MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11a161f3413da2cb192c2146d7d0ac592efa3d8fda9eaf64b59e03a2707671f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 13

SHA256 hash: 11a161f3413da2cb192c2146d7d0ac592efa3d8fda9eaf64b59e03a2707671f3
SHA3-384 hash: 641d4d3a6bcd20097e8928452591952b4af46271a8e3704c186de98755fe1d120679a50cfd390172b9ef8b9ecdb1ab51
SHA1 hash: a0337899eb6ac18a2010ff89c11a3fc43bea73c3
MD5 hash: 6b3ce871d1294f1859fc0adaef31f42a
humanhash: earth-nuts-utah-autumn
File name: 11a161f3413da2cb192c2146d7d0ac592efa3d8fda9eaf64b59e03a2707671f3
Download: download sample
Signature: RecordBreaker
File size: 6'360'056 bytes
First seen: 2022-07-25 22:21:31 UTC
Last seen: 2022-07-27 17:27:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ab9ff6e4872ea2766a5f5c6af5649e9d (20 x CryptOne, 13 x RedLineStealer, 6 x RecordBreaker)
ssdeep: 196608:xJpN8EBEct/WzOfHlIjaMos14V5RnDrWo:rFt/WzOvy7osiV5Rn2o
TLSH: T1FE5633167CD105B0EE2907B0B8B2A65476661DF3E3F9928B47C07D25F271BC17A2EB42
TrID:
  91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 9269e892b2b2d4a8 (1 x RecordBreaker)
Reporter: crep1x
Tags: exe recordbreaker vidar

Intelligence

File Origin
# of uploads: 2
# of downloads: 437
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Running batch commands
Launching a process
Delayed reading of the file
Creating a file in the Program Files subdirectories
Modifying a system file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Unauthorized injection to a browser process
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Tandem Espionage
Verdict: Malicious
Result
Threat name: Nitol, Raccoon Stealer v2, RedLine, Vida
Detection: malicious
Classification: bank.troj.adwa.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nitol
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 673229, Sample AHy2heusTp, Startdate 26/07/2022, Architecture WINDOWS, Score 100 (graph rendering not reproduced here)
Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2022-07-24 17:08:08 UTC
File Type: PE (Exe)
Extracted files: 72
AV detection: 35 of 40 (87.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:eternity family:redline family:vidar botnet:1521 botnet:4 botnet:@tag12312341 botnet:nam3 botnet:vukong discovery infostealer spyware stealer vmprotect
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Detects Eternity stealer
Eternity
Process spawned unexpected child process
RedLine
RedLine payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
15.235.171.56:30730
103.89.90.61:18728
31.41.244.134:11643
62.204.41.144:14096
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
https://t.me/korstonsales
https://climatejustice.social/@ffoleg94
Unpacked files
Malware family: BlackWorm
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments