MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 026f8c480b69457ff76c209dcee8eef06d1586c56b4f49a5dba739b46d68e942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 026f8c480b69457ff76c209dcee8eef06d1586c56b4f49a5dba739b46d68e942
SHA3-384 hash: 1a400617cb7eb41a343651bc47176b440b1880f9d066d4b8bae977ee61f70739b0b3d1b82fc3f4cfc90f9cea0e39a9f6
SHA1 hash: a7452f6e006a60c744b0a031f4ba516c63946751
MD5 hash: 38742a7027af41338837295a760ddfe8
humanhash: washington-california-whiskey-hotel
File name:38742a7027af41338837295a760ddfe8.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:278'016 bytes
First seen:2022-10-05 17:25:45 UTC
Last seen:2022-10-05 17:28:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a596efd3ece07541c870212462e1f62 (4 x GCleaner, 3 x RedLineStealer, 2 x RecordBreaker)
ssdeep 6144:5JJFQoLh0o+2zk1dnk6d2Wbn4bNppkuzbgwuPFxwVfUl:56o90o+2Q1dk6k5NkunnSl
Threatray 10'196 similar samples on MalwareBazaar
TLSH T18E44CF30B6AEC475D6A315704874DBA12B3BBC7255B4814B3B14265E1EB3ACC9AF231F
TrID 39.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 10f0ccc8c8c4f010 (2 x RecordBreaker, 1 x Smoke Loader)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://45.67.231.93/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.67.231.93/ https://threatfox.abuse.ch/ioc/871648/

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316990/
Detection(s):
Win.Packed.Zard-9972749-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41363/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware
Link:
https://www.filescan.io/uploads/633dbe2a49c58ce767c63f92/reports/8a11135f-55d7-4434-86cd-37181a2059c0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f838a1ba-2ba6-4a5a-8a0d-d6af4395f0e8
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084328
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716886 Sample: 6vfENgzvcM.exe Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 24 Multi AV Scanner detection for domain / URL 2->24 26 Malicious sample detected (through community Yara rule) 2->26 28 Antivirus detection for URL or domain 2->28 30 4 other signatures 2->30 6 6vfENgzvcM.exe 2->6         started        9 dvifcff 2->9         started        process3 signatures4 32 Detected unpacking (changes PE section rights) 6->32 34 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 6->34 36 Maps a DLL or memory area into another process 6->36 38 Creates a thread in another existing process (thread injection) 6->38 11 explorer.exe 2 6->11 injected 40 Multi AV Scanner detection for dropped file 9->40 42 Machine Learning detection for dropped file 9->42 44 Checks if the current machine is a virtual machine (disk enumeration) 9->44 process5 dnsIp6 20 host-file-host6.com 176.124.192.17, 49703, 80 GULFSTREAMUA Russian Federation 11->20 22 host-host-file8.com 11->22 16 C:\Users\user\AppData\Roaming\dvifcff, PE32 11->16 dropped 18 C:\Users\user\...\dvifcff:Zone.Identifier, ASCII 11->18 dropped 46 System process connects to network (likely due to code injection or exploit) 11->46 48 Benign windows process drops PE files 11->48 50 Deletes itself after installation 11->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->52 file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/026f8c480b69457ff76c209dcee8eef06d1586c56b4f49a5dba739b46d68e942/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 18:14:56 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajxyysalnfcx753meco452ho6bwrlbwfnnhutjo3u443i3li5fba._file
Verdict:
malicious
Similar samples:
02bcb080116ab55475edbcd1293246a0e5d8894793ee9e699db805bff2935408
RecordBreaker
1d99ddd268999f74dca4db86de66032f58dc3e4674f2af2b0ed0770eff565c11
RecordBreaker
4341a8545883c15a609e8ed0b76c28e2ba3a82192e895b1f82b64a1d3258bb15
RecordBreaker
4f9f2d3789809c1f34877a5cd109aabeccea14c1cfe423ea271cc7cd0178b23a
RecordBreaker
59875a842587d6a4e76304ab84b621513b5f3714680ff3a5c71733fc5178865b
RecordBreaker
6f219b6db1cbae753d727d2c90a0699b36f2da08a7a27781e1757abae28d6777
RecordBreaker
742d2a8c9a56567941c05d9d55a29c25da0a5fc5737e5720e1bdb3a50912d1f6
RecordBreaker
88626ba260ddb895a68d546cfb33eac0bb9c598286f20d581a755439f014a66c
RecordBreaker
d675bcdbbbafe997bc10ac363266e76a8337901b4129e2401cb810c5ab561c55
RecordBreaker
+ 10'186 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/221005-vzvyhafcbp/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Detects Smokeloader packer
SmokeLoader
Unpacked files
SH256 hash:
026f8c480b69457ff76c209dcee8eef06d1586c56b4f49a5dba739b46d68e942
MD5 hash:
38742a7027af41338837295a760ddfe8
SHA1 hash:
a7452f6e006a60c744b0a031f4ba516c63946751
Link:
https://www.unpac.me/results/9dbdd9e6-8f41-4343-9c34-47363dae73e9/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/026f8c480b69/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/026f8c480b69457ff76c209dcee8eef06d1586c56b4f49a5dba739b46d68e942

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 026f8c480b69457ff76c209dcee8eef06d1586c56b4f49a5dba739b46d68e942

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2309167/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2312380/
Cape
Cape
https://www.capesandbox.com/analysis/316990/

Comments