MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
SHA3-384 hash: 4f058b868293130d5be9cfac466b7f67a866488971fb4e9841284ba65fac8e04cbd05eb7c3c6fe3abc202ce27a4f4869
SHA1 hash: 820a4a14d0b44385487f485db63f958350b321f8
MD5 hash: e96b1e0d437234bd80e12828fb79766c
humanhash: pip-quiet-paris-idaho
File name:e96b1e0d437234bd80e12828fb79766c
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:417'184 bytes
First seen:2022-07-23 03:12:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 67 x LummaStealer, 61 x Rhadamanthys)
ssdeep 3072:ZvGyYiSDnt1W5+oFKoyRu3TN6jDkVPqT7reVUYvSUncmkwP7vJrCGEZDHs:74r+PTN6PksXxY6Ocl8J+TM
Threatray 7'949 similar samples on MalwareBazaar
TLSH T18F945BC137948467D8679A304FA3839A6B29FCC1BE70758B2360F35F0B79AC66D29315
TrID 83.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 41b8e0f6d4ee7cb0 (1 x RecordBreaker)
Reporter zbetcheckin
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293552/
Detection(s):
Win.Dropper.Detected-9956852-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27104/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll overlay packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62db6784ef2b0e63a833e42d/reports/5e61cf36-44b5-4fa8-80dc-ac99986fbd5d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc1510dc-9ddc-4651-bc4e-59d4a5c44cea
Result
Threat name:
Raccoon Stealer v2, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039579
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Raccoon Stealer v2
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672072 Sample: AxiFo8RILM Startdate: 23/07/2022 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Antivirus detection for URL or domain 2->82 84 10 other signatures 2->84 10 AxiFo8RILM.exe 1 3 2->10         started        13 awrsihj 2->13         started        16 rundll32.exe 2->16         started        process3 file4 56 C:\Users\user\AppData\Local\...\SETUP_~2.EXE, PE32 10->56 dropped 18 SETUP_~2.EXE 15 5 10->18         started        124 Antivirus detection for dropped file 13->124 126 Machine Learning detection for dropped file 13->126 128 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->128 130 3 other signatures 13->130 signatures5 process6 dnsIp7 70 cdn.discordapp.com 162.159.129.233, 443, 49767 CLOUDFLARENETUS United States 18->70 72 4hmn.short.gy 18.184.197.212, 443, 49765 AMAZON-02US United States 18->72 54 C:\Users\user\...\Rnuheifztvjaapenot.exe, PE32 18->54 dropped 94 Multi AV Scanner detection for dropped file 18->94 96 Machine Learning detection for dropped file 18->96 98 Encrypted powershell cmdline option found 18->98 100 Injects a PE file into a foreign processes 18->100 23 Rnuheifztvjaapenot.exe 18->23         started        26 SETUP_~2.EXE 25 18->26         started        30 powershell.exe 15 18->30         started        file8 signatures9 process10 dnsIp11 102 Antivirus detection for dropped file 23->102 104 Machine Learning detection for dropped file 23->104 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 23->106 112 3 other signatures 23->112 32 explorer.exe 4 23->32 injected 76 45.142.214.247, 49864, 80 ALEXHOSTMD Russian Federation 26->76 58 C:\Users\user\AppData\...\vcruntime140.dll, PE32 26->58 dropped 60 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 26->60 dropped 62 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 26->62 dropped 64 4 other files (none is malicious) 26->64 dropped 108 Tries to harvest and steal browser information (history, passwords, etc) 26->108 110 Tries to steal Crypto Currency Wallets 26->110 37 conhost.exe 30->37         started        file12 signatures13 process14 dnsIp15 68 ghahantellorb.com 94.140.114.84, 49874, 49917, 80 NANO-ASLV Latvia 32->68 50 C:\Users\user\AppData\Roaming\awrsihj, PE32 32->50 dropped 52 C:\Users\user\AppData\Local\Temp\7964.exe, PE32+ 32->52 dropped 86 Benign windows process drops PE files 32->86 88 Injects code into the Windows Explorer (explorer.exe) 32->88 90 Writes to foreign memory regions 32->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->92 39 explorer.exe 8 32->39         started        43 7964.exe 1 3 32->43         started        46 explorer.exe 32->46         started        file16 signatures17 process18 dnsIp19 74 ghahantellorb.com 39->74 114 System process connects to network (likely due to code injection or exploit) 39->114 116 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->116 118 Tries to steal Mail credentials (via file / registry access) 39->118 120 Tries to harvest and steal browser information (history, passwords, etc) 39->120 66 C:\Users\user\AppData\Local\...\Setup_ovl.exe, PE32+ 43->66 dropped 122 Multi AV Scanner detection for dropped file 43->122 48 Setup_ovl.exe 43->48         started        file20 signatures21 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 08:29:01 UTC
File Type:
PE+ (Exe)
Extracted files:
39
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2c3gh7rpaadd6kfod6jqanwvcdfmssmvivmynqnfrs7fgzc3o2q._file
Verdict:
malicious
Similar samples:
1894ee1e31d02ce95f3fb5bfaaeade0718232866702e70bd19a70a0a15a3343c
RecordBreaker
5c8aba016e4e7ead4912b35fdc8a05964a56cda420c7a0427810633d9fd448dc
RecordBreaker
68feb6c25b2ce057bdc2c97119f10b980a864b7c3306e785bbbff1ab8ca4197f
RecordBreaker
6df1711427805cf33f297bd481fb8fdf3f04e92d25553b15060161bf972b334a
RecordBreaker
78ef012bfc38086561885872a68ec92227efa9c233265e68cdd13960a1a46e1d
RecordBreaker
900081ec8ae916aa0823f579ed08ec02b5d9677c23932287db2be8117ebd238a
RecordBreaker
b206c2d164d66dcd9fad4cffdcb28d73eb64d2f663f1de6fb90cc10b47665c41
RecordBreaker
bcca18fef46e71ff82ff342dbd50f09b9ea768edc5e328fbf85241fcf615507d
RecordBreaker
dd9194cf20f72e8f2f0b2fd08c9a4175e222b18de4738b43aa9274f5111cb01b
RecordBreaker
+ 7'939 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220723-dqq5hsbfd9/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
MD5 hash:
e96b1e0d437234bd80e12828fb79766c
SHA1 hash:
820a4a14d0b44385487f485db63f958350b321f8
Link:
https://www.unpac.me/results/2b65f64a-27f4-472a-9fb6-3d9e67c5780c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e85b31ff178/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_KB_CERT_01803bc7537a1818c4ab135469963c10
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/293552/
  
URLhaus
https://urlhaus.abuse.ch/url/2260318/

Comments


Avatar
zbet commented on 2022-07-23 03:13:02 UTC

url : hxxp://45.142.214.247:8000/cryptor.exe