MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 080599f44949d8022e1d5e210cd3db7ea3f02ecdaa3ccf38e93fdb933dd6eebb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 080599f44949d8022e1d5e210cd3db7ea3f02ecdaa3ccf38e93fdb933dd6eebb
SHA3-384 hash: 34a22789771a90ab71c5d91cbd25f34f02b2f886bee6690a78aa98f159dc47bc7bf66b6fd5d45408c697c65629592404
SHA1 hash: 5e5bb11ec0a2adc2cd3fd4d51f2fdbc49015cdc2
MD5 hash: 0cc066cf1fcda06eb375e9ae5bcd730d
humanhash: robert-early-speaker-cardinal
File name:0cc066cf1fcda06eb375e9ae5bcd730d.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'773'509 bytes
First seen:2023-06-08 02:05:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ab9ff6e4872ea2766a5f5c6af5649e9d (20 x CryptOne, 13 x RedLineStealer, 6 x RecordBreaker)
ssdeep 49152:NJ4HL+sY0BKdXpnsOtzxhTl0+F43YKfCI48b:NJ4HaPXpFtbR0gdKfCI4M
Threatray 10 similar samples on MalwareBazaar
TLSH T13185121E7DB0C531C47156390ABDA3247B2C3D27FAE3C6DF1FD8BB2909A089166256D2
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2c8dcc30f1ec6e87 (2 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://212.118.43.80/

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0cc066cf1fcda06eb375e9ae5bcd730d.exe
Verdict:
Malicious activity
Analysis date:
2023-06-08 02:06:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e013a1c1-a6dc-4e8e-9c5a-785b948e97be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/396723/
Detection(s):
Win.Malware.Fragtor-10001983-0
Create hunting rule

SecuriteInfo.com.Variant.Fugrafa.249470.10364.14457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Moving a file to the %temp% subdirectory
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a file
Launching a service
DNS request
Downloading the file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89817/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
alien greyware lolbin overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6481378bb5c38e10046bec9e/reports/f086300a-6e1f-4061-9215-f396e3ce41f6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/080599f44949d8022e1d5e210cd3db7ea3f02ecdaa3ccf38e93fdb933dd6eebb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9f00c689-311f-4685-b49f-60e9e9e63426
Result
Threat name:
Raccoon Stealer v2
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250783
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample uses string decryption to hide its real strings
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Download and Execute IEX
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer v2
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 883803 Sample: DAOZV20Esb.exe Startdate: 08/06/2023 Architecture: WINDOWS Score: 100 103 Snort IDS alert for network traffic 2->103 105 Multi AV Scanner detection for domain / URL 2->105 107 Found malware configuration 2->107 109 14 other signatures 2->109 11 DAOZV20Esb.exe 10 2->11         started        14 cmd.exe 2->14         started        17 cmd.exe 2->17         started        19 AYoRCDEhmlqaEiiES.exe 2->19         started        process3 file4 85 C:\Users\user\AppData\Local\Temp\...\pmon.exe, PE32 11->85 dropped 87 C:\Users\user\AppData\Local\...87pIQcuW.exe, PE32 11->87 dropped 21 NpIQcuW.exe 21 11->21         started        25 pmon.exe 15 11->25         started        131 Adds a directory exclusion to Windows Defender 14->131 28 conhost.exe 14->28         started        30 powershell.exe 14->30         started        32 conhost.exe 17->32         started        34 powershell.exe 17->34         started        signatures5 process6 dnsIp7 77 C:\Users\user\AppData\Local\...ngine.exe, PE32 21->77 dropped 123 Multi AV Scanner detection for dropped file 21->123 36 Engine.exe 503 21->36         started        97 intercobak.com 51.68.178.175, 443, 49698, 49699 OVHFR France 25->97 79 C:\ProgramData\946E.tmp.exe, PE32 25->79 dropped 125 Machine Learning detection for dropped file 25->125 39 946E.tmp.exe 25->39         started        42 cmd.exe 25->42         started        44 cmd.exe 25->44         started        file8 signatures9 process10 file11 111 Contains functionality to detect sleep reduction / modifications 36->111 46 cmd.exe 1 36->46         started        81 C:\Users\user\...\AYoRCDEhmlqaEiiES.exe, PE32 39->81 dropped 113 Antivirus detection for dropped file 39->113 115 Multi AV Scanner detection for dropped file 39->115 117 Machine Learning detection for dropped file 39->117 119 Drops PE files to the startup folder 39->119 121 Adds a directory exclusion to Windows Defender 42->121 49 powershell.exe 42->49         started        52 conhost.exe 42->52         started        54 PING.EXE 44->54         started        56 conhost.exe 44->56         started        signatures12 process13 dnsIp14 133 Obfuscated command line found 46->133 135 Uses ping.exe to sleep 46->135 137 Drops PE files with a suspicious file extension 46->137 139 Uses ping.exe to check the status of other devices and networks 46->139 58 cmd.exe 4 46->58         started        62 conhost.exe 46->62         started        91 intercobak.com 49->91 93 77.73.131.21, 49707, 80 AS43260TR Kazakhstan 49->93 95 127.0.0.1 unknown unknown 54->95 signatures15 process16 file17 83 C:\Users\user\AppData\Local\...\Bang.exe.pif, PE32 58->83 dropped 127 Obfuscated command line found 58->127 129 Uses ping.exe to sleep 58->129 64 Bang.exe.pif 58->64         started        68 powershell.exe 11 58->68         started        70 powershell.exe 11 58->70         started        72 2 other processes 58->72 signatures18 process19 dnsIp20 89 uLBSrSAkyQmABiE.uLBSrSAkyQmABiE 64->89 101 Injects a PE file into a foreign processes 64->101 74 Bang.exe.pif 64->74         started        signatures21 process22 dnsIp23 99 212.118.43.80, 49708, 80 CITYLAN-ASRU Russian Federation 74->99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/080599f44949d8022e1d5e210cd3db7ea3f02ecdaa3ccf38e93fdb933dd6eebb/
Threat name:
Win32.Spyware.Tmloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-05 14:28:12 UTC
AV detection:
29 of 37 (78.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=baczt5cjjhmaelq5lyqqzu63p2r7alwnvi6m6ohjh7nzgpow525q._file
Verdict:
malicious
Similar samples:
1f215f2d9148c8c275951c0245c9e59da552b87129343fe37364d0d281769e83
RecordBreaker
229a362af904ef7a4e3f570733f8f39689e7f79851e85c9e2b58810b6b489e41
RecordBreaker
52b32037689b59700d0b6bca6a5ceaf5ed59f5aa7b29909cdd8d2a0df04f00b5
RecordBreaker
5c4e3ad7d3bc423db78ccfa66e4c4fda9045844a802eeaed3d1dea8a936b9e10
RecordBreaker
7d21a43745dc810948ce492bda04d7efa6c7252da2083c4d21ef7c5fead6eabd
RecordBreaker
82b3797d5b89cdf94fb0b35af9b5504148d23b9dec19daadbedd36a9d3a89d8d
RecordBreaker
82cdaa8e3d8a67e7253431f84545ddccf1006fa2edaaab932669e89eded3ad5d
RecordBreaker
911b862b41c49463c28e91ff8c87aa15057a094cceb98f941af2055ebb85dd39
RecordBreaker
95c5e04a12bab61c95de5e63cb0b8730599772d3f4f46a9d6487b90841128a99
RecordBreaker
ca163d59c8bfdc492f10f130db1980c1300d9a73119475c2f5933c6b8acb46d5
RecordBreaker
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx
Link:
https://tria.ge/reports/230608-cjebpsbc3v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Runs ping.exe
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://intercobak.com/personal/loans/debug2.ps1
Unpacked files
SH256 hash:
0132c185e69550ae7fa93410b2898ef4b2d43b793bd40ccc98dd4ee9111b4f5c
MD5 hash:
3f32dd4e028f3041d35652d956742db9
SHA1 hash:
a212613b5efba77395ca764e5ab586269fbac79d
Link:
https://www.unpac.me/results/c630611a-ebc9-4006-8ba2-cd587d9b4219/
SH256 hash:
18479a0a722d7346505ac27b20a8c4ea6ac8b087010a6ed02aeb5833c9d9e7ff
MD5 hash:
8085a7221b1ca6dc5be44e029c7eb9e7
SHA1 hash:
2bffedeea6da345f53d3c27b112b0a3fbc5bb22c
Link:
https://www.unpac.me/results/c630611a-ebc9-4006-8ba2-cd587d9b4219/
SH256 hash:
1f0e489f7c3e429cf3f9fd646b37f70a4cee92d782e9e6c3de2e4877acab05aa
MD5 hash:
6adb4a40719a11471c2b455041ae5e0e
SHA1 hash:
244138c707f5f2b30736c16071203762bffba108
Link:
https://www.unpac.me/results/c630611a-ebc9-4006-8ba2-cd587d9b4219/
SH256 hash:
ea3b521ea354562c494f89a56f05bc9028d77c9b0d1e3ba404d8f274376afa5c
MD5 hash:
d33a45e0408cd91a5420ef925475db6d
SHA1 hash:
07d30282da28121517346740445559cb0241caf8
Link:
https://www.unpac.me/results/c630611a-ebc9-4006-8ba2-cd587d9b4219/
SH256 hash:
646a1598a2cb72d128a96635fa70640f85a3c1126dc55b5d137cbbce2a6db10a
MD5 hash:
48624d6fbd08e82001163125dec0cc26
SHA1 hash:
e5ed9bd8f7e17961299de3567826455a2115b02c
Link:
https://www.unpac.me/results/c630611a-ebc9-4006-8ba2-cd587d9b4219/
SH256 hash:
080599f44949d8022e1d5e210cd3db7ea3f02ecdaa3ccf38e93fdb933dd6eebb
MD5 hash:
0cc066cf1fcda06eb375e9ae5bcd730d
SHA1 hash:
5e5bb11ec0a2adc2cd3fd4d51f2fdbc49015cdc2
Link:
https://www.unpac.me/results/c630611a-ebc9-4006-8ba2-cd587d9b4219/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/080599f44949d8022e1d5e210cd3db7ea3f02ecdaa3ccf38e93fdb933dd6eebb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/396723/

Comments