MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66
SHA3-384 hash: 5377568bb68b01edb733d406ea835ffded42f790be13354b01fd76a42eda2b2101dd0e09ccb9d81716d256b1444ebe61
SHA1 hash: 2dff944f970faef5c6fa92ac8fbe82c9251553f3
MD5 hash: 7a8e3d000fba0f5765b98e2d78eb9d12
humanhash: autumn-fix-lactose-alanine
File name:13744BE5698FFDDC96D55415FDEEBDE4921ED199B4174.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:288'768 bytes
First seen:2023-06-13 14:15:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d9ed3462f8a74bfd1231e2e9de56b43 (2 x Smoke Loader, 2 x GCleaner, 1 x RedLineStealer)
ssdeep 3072:tiaWGvA5BMvdYuAJ2qiGD0swth9Ewaf/s7htn5gYTtic7:t4GvAMdj40th7a3s7SYTtic
Threatray 2'161 similar samples on MalwareBazaar
TLSH T194542A13A2E13C55EA264B76DE1FC6E8761EF5B08F197769321CBA1F08B01B2D163B11
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0222010212060600 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://95.164.86.208/

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
13744BE5698FFDDC96D55415FDEEBDE4921ED199B4174.exe
Verdict:
Malicious activity
Analysis date:
2023-06-13 14:16:17 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/4a4310b8-103d-4560-bf44-bd76b35f7815

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/398409/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware mokes packed
Link:
https://www.filescan.io/uploads/64887a2408b287b7595b761a/reports/70cb9563-8786-4165-a447-6df9947dc9be/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5289c865-6866-4cde-b5a2-2775fefd7df7
Result
Threat name:
Raccoon Stealer v2, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253671
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to infect the boot sector
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Raccoon Stealer v2
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 886691 Sample: 13744BE5698FFDDC96D55415FDE... Startdate: 13/06/2023 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 9 other signatures 2->72 8 13744BE5698FFDDC96D55415FDEEBDE4921ED199B4174.exe 2->8         started        11 ebfwfrh 2->11         started        13 9093.exe 2->13         started        process3 signatures4 84 Detected unpacking (changes PE section rights) 8->84 86 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->86 88 Maps a DLL or memory area into another process 8->88 90 Creates a thread in another existing process (thread injection) 8->90 15 explorer.exe 3 7 8->15 injected 92 Multi AV Scanner detection for dropped file 11->92 94 Machine Learning detection for dropped file 11->94 96 Checks if the current machine is a virtual machine (disk enumeration) 11->96 process5 dnsIp6 52 95.164.86.244, 49710, 80 VAKPoltavaUkraineUA Gibraltar 15->52 54 189.245.66.56, 49701, 80 UninetSAdeCVMX Mexico 15->54 56 5 other IPs or domains 15->56 34 C:\Users\user\AppData\Roaming\ebfwfrh, PE32 15->34 dropped 36 C:\Users\user\AppData\Local\Temp\C6BB.exe, PE32 15->36 dropped 38 C:\Users\user\AppData\Local\Temp\9093.exe, PE32 15->38 dropped 40 C:\Users\user\...\ebfwfrh:Zone.Identifier, ASCII 15->40 dropped 58 System process connects to network (likely due to code injection or exploit) 15->58 60 Benign windows process drops PE files 15->60 62 Deletes itself after installation 15->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->64 20 C6BB.exe 3 15->20         started        23 9093.exe 15->23         started        file7 signatures8 process9 signatures10 74 Multi AV Scanner detection for dropped file 20->74 76 Machine Learning detection for dropped file 20->76 25 C6BB.exe 23 20->25         started        30 C6BB.exe 20->30         started        32 C6BB.exe 20->32         started        78 Detected unpacking (changes PE section rights) 23->78 80 Detected unpacking (overwrites its own PE header) 23->80 82 Contains functionality to infect the boot sector 23->82 process11 dnsIp12 50 95.164.86.208, 49713, 80 VAKPoltavaUkraineUA Gibraltar 25->50 42 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 25->42 dropped 44 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 25->44 dropped 46 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 25->46 dropped 48 4 other files (2 malicious) 25->48 dropped 98 Tries to harvest and steal browser information (history, passwords, etc) 25->98 100 Tries to steal Crypto Currency Wallets 25->100 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-28 13:57:40 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
30 of 37 (81.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cn2exzljr765zfwvkqk733v54sjb5umzwqlueuoyh4p5lnnalrta._file
Verdict:
malicious
Similar samples:
0c26ec308dc78ef090ebec907e1eb15d6dfdc28a85fa27e0a945fc5354a3e5f9
RecordBreaker
0cc7060ce4d11da31e6de65632d1e78d2f6c9022393f1fa49b0bf845108ca3b1
RecordBreaker
1171766b3c8e74122333aedfcf8ff32bcd2e059043af434dc57a70b6015b3e63
RecordBreaker
314b7a6d969a0f4654bb6b3a80a58087dac25c26c5777270b0f53056ec5645c0
RecordBreaker
62d622e4c6581c0dd50e5623a3328cf60ffa7e87dea131c294883a2b610f80f4
RecordBreaker
6ba6ba1ad5f6525a76e854affad5bb28d1e59c93bd26d88a9cf1da7b84ed3b27
RecordBreaker
74e17b7264117df362eb097195ec2f45be5b98594953426f81a861299dbc6958
RecordBreaker
b92797965358585eadbe928c2b8531c5575caa87cbcef1171a48f1941a10b740
RecordBreaker
c9fde93529396b5fa4d49f8932ff113dcb813a30462c32312ff1ef259ab1989d
RecordBreaker
f93b85ca07f0392ab1516a34b157e175936e45b31773d1dce409b7e4872a8946
RecordBreaker
+ 2'151 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader botnet:pub1 backdoor trojan
Link:
https://tria.ge/reports/230613-rk5bvaha71/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
SmokeLoader
Malware Config
C2 Extraction:
http://toobussy.com/tmp/
http://wuc11.com/tmp/
http://ladogatur.ru/tmp/
http://kingpirate.ru/tmp/
Unpacked files
SH256 hash:
9e51c7d45f9edc3eb8f59f6a8b0dc4bcc716b5956171e6dde8bb51089b9c9a6a
MD5 hash:
e635ded1f5a9548bad84cc629f13d7de
SHA1 hash:
0603a76be16e973f2bc604f1aab4d396861b014d
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/941da0df-4250-432d-b6d4-9beffd2c117b/
Parent samples :
a51b880c04fcc66cc1c561b3b490b04db675f2775bbf1dfc299572d2401e706d
8ba95cf7643edb6a572e660d541d96c8e1c138c76dd6e476c5943fe2d50ef59a
6e06846b13c0f90b5c2a600b9a95106cb7af27b8fe78dba06916263c780eddb4
13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66
SH256 hash:
13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66
MD5 hash:
7a8e3d000fba0f5765b98e2d78eb9d12
SHA1 hash:
2dff944f970faef5c6fa92ac8fbe82c9251553f3
Link:
https://www.unpac.me/results/941da0df-4250-432d-b6d4-9beffd2c117b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13744be5698ffddc96d55415fdeebde4921ed199b4174251d83f1fd5b5a05c66

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/398409/

Comments