{ "id": "bdab48ff-cd40-4223-b50d-e13dca0bd2ff", "created_at": "2026-04-06T00:09:25.665873Z", "updated_at": "2026-04-10T03:37:09.351243Z", "deleted_at": null, "sha1_hash": "179188eb9d14e02b9eb0318161c50bb3dcfd4474", "title": "New Info-stealer Disguised as Crack Being Distributed", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1818861, "plain_text": "New Info-stealer Disguised as Crack Being Distributed\r\nBy ATCP\r\nPublished: 2022-06-21 · Archived: 2026-04-05 21:06:44 UTC\r\nThe ASEC analysis team has previously uploaded posts about various malware types that are being distributed by disguising\r\nthemselves as software cracks and installers. CryptBot, RedLine, and Vidar are major example cases. Recently, a single\r\nmalware type of RedLine has disappeared (it is still being distributed as a dropper type) and a new infostealer malware is\r\nbeing actively distributed instead. Its distribution became in full swing starting from May 20th, globally categorized as\r\n“Recordbreaker Stealer.” Some analyses see it as a new version of Raccoon Stealer.\r\nThe malware is created when users search for cracks, serial numbers, installers, etc. of commercial software and access the\r\nwebpage to download and decompress files.\r\nIt is mainly distributed in an abnormally large size with a huge amount of padding added. The padding is inserted between\r\nthe last section and the certificate area.\r\nAs such, the size of file downloaded from a website is between 3 to 7MB, while the size of the malware created upon\r\ndecompressing the file is between 300 to 700MB. The malware icons use installer images or those of popular software. In\r\nsome cases, it may be distributed in a typical packing method by dropper or downloader.\r\nhttps://asec.ahnlab.com/en/35981/\r\nPage 1 of 6\n\nWhen the malware is run, it downloads additional libraries depending on the command from C2 (settings value) to collect\r\nvarious sensitive information from the user PC and send it back to C2. The target information for stealing is decided by the\r\nC2 settings. Additional malware strains may also be installed. The following figure shows the network behaviors for the\r\noverall execution flow.\r\nWhen it first accesses C2, the malware sends the user name, MachineGUID value, and hard-coded key values within the\r\nsample and receives the settings data. The data includes the list of information that will be stolen and the download URL for\r\nthe libraries needed to collect information.\r\nInitial samples had different domains for C2 and downloading libraries, but recent samples use the same URL for both. The\r\nC2s for the malware do not tend to last long. In fact, about 2 – 3 samples with new C2 domains are being distributed in a\r\nsingle day. The malware uses the “record” string as a value for User-Agent when communicating with the C2.\r\nhttps://asec.ahnlab.com/en/35981/\r\nPage 2 of 6\n\nThe targets for stealing in the settings data are mainly strings related to cryptocurrencies such as browser plugin wallets and\r\nopen source wallets. It seems basic targets such as browser cookies, IDs, and passwords are chosen if the related libraries\r\nexist. The table below shows an example of the settings data for the analysis sample.\r\nlibs_nss3:http://146.19.247[.28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll libs_msvcp140:http://146.19.247[.28/aN7jD0qO6kT5bK5bQ4e\r\nExtension Settings\r\news_tronl:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings\r\nlibs_sqlite3:http://146.19.247[.28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll\r\news_bsc:fhbohimaelbohpjbbldcngcnapndodjp;BinanceChain;Local Extension Settings\r\news_ronin:fnjhmkhhmkbjkkabndcnnogagogbneec;Ronin;Local Extension Settings\r\nwlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*\r\nwlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*\r\nwlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*\r\nwlts_binance:Binance;26;Binance;*app-store.*;-\r\nwlts_coinomi:Coinomi;28;Coinomi\\Coinomi\\wallets;*;-\r\nwlts_electrum:Electrum;26;Electrum\\wallets;*;-\r\nwlts_elecltc:Electrum-LTC;26;Electrum-LTC\\wallets;*;-\r\nwlts_elecbch:ElectronCash;26;ElectronCash\\wallets;*;-\r\nwlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB*\r\nwlts_green:BlockstreamGreen;28;Blockstream\\Green;*;cache,gdk,*logs*\r\nwlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite*\r\news_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings\r\news_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings\r\nsstmnfo_System Info.txt:System Information:\r\n|Installed applications:\r\n|\r\nlibs_nssdbm3:http://146.19.247[.28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll\r\nwlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*\r\nwlts_mymonero:MyMonero;26;MyMonero;*;*cache*\r\nwlts_xmr:Monero;5;Monero\\\\wallets;*.keys;- wlts_wasabi:Wasabi;26;WalletWasabi\\\\Client;*;*tor*,*log*\r\news_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings\r\news_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB\r\news_waveskeeper:lpilbniiabackdjcionkobglmddfbcjo;WavesKeeper;Local Extension Settings\r\news_solflare:bhhhlbepdkbapadjdnnojkbgioiodbic;Solflare;Local Extension Settings\r\news_rabby:acmacodkjbdgmoleebolmdjonilkdbch;Rabby;Local Extension Settings\r\news_cyano:dkdedlpgdmmkkfjabffeganieamfklkm;CyanoWallet;Local Extension Settings\r\news_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB\r\news_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings\r\news_khc:hcflpincpppdclinealmandijcmnkbgn;KHC;Local Extension Settings\r\news_tezbox:mnfifefkajgofkcjkemidiaecocnkjeh;TezBox;Local Extension Settings\r\news_coin98:aeachknmefphepccionboohckonoeemg;Coin98;Local Extension Settings\r\news_temple:ookjlbkiijinhpmnjffcofjonbfbgaoc;Temple;Local Extension Settings\r\news_iconex:flpiciilemghbmfalicajoolhkkenfel;ICONex;Local Extension Settings\r\news_sollet:fhmfendgdocmcbmfikdcogofphimnkno;Sollet;Local Extension Settings\r\news_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings\r\news_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settings\r\news_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Settings\r\news_keplr:dmkamcknogkgcdfhhbddcghachkejeap;Keplr;Local Extension Settings\r\news_terra_e:ajkhoeiiokighlmdnlakpjfoobnjinie;TerraStation;Local Extension Settings\r\news_terra:aiifbnbfobpmeekipheeijimdpnlpgpp;TerraStation;Local Extension Settings\r\news_liquality:kpfopkelmapcoipemfendmdcghnegimn;Liquality;Local Extension Settings\r\news_saturn:nkddgncdjgjfcddamfgcmfnlhccnimig;SaturnWallet;Local Extension Settings\r\news_guild:nanjmdknhkinifnkgdcggcfnhdaammmj;GuildWallet;Local Extension Settings\r\nhttps://asec.ahnlab.com/en/35981/\r\nPage 3 of 6\n\news_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings\r\news_tronlink:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings\r\news_brave:odbfpeeihdkbihmopkbjmoonfanlbfcl;Brave;Local Extension Settings\r\news_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings\r\news_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings\r\news_mewcx:nlbmnnijcnlegkjjpcfjclmcfggfefdm;MEW_CX;Sync Extension Settings\r\news_ton:cgeeodpfagjceefieflmdfphplkenlfk;TON;Local Extension Settings\r\news_goby:jnkelfanjkeadonecabehalmbgpfodjm;Goby;Local Extension Settings\r\news_ton_ex:nphplpgoakhhjchkkhmiggakijnkhfnd;TON;Local Extension Settings\r\nscrnsht_Screenshot.jpeg:1\r\ntlgrm_Telegram:Telegram Desktop\\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*\r\ntoken:e1cf7053cd9066b051c048495a128811  \r\nTable 1. Full text for C2 response setting data\r\nThe sample steals basic system information, the list of installed programs, screenshots, data saved in browsers, and various\r\ncryptocurrency wallet information. The information that is stolen may vary depending on the C2’s response. For example,\r\none type of C2 does not steal screenshots but commands the malware to steal all txt files within the desktop and subfolders\r\nof My Documents.\r\nSince June 17th, the C2s have been responding with settings value that downloads and runs additional malware besides\r\nlibraries that will be used to steal information. The currently installed malware is ClipBanker\r\n(74744fc068f935608dff34ecd0eb1f96). It stays in the system by being registered in the task scheduler and changes the\r\ncryptocurrency wallet address string in the clipboard to that of the attacker. The history of related samples implies that the\r\nmalware additionally installed other malware strains during the initial distribution stage.\r\nThe process of stealing information and installing ClipBanker is similar to that of CryptBot distribution. CryptBot is also\r\nbeing actively distributed at the moment.\r\nCryptBot Infostealer Constantly Changing and Being Distributed\r\nTable 2. Settings value for installing additional malware\r\nThe following table shows a part of the attacker’s wallet address.\r\nBTC\r\n19iQuuqoVQPAtRhzm4GvNuM3bj4Nm29ByX\r\n32h53ccRQW6Vyw4rqR22xmip34WcC6pnFL\r\nhttps://asec.ahnlab.com/en/35981/\r\nPage 4 of 6\n\nbc1qnd4p4vh6zvq68s7m70dvuzejfq2rfmqdlzmmse\r\nETH\r\n0xF22ffD5be6efc35390dfD044B7156CC56C5d41f8\r\nDASH\r\nXb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg\r\nDOGE\r\nD7kjwr9bTZCd4u8ws7KLvKsv71ai53vppJ\r\nLTC\r\nLUYBs28KD92zYYjG28gWq9GFvvsWE6KoeN\r\n…\r\nTable 3. Wallet address for alteration\r\nOne characteristic of Record Stealer is that it uses strings with certain meanings when decrypting strings it uses. At the\r\ninitial stage, it used “credit19” as a key. Samples that are distributed after May 28th use the string “edinayarossiya”.\r\nThe sample has a code that checks if the user’s default locale (language) is Russian, but the result does not make any\r\ndifference for the behaviors.\r\nBecause malware distributed by being disguised as software cracks has diverse variants and is distributed in large amounts,\r\nusers need to take caution. They should not download files from untrusted websites. Also, executables that are downloaded\r\nafter multiple redirections are most likely to be malicious files. Moreover, if the file’s size increases to an abnormal degree\r\nafter being decompressed, it might be the case discussed earlier in this post.\r\nAhnLab products detect and block the malware type using the following aliases:\r\nInfostealer/Win.RecordStealer.R498039\r\nInfostealer/Win.RecordStealer.R500009\r\nInfostealer/Win.PassStealer.R496906\r\nTrojan/Win.ClipBanker.C5166957\r\nand more\r\nMD5\r\n0013a631fa834f5bc5e030915f04bae3\r\n02b4bc8444cbbe15c4d5cac0c64dbd40\r\n058874fe5f95c762a3fa016faf1077a1\r\n06c09cc561f860fec73a342d5948c064\r\n074e3f68a87a7eed362466c685ca4190\r\nAdditional IOCs are available on AhnLab TIP.\r\nFQDN\r\nhttps://asec.ahnlab.com/en/35981/\r\nPage 5 of 6\n\nboth-those[.]xyz\r\nbrain-lover[.]xyz\r\nbroke-bridge[.]xyz\r\ncool-story[.]xyz\r\ncover-you[.]site\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\n135[.]181[.]105[.]89\r\n146[.]19[.]247[.]28\r\n146[.]19[.]247[.]52\r\n146[.]19[.]75[.]8\r\n146[.]70[.]124[.]71\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner\r\nbelow.\r\nSource: https://asec.ahnlab.com/en/35981/\r\nhttps://asec.ahnlab.com/en/35981/\r\nPage 6 of 6\n\nthe libraries needed Initial samples had to collect information. different domains for C2 and downloading libraries, but recent samples use the same URL for both. The\nC2s for the malware do not tend to last long. In fact, about 2-3 samples with new C2 domains are being distributed in a\nsingle day. The malware uses the “record” string as a value for User-Agent when communicating with the C2.\n Page 2 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://asec.ahnlab.com/en/35981/" ], "report_names": [ "35981" ], "threat_actors": [ { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434165, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/179188eb9d14e02b9eb0318161c50bb3dcfd4474.pdf", "text": "https://archive.orkl.eu/179188eb9d14e02b9eb0318161c50bb3dcfd4474.txt", "img": "https://archive.orkl.eu/179188eb9d14e02b9eb0318161c50bb3dcfd4474.jpg" } }