bc2bcd6601785661fb5cf stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext

Raccoon
Malware Config
C2 Extraction:
http://83.217.11.34
http://83.217.11.35
Unpacked files
SHA256 hash: f828a72a4151595a8380108f94ecd9a0d954a40506ff7acca7f50c1cedd6b5d3
MD5 hash: ebcd30a8135327c06fe8fcbe6fe3d801
SHA1 hash: ca129e9702dac690b755f505b944fd8ad36b3e08
SHA256 hash: bad9459d155d080543c51c0f01713372c797858933a3a82d0efe1dd5b06933b9
MD5 hash: c8a2bef3293119df68971574b7441628
SHA1 hash: 81f0e0a2ecf830d1a4a3daac63123a707ef1db83
SHA256 hash: c9716a41f6865025271a42553f3240810b678f89bffaa2a5c69a0576757947ab
MD5 hash: 3a049aee3f55f0baca2e2a34592928c7
SHA1 hash: cca2a8c695e4328b09689666de42d13386b0ce13

Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments

at0m commented on 2023-02-27 23:47:18 UTC

Part of #OperationPhotoshop - https://twitter.com/atomiczsec