MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c68021a0cfd53b56a90a6e956750b4554d25c184d2e12239a8c47b4363cd50d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 9

SHA256 hash: 3c68021a0cfd53b56a90a6e956750b4554d25c184d2e12239a8c47b4363cd50d
SHA3-384 hash: 497c904e8d3af68fe693a3f14b1cb2a9204bc3ad00db56f44d8721b92e95ccd8d863e114c584caaf029e43ba78da109e
SHA1 hash: aaf1474789a5eff944174d880da31087dfdaf505
MD5 hash: c0575e5c98308e1234b085d41249f8e1
humanhash: hawaii-table-mockingbird-earth
File name: C0575E5C98308E1234B085D41249F8E1.exe
Signature: RecordBreaker
File size: 1'671'998 bytes
First seen: 2024-01-18 21:30:09 UTC
Last seen: 2024-01-18 23:38:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/YqcKic6QL3E2vVsjECUAQT45deRV9Ra:sBuZrEUNcKIy029s4C1eH9Q
Threatray: 434 similar samples on MalwareBazaar
TLSH: T15E75BF3FF268A13EC56A1B3245B38320997BBA51B81A8C1E47FC344DCF765601E3B656
TrID:
  39.3% (.EXE) Inno Setup installer (107240/4/30)
  21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  15.7% (.EXE) InstallShield setup (43053/19/16)
  15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://94.228.169.161/

Intelligence


File Origin
# of uploads: 2
# of downloads: 371
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin overlay packed setupapi shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 50 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Yara detected Generic Downloader
Behaviour
Behavior Graph (ID: 1377067; Sample: sq5W8v3VZV.exe; Start date: 18/01/2024; Architecture: WINDOWS; Score: 50)

Domains and IPs attached to the start node: antsmemory.xyz; kapetownlink.com; 17 other IPs or domains
Signatures attached to the start node: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 5 other signatures
Signature attached to antsmemory.xyz: Performs DNS queries to domains with low reputation

Process tree (dropped files, network contacts and signatures are listed under the process they belong to):

sq5W8v3VZV.exe
  dropped: C:\Users\user\AppData\...\sq5W8v3VZV.tmp, PE32
  started: sq5W8v3VZV.tmp
    network: antsmemory.xyz 172.67.210.35, 49730, 80 CLOUDFLARENETUS United States
    network: theoryconnection.website 104.21.15.227, 49729, 80 CLOUDFLARENETUS United States
    dropped: C:\Windows\unins000.exe (copy), PE32
    dropped: C:\Windows\is-9232K.tmp, PE32
    dropped: C:\Users\user\AppData\...\setup.exe (copy), PE32
    dropped: 3 other files (2 malicious)
    started: setup.exe
      network: cemeterypaper.website 104.21.21.253, 49731, 80 CLOUDFLARENETUS United States
      network: kapetownlink.com 159.223.29.40, 49734, 80 CELANESE-US United States
      network: 3 other IPs or domains
      dropped: C:\winrar-x64-623.exe, PE32+
      dropped: 7 other malicious files
      started: setup_3.exe
        network: d2kjg47inuhtr5.cloudfront.net 18.65.229.93, 443, 49748, 49749 MIT-GATEWAYSUS United States
        dropped: C:\Users\user\AppData\...\wpfgfx_cor3.dll, PE32
        dropped: C:\Users\user\...\vcruntime140_cor3.dll, PE32
        dropped: C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32
        dropped: 283 other malicious files
        started: MaintenanceHelper.exe
      started: setup_1.exe
        dropped: C:\Users\user\AppData\Roaming\...\decoder.dll, PE32
        dropped: C:\Users\user\AppData\...\Windows Updater.exe, PE32
        dropped: C:\Users\user\AppData\Local\...\MSI8AC6.tmp, PE32
        dropped: 3 other files (2 malicious)
        started: msiexec.exe
msiexec.exe
  dropped: C:\Windows\Installer\MSIFBED.tmp, PE32
  dropped: C:\Windows\Installer\MSIFBAD.tmp, PE32
  dropped: C:\Windows\Installer\MSIFB4F.tmp, PE32
  dropped: 109 other malicious files
  started: msiexec.exe
    signature: Query firmware table information (likely to detect VMs)
    dropped: 4 other files (none is malicious)
    started: taskkill.exe (3 instances, each starting conhost.exe)
  started: msiexec.exe
    dropped: 4 other files (none is malicious)
    started: taskkill.exe (starting conhost.exe)
  started: msiexec.exe
    network: pstbbk.com 157.230.96.32, 49740, 80 DIGITALOCEAN-ASNUS United States
    network: collect.installeranalytics.com 54.158.107.210, 443, 49741, 49743 AMAZON-AESUS United States
    dropped: 2 other files (none is malicious)
    started: taskkill.exe (starting conhost.exe)
  started: 4 other processes
    dropped: 6 other files (none is malicious)
Windows Updater.exe
  network: allroadslimit.com 104.21.74.109, 443, 49742 CLOUDFLARENETUS United States
  dropped: C:\Windows\Temp\...\Windows Updater.exe, PE32
  started: Windows Updater.exe
    network: dl.likeasurfer.com 172.67.150.192, 443, 49745, 49746 CLOUDFLARENETUS United States
    dropped: 4 other malicious files
    started: v113.exe
      dropped: C:\Windows\Temp\MSID53D.tmp, PE32
      dropped: C:\Windows\Temp\MSID4BF.tmp, PE32
      dropped: C:\Windows\Temp\INAD3B3.tmp, PE32
      dropped: 4 other files (3 malicious)
      started: msiexec.exe
    started: v114.exe
      dropped: C:\Windows\Temp\MSI22E0.tmp, PE32
      dropped: C:\Windows\Temp\MSI2187.tmp, PE32
      dropped: 5 other files (4 malicious)
      started: msiexec.exe
11 other processes
  started: conhost.exe (2 instances); 3 other processes
Threat name: Win32.Trojan.Offloader
Status: Malicious
First seen: 2024-01-13 05:07:00 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 9 of 38 (23.68%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: e042cad4a6bcc16dbff0aced337f250509fe5547b73a85f2872abed13610920a
MD5 hash: 9f262ad13e765f5965bec106ccbad629
SHA1 hash: 786f9ede24ae3311acdc0dfbd6b93541a6eba897
SHA256 hash: 3c68021a0cfd53b56a90a6e956750b4554d25c184d2e12239a8c47b4363cd50d
MD5 hash: c0575e5c98308e1234b085d41249f8e1
SHA1 hash: aaf1474789a5eff944174d880da31087dfdaf505
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments