MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26cf3a7e5c1cda03282d249613c58cf3f924f714b2c2b8eff975067965e6f632. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	26cf3a7e5c1cda03282d249613c58cf3f924f714b2c2b8eff975067965e6f632
SHA3-384 hash:	c1599b4c550decc926d4f7f1e677f08df1ba74458de7d1c05f82a4475cb92983b92210a0daf0df754e56154f298ac040
SHA1 hash:	a75c048cb54eb803d2f9c697aa516ffb42e126cc
MD5 hash:	8768d2b704210362a9a64fb7a747c622
humanhash:	don-california-bluebird-purple
File name:	8768d2b704210362a9a64fb7a747c622.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	2'091'242 bytes
First seen:	2022-07-20 18:47:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep	49152:pAI+UKkhmq5x5LWheY1JZFcq1lSiBxad9mP4svapRzyreY:pAI+98Y/xcqq8ajmv2zyt
TLSH	T101A52335E503C1BAE1A119319D43E676B13AFA400A6C14DFB7DD5D18BC333AA1A6839F
TrID	86.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 5.6% (.EXE) InstallShield setup (43053/19/16) 1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.7% (.SCR) Windows screen saver (13101/52/3) 1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe recordbreaker

Intelligence

File Origin

# of uploads :

# of downloads :

338

Origin country :

n/a

Vendor Threat Intelligence

Detection:

generic

Link:

https://www.capesandbox.com/analysis/292983/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader45.4877.6364.31479.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Delayed reading of the file

Creating a file in the %temp% subdirectories

Сreating synchronization primitives

Creating a file in the Program Files subdirectories

Modifying a system file

Creating a process from a recently created file

Launching a process

Creating a process with a hidden window

Searching for the window

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Reading critical registry keys

Searching for the browser window

Running batch commands

Launching the default Windows debugger (dwwin.exe)

Launching the process to change network settings

Unauthorized injection to a recently created process

Stealing user critical data

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26868/overview

Behaviour

MalwareBazaar

CPUID_Instruction

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62d84e26ef2b0e63a82a9b2e/reports/aec62ce3-7c5c-4881-85f2-ccc1ea712259/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Tandem Espionage

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66dd6b2c-9d1d-4c9f-9fab-5675dc11562a

Result

Threat name:

AgentTesla, Eternity Stealer, RedLine, V

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1037843

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/26cf3a7e5c1cda03282d249613c58cf3f924f714b2c2b8eff975067965e6f632/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-07-20 10:12:20 UTC

File Type:

PE (Exe)

AV detection:

24 of 40 (60.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e3htu7s4dtnagkbneslbhrmm6p4sj5yuwlblr37zoudhszpg6yza._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:eternity family:redline family:vidar botnet:1513 botnet:1521 botnet:4 botnet:@hashcats botnet:@hctrzzz botnet:@tag12312341 botnet:nam3 collection discovery infostealer persistence spyware stealer

Link:

https://tria.ge/reports/220720-xfsedafcd8/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Kills process with taskkill

Modifies Internet Explorer settings

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Detects Eternity stealer

Eternity

RedLine

RedLine payload

Vidar

Malware Config

C2 Extraction:

103.89.90.61:18728
31.41.244.134:11643
62.204.41.144:14096
https://t.me/korstonsales
https://climatejustice.social/@ffoleg94
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
194.36.177.32:40788
23.88.106.138:33522

Unpacked files

SH256 hash:

e029278d3c05dd3be9b5e8a31a2bf127736bebb0091fb72851828055a2788c1f

MD5 hash:

94d4d04ce4f11c82312e8cad15534f74

SHA1 hash:

f8ea010e27658e348bf5c160f8040567abb1afca

Link:

https://www.unpac.me/results/ddf107f3-f091-4c44-b534-d012c9a68ec0/

SH256 hash:

ae821495b07f0e11b7d35fca4ae10ca75858e763ec3110a4018e6850c16b3ba6

MD5 hash:

97398f81a3f8bc1247090e9d0350e66b

SHA1 hash:

b4a1f2d59305f93dbefbf5b388dacaca1bef15b9

Link:

https://www.unpac.me/results/ddf107f3-f091-4c44-b534-d012c9a68ec0/

SH256 hash:

88061fc99b8d011006de3f808f8b1c8d239268ef76585eacf2cbb29d7926c800

MD5 hash:

3ec84227a46b0cddb9ddf31a2168e66d

SHA1 hash:

6f8861a0cd91ea97b1f2125319b55cbee689627f

Link:

https://www.unpac.me/results/ddf107f3-f091-4c44-b534-d012c9a68ec0/

SH256 hash:

228edf139bd9ecc269943af6a04d29ef25e3fb0bd04f3590d49105e536188339

MD5 hash:

39a0e25190044817cc709ccaa17cd405

SHA1 hash:

5a58974f436caf5623d77370f03e269fb806fe99

Link:

https://www.unpac.me/results/ddf107f3-f091-4c44-b534-d012c9a68ec0/

SH256 hash:

0f3d91aafba7c273ca641b3040445812aa2308b530c6827e917175027e2f0ace

MD5 hash:

ee7e1e81d02dfa1959c7edf6fdf8ab3a

SHA1 hash:

67baf3a887c5ca11362f6459d77ff73e664cf1bf

Link:

https://www.unpac.me/results/ddf107f3-f091-4c44-b534-d012c9a68ec0/

SH256 hash:

26cf3a7e5c1cda03282d249613c58cf3f924f714b2c2b8eff975067965e6f632

MD5 hash:

8768d2b704210362a9a64fb7a747c622

SHA1 hash:

a75c048cb54eb803d2f9c697aa516ffb42e126cc

Link:

https://www.unpac.me/results/ddf107f3-f091-4c44-b534-d012c9a68ec0/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/26cf3a7e5c1c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/26cf3a7e5c1cda03282d249613c58cf3f924f714b2c2b8eff975067965e6f632

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

exe 26cf3a7e5c1cda03282d249613c58cf3f924f714b2c2b8eff975067965e6f632

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2258195/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/292983/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample