MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 113b4a475304071ca2045537f2af8ba4c5db14a4ab20b2f97fa0037bbb212fda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 113b4a475304071ca2045537f2af8ba4c5db14a4ab20b2f97fa0037bbb212fda
SHA3-384 hash: e57eeb83f1740452dbc0168a3dc3b6ec719a0ebaf386404af73dc5eca9dc2710185db8bebb4ece46b9878e5528e4f4c1
SHA1 hash: b5bdda3660d883104c4e0e5b80e17f274771ecba
MD5 hash: a172adb4fda4e45585a1c794620e9d72
humanhash: johnny-queen-jupiter-six
File name:a172adb4fda4e45585a1c794620e9d72.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:849'824 bytes
First seen:2022-08-29 04:15:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 48c28d9f3783f0e32815b0b4c57a60a9 (73 x RecordBreaker, 23 x RedLineStealer, 21 x ArkeiStealer)
ssdeep 12288:cKXyc9N48+0TPYobS1rAAYaHoDJo3I4wjsgIqYlr6KEpbhruvMUm1p7n:cKXyWN48RTPYobiSjs7qWrGbhz1Z
Threatray 115 similar samples on MalwareBazaar
TLSH T1D1058E313DC48172EDE310BA46ECF931467EE0B00B2647DB5AC45BEED6606D16F32A96
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
78.153.144.6:2510

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
78.153.144.6:2510 https://threatfox.abuse.ch/ioc/845912/

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a172adb4fda4e45585a1c794620e9d72.exe
Verdict:
No threats detected
Analysis date:
2022-08-29 04:17:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/960b241b-6a0e-44f9-ac7e-bae3d1309074

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301992/
Detection(s):
SecuriteInfo.com.Variant.Lazy.238286.16821.28206.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30626/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes overlay packed wacatac
Link:
https://www.filescan.io/uploads/630c3dc02fdf5a08259012be/reports/a806e3ee-f1de-446b-90d9-5f8455c7a224/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a89707a8-70a7-40ef-9204-74fd09806593
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059480
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 691997 Sample: apA04iXllV.exe Startdate: 29/08/2022 Architecture: WINDOWS Score: 100 82 coinsurf.com 2->82 84 ultra-cheat.ru.net 2->84 86 in.appcenter.ms 2->86 102 Snort IDS alert for network traffic 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus detection for URL or domain 2->106 108 9 other signatures 2->108 11 apA04iXllV.exe 2->11         started        13 ehiujve 2->13         started        signatures3 process4 process5 15 AppLaunch.exe 11->15         started        18 WerFault.exe 23 9 11->18         started        file6 136 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->136 138 Maps a DLL or memory area into another process 15->138 140 Checks if the current machine is a virtual machine (disk enumeration) 15->140 142 Creates a thread in another existing process (thread injection) 15->142 21 explorer.exe 12 15->21 injected 58 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->58 dropped signatures7 process8 dnsIp9 96 belladama.fr 207.174.214.200, 443, 49755, 49759 PUBLIC-DOMAIN-REGISTRYUS United States 21->96 98 ilab8snah5ysh.top 194.87.94.240, 49740, 49741, 49746 MTW-ASRU Russian Federation 21->98 100 8 other IPs or domains 21->100 70 C:\Users\user\AppData\Roaming\ehiujve, PE32 21->70 dropped 72 C:\Users\user\AppData\Local\Temp\DF77.exe, PE32 21->72 dropped 74 C:\Users\user\AppData\Local\Temp\C5B5.exe, PE32 21->74 dropped 76 3 other files (2 malicious) 21->76 dropped 116 System process connects to network (likely due to code injection or exploit) 21->116 118 Benign windows process drops PE files 21->118 120 Performs DNS queries to domains with low reputation 21->120 122 3 other signatures 21->122 26 B103.exe 21->26         started        29 DF77.exe 21->29         started        31 781F.exe 4 21->31         started        34 5 other processes 21->34 file10 signatures11 process12 file13 124 Contains functionality to inject code into remote processes 26->124 126 Writes to foreign memory regions 26->126 128 Allocates memory in foreign processes 26->128 36 AppLaunch.exe 18 26->36         started        41 WerFault.exe 26->41         started        130 Machine Learning detection for dropped file 29->130 132 Injects a PE file into a foreign processes 29->132 43 AppLaunch.exe 29->43         started        45 WerFault.exe 29->45         started        80 C:\Users\user\AppData\Local\...\Update.exe, PE32 31->80 dropped 134 Multi AV Scanner detection for dropped file 31->134 47 Update.exe 8 31->47         started        49 AppLaunch.exe 34->49         started        51 AppLaunch.exe 34->51         started        53 WerFault.exe 34->53         started        signatures14 process15 dnsIp16 88 t.me 149.154.167.99, 443, 49760 TELEGRAMRU United Kingdom 36->88 90 transfer.sh 144.76.136.153, 443, 49798 HETZNER-ASDE Germany 36->90 92 49.12.72.35, 49761, 80 HETZNER-ASDE Germany 36->92 60 C:\ProgramData\40093583045216172860.exe, PE32 36->60 dropped 110 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->110 112 Tries to harvest and steal browser information (history, passwords, etc) 36->112 114 Tries to steal Crypto Currency Wallets 36->114 55 40093583045216172860.exe 36->55         started        62 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 41->62 dropped 64 C:\Users\user\AppData\Local\...\Update.exe, PE32 47->64 dropped 94 46.249.58.152, 49800, 80 SERVERIUS-ASNL Netherlands 49->94 66 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 49->66 dropped 68 C:\Users\user\AppData\LocalLow\msvcp140.dll, PE32 49->68 dropped file17 signatures18 process19 file20 78 C:\Users\user\AppData\Local\Temp\...\work.exe, PE32 55->78 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/113b4a475304071ca2045537f2af8ba4c5db14a4ab20b2f97fa0037bbb212fda/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-29 04:16:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ce5uur2taqdrziqeku37fl4lutc5wffevmqlf6l7uabxxozbf7na._file
Verdict:
malicious
Similar samples:
0a9a86d87da4b6984d7c09566b49776e41a3445aafbb1e4496925131e53b9aff
RecordBreaker
2f780fbe426ec668667aaa54a902cfab80f47cc1e3ef39017ef15845279384db
RecordBreaker
4ab91c72d0d913c2a18a74a2b9ea5bcd8b77bfb68110e56767a552a358fa0687
RecordBreaker
50b87ee5a6cb9ee5b9a40a7fe5adb1f807c3876f7499565f3f8754537945174e
RecordBreaker
6a56ad7cc45d701696652e3be5275f37f09527ecd7fdacbbf634b2532f97027a
RecordBreaker
8acf3d9eea531ae8c1ab8eabe3f22206f3771c6c25ed577a6c0010b0a43cfcc0
RecordBreaker
9c8c0c8e368d5895d29bb917517bab1bd71e529adfbd6e7c1619774c05bc0594
RecordBreaker
c6f08559551f3db557a40537c7686831bffc968df3aa6221082fa2479be4a5fa
RecordBreaker
e6173a0a906d3259d4a9006b61901262705e309a6e5bc1cdfc035e3a78e2f225
RecordBreaker
f8fbc50db8de41fbcf7dcf31883c086b50d0cc74fbbd94979893fc26c9898f76
RecordBreaker
+ 105 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220829-evspkscfc8/
Unpacked files
SH256 hash:
418d8547b63eccc2a97bc8b281c9b07cc6f5953d6b6424483595fefb14268867
MD5 hash:
f4e3c05647e8e2286ce66a4d8a442ed2
SHA1 hash:
6e3e8d1182bf6b3d396183c5cb1ee8bc76cfd4c9
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/5632bbdd-c496-4c8c-bc0f-41190cbfc1de/
Parent samples :
b5aedf88db5ca22f172a80f49264d768d19c0481e12ffd1b653ed01a2d6be104
3b5adc36b8fd04b224008a8b2fc3770532115de8973d21a0f8b3226df887c1d4
7fd6ca38752917a128110b73a95e598f823b59ad272f69fed37a6cc51919fe22
f88f894dac9ff490c6814df230381e0ec6a4a530ee701a275c7d71216ce28fdf
45ef26c608cac927535d8b6372782c09a6455184c16fa46475245fff49aaf8a8
2c440478968af666a120debc6d82a54a731ba91ac3f9b160eb356c9b52104609
cc0be8927a70eb065fc069c07204c32898074038a52cb3a689f0044d03ec0804
5b6092b1e5a7c5fd607eb7fcd5a4ae3209348893f24a38b7058862bc5e8eef3c
209b80c93f611ef2769e5d5e35c2d3ceb23a39b96ee25d3d1ea07a44e9acb520
57855f6d8037dcc7270a7a0f7a0f9e0b0613fac31b5138438a628f844f828752
8f169d7df300ae72ab257a9ad6701984419cb603707dd119df9dd5659fe8553a
314e8b9fbb7e7a02666e7c30553e56293735ece385ff77e51f0727cc79b50f0d
fde8390ff71afd7c9b0681899a26e1a6dd32b5514bb4f4f455410f8ac353f136
996ad34c1b3c0f7692ea01423ef3ab8397f84ca31af7d494bfc7df02dc95875a
6b620f28239ea5ca6db5d7b09b39d26f6686642a13746d0f9c8f6c569109295a
3c52b3fdf22c0640f3dfe322c757ee090fb39dc8237e695b7e31dbe713101275
df63ebccda1abc8744bbecfa8c8932bfe0d05539a90d0be599a5ed59c9c8ed4c
e6b4bbb310236b3f5ffe9339b74110bee9945fd033d40d5f211ac1704a44d5ce
79f68e5ca30b0b726b17f15598f6a1e72b03f9b0b0267b7d7a1171b0881ab418
aa85baadc48d92a9ac6e88cd00c82a0b71ebcd2b5500596d684dfd2f949107b9
bd70d4eb636884a814558adce76844188ac186a283fb8e6aaf9f154ae74f8513
2368195d636eeaa64af2606c602dab0ae07f06db61ca0e792337063c277f314d
d8db36a3dd6410eac0216b0dbc0b045e27058567baafa3f47309516beb5e8641
2f780fbe426ec668667aaa54a902cfab80f47cc1e3ef39017ef15845279384db
f8fbc50db8de41fbcf7dcf31883c086b50d0cc74fbbd94979893fc26c9898f76
e6173a0a906d3259d4a9006b61901262705e309a6e5bc1cdfc035e3a78e2f225
e591b90146b4483163c89abfb8186c2cb3612419210b995d44da912a0edbb3f5
c6f08559551f3db557a40537c7686831bffc968df3aa6221082fa2479be4a5fa
8a3fbe98382adc07249d50db1aab8377b9587018be3598ef35cfc5d35495519a
a6620b369dee6c28694126b0082095615115654e5bc3b71f333f4a3fe21f6738
113b4a475304071ca2045537f2af8ba4c5db14a4ab20b2f97fa0037bbb212fda
3bd622b55a64a74a2452fc882cd26f3adef86400b4d4000aed0791682dd43a25
f350aca2f9d006666d3db133138e81016910ca7a9fa759e94d99b66a49ec959a
829211e85341e401813b02bb507b55fe9c2cddd752d33bc0cf369501b257756e
1d4a3cf7719a5214e5dbb705e32ffb0f20af374d74e96b22256f96ce9eede77d
c9be74e0f09e7121dda6dbeef885d161c31c547ace3b662716674d2f3b3be668
5c9b485eebb9a1fb8301d5bc8ea80a1bf18af72ef3b885fdb7ae24c5d3fa9277
9b80c2bd0c5ec2dfe2582f49a7b58332d8a2081032bdf29ff8929c1ba0701c00
4f7ad0e22d4587766d583ec889c0062801ca9edd6ed50b9ad7154fe9e305b858
SH256 hash:
113b4a475304071ca2045537f2af8ba4c5db14a4ab20b2f97fa0037bbb212fda
MD5 hash:
a172adb4fda4e45585a1c794620e9d72
SHA1 hash:
b5bdda3660d883104c4e0e5b80e17f274771ecba
Link:
https://www.unpac.me/results/5632bbdd-c496-4c8c-bc0f-41190cbfc1de/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/113b4a475304/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/113b4a475304071ca2045537f2af8ba4c5db14a4ab20b2f97fa0037bbb212fda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 113b4a475304071ca2045537f2af8ba4c5db14a4ab20b2f97fa0037bbb212fda

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2281631/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/301992/

Comments