MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9b8420f43c338d46ad5f6d437778a6951b3dfb15ee527dcef00ac6cfe680cd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9b8420f43c338d46ad5f6d437778a6951b3dfb15ee527dcef00ac6cfe680cd9
SHA3-384 hash: 8ab9693c5bf50cb8a58fb2e1f6a749fcc497462f411e6ee05bfc45ff7675d4749017c9088db141b97386d3d4a223170c
SHA1 hash: 9a38b8a1ef7a5feb9cc7f5d638a3e53c75b50025
MD5 hash: acb2c61f7aef6a7ead6f5036049123c2
humanhash: hydrogen-emma-social-juliet
File name:acb2c61f7aef6a7ead6f5036049123c2.bin
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:251'184 bytes
First seen:2023-03-06 06:29:50 UTC
Last seen:2023-03-06 08:28:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e62cf079a569680546bbc29ad2c24f46 (1 x DCRat, 1 x RedLineStealer, 1 x RecordBreaker)
ssdeep 3072:Rm53edA66LmM8BhZaUa44/WHyu2NGuxmDRm8Ju1s9CKdStZBl1eFW6wzDGvY6KW7:mSA6zaUajnmpX4Ht6wzDGw6fNmeNQm
Threatray 4 similar samples on MalwareBazaar
TLSH T14734BF22338D8010F868CCFE95B3DE678CED7939275F64CBB79941294A627D0E275623
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:bin exe recordbreaker

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
acb2c61f7aef6a7ead6f5036049123c2.bin
Verdict:
No threats detected
Analysis date:
2023-03-06 06:31:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6dcc1764-44c2-4741-b984-1b301e07ada1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371778/
Detection(s):
SecuriteInfo.com.Variant.Ser.Fragtor.2111.6779.18451.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6405886e93921fa04236b69b/reports/360e4b0f-3b50-4036-bffc-51816056ef60/overview
Verdict:
Malicious
Labled as:
Ser.Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/f9b8420f43c338d46ad5f6d437778a6951b3dfb15ee527dcef00ac6cfe680cd9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0939f35c-3554-41ef-979d-245d9f05105a
Result
Threat name:
Laplas Clipper, Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187526
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Found potential ransomware demand text
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Laplas Clipper
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820402 Sample: 563BKfynp8.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected Laplas Clipper 2->63 65 4 other signatures 2->65 9 563BKfynp8.exe 1 2->9         started        12 ntlhost.exe 2->12         started        14 ntlhost.exe 2->14         started        process3 signatures4 73 Writes to foreign memory regions 9->73 75 Allocates memory in foreign processes 9->75 77 Sample uses process hollowing technique 9->77 79 Injects a PE file into a foreign processes 9->79 16 AppLaunch.exe 27 9->16         started        21 conhost.exe 9->21         started        23 AppLaunch.exe 9->23         started        process5 dnsIp6 51 185.106.92.101, 49697, 80 SUPERSERVERSDATACENTERRU Russian Federation 16->51 53 transfer.sh 144.76.136.153, 443, 49700, 49701 HETZNER-ASDE Germany 16->53 41 C:\Users\user\AppData\Local\...\i5XxC93J.exe, PE32+ 16->41 dropped 43 C:\Users\user\AppData\Local\...\9iBonxki.exe, PE32+ 16->43 dropped 45 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 16->45 dropped 47 6 other files (4 malicious) 16->47 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 16->67 69 DLL side loading technique detected 16->69 71 Tries to steal Crypto Currency Wallets 16->71 25 9iBonxki.exe 1 2 16->25         started        29 i5XxC93J.exe 16->29         started        file7 signatures8 process9 file10 49 C:\Users\user\AppData\Roaming\...\ntlhost.exe, PE32+ 25->49 dropped 81 Antivirus detection for dropped file 25->81 83 Multi AV Scanner detection for dropped file 25->83 85 Machine Learning detection for dropped file 25->85 31 ntlhost.exe 25->31         started        87 Tries to harvest and steal browser information (history, passwords, etc) 29->87 35 cmd.exe 1 29->35         started        signatures11 process12 dnsIp13 55 185.106.92.104, 49703, 49704, 49705 SUPERSERVERSDATACENTERRU Russian Federation 31->55 57 Antivirus detection for dropped file 31->57 37 conhost.exe 35->37         started        39 choice.exe 1 35->39         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9b8420f43c338d46ad5f6d437778a6951b3dfb15ee527dcef00ac6cfe680cd9/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 06:40:54 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 25 (96.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7g4eed2dym4ni2wv63kdo54knfi3hx5rl3sspxhpacwgz7tibtmq._file
Verdict:
malicious
Similar samples:
be6f2d0e8bc44799f04488d565b3550008ba754233217b3f7b3a6b92c0840caa
RecordBreaker
e1fd2d534eed837ebb0fb3b0f25732dadaf4bfd95de92b6c44935d624d991dab
RecordBreaker
e69312127d70accf9e2c20606b600b566507ae679e1b910341403a07eb57d881
RecordBreaker
e9af7f0df0759fc3dd61d34f0db78c556bb1d35df28cd683b0fddc296a8e3146
RecordBreaker
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230306-g9g8haad9s/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
32feb266db561b35249c771bdae0f1d3ad1dff502aba41d1e0c347b6500c319e
MD5 hash:
35fc2ac24b0f69804fa24923e99035b8
SHA1 hash:
6dd1e0060c19dfefbe949054677065acf66e8182
Link:
https://www.unpac.me/results/c298aeeb-f7b3-44ed-8f28-17db827c45e3/
SH256 hash:
f9b8420f43c338d46ad5f6d437778a6951b3dfb15ee527dcef00ac6cfe680cd9
MD5 hash:
acb2c61f7aef6a7ead6f5036049123c2
SHA1 hash:
9a38b8a1ef7a5feb9cc7f5d638a3e53c75b50025
Link:
https://www.unpac.me/results/c298aeeb-f7b3-44ed-8f28-17db827c45e3/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9b8420f43c3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9b8420f43c338d46ad5f6d437778a6951b3dfb15ee527dcef00ac6cfe680cd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371778/

Comments