MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f322ccd5f31968a168f37aab62f4d772dd485343994ac43e171f8e1deea08c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 13



SHA256 hash: 2f322ccd5f31968a168f37aab62f4d772dd485343994ac43e171f8e1deea08c1
SHA3-384 hash: 7d2e79358c32991566bfc7c1847f90ad14e1bb2c6682494e5d5f013adafad5169ef130d37a24fac1da74b35f2f8d224d
SHA1 hash: ebfb142a3cf7dc4ec0e97ac8e37377cbe4ab49b5
MD5 hash: a58fb3bf9470b24251cb4862d6fff917
humanhash: missouri-oregon-artist-lactose
File name: a58fb3bf9470b24251cb4862d6fff917.exe
Signature RecordBreaker
File size: 325'632 bytes
First seen: 2022-12-22 17:25:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash e2fbd52fa7b02ff00c94c82776d491b3 (4 x Smoke Loader, 3 x RecordBreaker, 2 x Tofsee)
ssdeep 6144:PiILx1+bkLrAdO3+HRS8uQyM0ZdwYRR0cSpQTtyzsduHNIv:6IdQbkg2+HN3BIeYRR0TCtyYduHNI
Threatray 14'958 similar samples on MalwareBazaar
TLSH T1BD64BE217391E862CB120678CD75EAE01AEDB8714921D79A27076BDF3F703D1A5332E9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon fcfc94b4a4949dc0 (1 x RecordBreaker)
Reporter abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://195.133.75.104/

Intelligence


File Origin
Uploads: 1
Downloads: 205
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
a58fb3bf9470b24251cb4862d6fff917.exe
Verdict:
Malicious activity
Analysis date:
2022-12-22 17:26:08 UTC
Tags:
trojan loader smoke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
DNS request
Sending an HTTP POST request
Creating a process from a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Raccoon Stealer v2, SmokeLoader
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Raccoon Stealer v2
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 772229
Sample: B6eIDvC2UR.exe
Start date: 22/12/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree (node numbers are the graph's own):
B6eIDvC2UR.exe (8)
    Detected unpacking (changes PE section rights)
    Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
    Maps a DLL or memory area into another process
    -> injects into explorer.exe (17)
caijdca (11)
    Machine Learning detection for dropped file
    Checks if the current machine is a virtual machine (disk enumeration)
    Creates a thread in another existing process (thread injection)
caijdca (13)
61C3.exe (15)
explorer.exe (17, injected)
    Network: 187.156.18.69 (ports 49710, 49718, 80; UninetSAdeCVMX, Mexico); 181.94.48.228 (ports 49705, 49711, 80; TelecomArgentinaSAAR, Argentina); 10 other IPs or domains
    Dropped: C:\Users\user\AppData\Roaming\caijdca (PE32); C:\Users\user\AppData\Local\Temp\CC36.exe (PE32); C:\Users\user\AppData\Local\Temp\AD57.exe (PE32); 2 other malicious files
    System process connects to network (likely due to code injection or exploit)
    Benign windows process drops PE files
    Deletes itself after installation
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> starts CC36.exe (22), AD57.exe (25), 61C3.exe (28)
CC36.exe (22)
    Multi AV Scanner detection for dropped file
    Machine Learning detection for dropped file
    Injects a PE file into a foreign processes
    -> starts CC36.exe (30)
AD57.exe (25)
    Dropped: C:\Users\user\AppData\...\Dsdoiysdsysh.tmp (PE32)
    Detected unpacking (changes PE section rights)
    Detected unpacking (overwrites its own PE header)
    -> starts rundll32.exe (35)
CC36.exe (30)
    Network: 195.133.75.104 (ports 49725, 80; MTW-ASRU, Russian Federation)
    Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\LocalLow\softokn3.dll (PE32); C:\Users\user\AppData\LocalLow\nss3.dll (PE32); 4 other files (2 malicious)
    Tries to harvest and steal browser information (history, passwords, etc)
    Tries to steal Crypto Currency Wallets
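The hashes, C2 addresses and drop paths in this entry are what a responder sweeps for. The script below is an added example, not MalwareBazaar's or any sandbox vendor's code. It computes the four digests the entry lists for a file, looks any of them up in an IOC set copied from the entry, flags the payload staging locations the behaviour graph shows, and runs the C2 addresses over proxy-log lines. The log format and the log lines are constructed; the IOC values are the entry's own. Note that the sandboxes classify the submitted file as SmokeLoader, with Raccoon Stealer v2 (RecordBreaker) appearing as the dropped CC36.exe that contacts 195.133.75.104, so the IOC set covers both stages.

```python
"""IOC sweep built from the MalwareBazaar entry above.

Added example, not MalwareBazaar or vendor code. Hash, IP and path values are
copied from the entry; the proxy-log format and the log lines are constructed.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# File-hash IOCs from the entry. Any algorithm the entry lists is accepted,
# because an EDR export may carry only one of them.
FILE_IOCS = {
    "2f322ccd5f31968a168f37aab62f4d772dd485343994ac43e171f8e1deea08c1":
        "submitted sample (SmokeLoader, drops Raccoon Stealer v2 / RecordBreaker)",
    "ebfb142a3cf7dc4ec0e97ac8e37377cbe4ab49b5": "submitted sample (SHA1)",
    "a58fb3bf9470b24251cb4862d6fff917": "submitted sample (MD5)",
    "cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383":
        "unpacked SmokeLoader stage 2",
}

# Network IOCs from the behaviour graph and the reporter's comment.
NETWORK_IOCS = {
    "195.133.75.104": "Raccoon Stealer v2 C2 (contacted by dropped CC36.exe)",
    "187.156.18.69": "SmokeLoader traffic from injected explorer.exe",
    "181.94.48.228": "SmokeLoader traffic from injected explorer.exe",
}

# Raccoon stages browser-credential helper DLLs under %LOCALAPPDATA%Low. The
# names are legitimate Mozilla/SQLite libraries, so the location, not the
# file name alone, is the indicator.
STAGED_DLLS = {"sqlite3.dll", "softokn3.dll", "nss3.dll"}
LOADER_DROP = "caijdca"   # SmokeLoader persistence copy under %APPDATA%\Roaming


def hash_bytes(data):
    """Return the four digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def hash_file(path, chunk=1 << 20):
    """Same digests, streamed, for files too large to read at once."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha3_384")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}


def match_hashes(digests):
    """Look every digest up in the IOC set (case-insensitive); first hit wins."""
    for value in digests.values():
        label = FILE_IOCS.get(value.lower())
        if label:
            return label
    return None


def is_stealer_staging_path(path):
    """True for the drop locations the behaviour graph attributes to the payload."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    name = p.name.lower()
    if name in STAGED_DLLS and "appdata" in parts and "locallow" in parts:
        return True
    return name == LOADER_DROP and parts[-3:-1] == ["appdata", "roaming"]


# Constructed "ts src -> dst:port METHOD url" proxy-log format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def scan_proxy_log(lines):
    """Flag log lines whose destination is one of the entry's C2 hosts."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        label = NETWORK_IOCS.get(m["dst"])
        if label:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "method": m["method"], "label": label})
    return hits


# Constructed sample log: two C2 contacts, one benign request, one bad line.
SAMPLE_LOG = [
    "2022-12-22T17:30:01Z 10.0.0.12 -> 195.133.75.104:80 POST http://195.133.75.104/",
    "2022-12-22T17:30:02Z 10.0.0.12 -> 93.184.216.34:443 GET https://example.com/",
    "2022-12-22T17:30:05Z 10.0.0.12 -> 187.156.18.69:80 POST http://187.156.18.69/",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} {hit['method']}: {hit['label']}")
    print(is_stealer_staging_path(r"C:\Users\user\AppData\LocalLow\nss3.dll"))
```

Feed `hash_file` the path of a suspect binary and pass the result to `match_hashes`; for EDR file-create events, pass the path to `is_stealer_staging_path`. The hash lookup is exact, so it will not catch a repacked build; the imphash, ssdeep and TLSH values the entry lists are what you would pivot on for that, with the tooling that computes them.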
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2022-12-22 17:26:07 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:smokeloader backdoor collection discovery spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Detects Smokeloader packer
SmokeLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
MD5 hash:
cb4573fa9acae5c637fced7e7cb8192c
SHA1 hash:
d2145f53a192e768b8bfbf9b633941790424ff7f
Detections:
win_smokeloader_a2 SmokeLoaderStage2
Parent samples:
SHA256 hash:
2f322ccd5f31968a168f37aab62f4d772dd485343994ac43e171f8e1deea08c1
MD5 hash:
a58fb3bf9470b24251cb4862d6fff917
SHA1 hash:
ebfb142a3cf7dc4ec0e97ac8e37377cbe4ab49b5
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 2f322ccd5f31968a168f37aab62f4d772dd485343994ac43e171f8e1deea08c1 (this sample)

Delivery method
Distributed via web download

Comments