MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2
SHA3-384 hash: d7a31b6ae42c7834ea46de01274215ed63b63bb3e8a9bb460e36415ca348becfb27359460a558a95fe25082a054ee6f2
SHA1 hash: b213226ad9ca5660735a5df6d6f73e814d1defeb
MD5 hash: fcbeec6987d0ea994400e26f1a4b9f66
humanhash: comet-cold-foxtrot-hydrogen
File name:3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:6'279'171 bytes
First seen:2022-08-08 11:00:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JpofzBe9eXnbvfQwHs2iS7pG/hg6P9+UNRfFetJ20XukyqU+oxY1yBU6dxsp9:JpCzBxXbvfy21V2P8UNpY79yqAxF66be
TLSH T114563332DBA9F0B1D2EC8D35257499275C6252F1040DC8FF68C417B7B6BBD92AC01AB6
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://89.185.85.53/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://89.185.85.53/ https://threatfox.abuse.ch/ioc/841794/

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe
Verdict:
No threats detected
Analysis date:
2022-08-08 11:02:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/769a7d1b-dbcf-42af-ac40-aaa370069ef4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/297127/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28366/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
60%
Tags:
arkeistealer barys overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62f0ecf6a3c97e3a896d699f/reports/5856d228-96c0-4b0f-be24-3bee520eebc7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43a8da45-cabd-49c4-9b5f-9b172f50fb80
Result
Threat name:
MedusaHTTP, Nymaim, RedLine, Socelars, o
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1047863
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected MedusaHTTP
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 680354 Sample: 3F95733711B8F39FF7BC3458FF4... Startdate: 08/08/2022 Architecture: WINDOWS Score: 100 98 buy-fantasy-football.com.sg 2->98 126 Snort IDS alert for network traffic 2->126 128 Malicious sample detected (through community Yara rule) 2->128 130 Antivirus detection for URL or domain 2->130 132 22 other signatures 2->132 11 3F95733711B8F39FF7BC3458FF49EF57CD4411F3A813D.exe 10 2->11         started        14 WmiPrvSE.exe 2->14         started        signatures3 process4 file5 82 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->82 dropped 16 setup_installer.exe 23 11->16         started        process6 file7 58 C:\Users\user\AppData\...\setup_install.exe, PE32 16->58 dropped 60 C:\Users\user\...\Wed18e6324bbde126d.exe, PE32 16->60 dropped 62 C:\Users\user\...\Wed18d947df9c44e3.exe, PE32 16->62 dropped 64 18 other files (13 malicious) 16->64 dropped 19 setup_install.exe 1 16->19         started        process8 dnsIp9 100 127.0.0.1 unknown unknown 19->100 102 marianu.xyz 19->102 134 Performs DNS queries to domains with low reputation 19->134 136 Adds a directory exclusion to Windows Defender 19->136 138 Disables Windows Defender (via service or powershell) 19->138 23 cmd.exe 1 19->23         started        25 cmd.exe 19->25         started        27 cmd.exe 19->27         started        29 16 other processes 19->29 signatures10 process11 signatures12 32 Wed188c3010d35.exe 23->32         started        37 Wed180cd523402090.exe 25->37         started        39 Wed18d947df9c44e3.exe 27->39         started        140 Adds a directory exclusion to Windows Defender 29->140 142 Disables Windows Defender (via service or powershell) 29->142 41 Wed18b39e5016b09c0.exe 29->41         started        43 Wed18bc651a8ec.exe 29->43         started        45 Wed186a2b91bd4e9.exe 29->45         started        47 11 other processes 29->47 process13 dnsIp14 84 212.193.30.115, 49752, 49774, 49789 SPD-NETTR Russian Federation 32->84 88 11 other IPs or domains 32->88 66 C:\Users\user\AppData\...\newfile[1].exe, PE32 32->66 dropped 68 C:\Users\user\AppData\...\Service[1].exe, PE32 32->68 dropped 70 d6cc75213b4f19cbc07bb687f4b12dcc[1].exe, PE32 32->70 dropped 74 12 other files (1 malicious) 32->74 dropped 104 Antivirus detection for dropped file 32->104 106 May check the online IP address of the machine 32->106 108 Found stalling execution ending in API Sleep call 32->108 110 Disable Windows Defender real time protection (registry) 32->110 90 7 other IPs or domains 37->90 112 Multi AV Scanner detection for dropped file 37->112 114 Detected unpacking (changes PE section rights) 37->114 116 Machine Learning detection for dropped file 37->116 118 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->118 120 Checks if the current machine is a virtual machine (disk enumeration) 39->120 49 explorer.exe 39->49 injected 92 2 other IPs or domains 41->92 122 Tries to harvest and steal browser information (history, passwords, etc) 41->122 94 5 other IPs or domains 43->94 86 www.listincode.com 103.224.212.220, 443, 49773 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 45->86 96 2 other IPs or domains 47->96 72 C:\Users\user\AppData\...\Wed18b44c8630.tmp, PE32 47->72 dropped 124 Obfuscated command line found 47->124 51 Wed18b44c8630.tmp 47->51         started        54 mshta.exe 47->54         started        56 mshta.exe 47->56         started        file15 signatures16 process17 file18 76 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 51->76 dropped 78 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 51->78 dropped 80 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 51->80 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2/
Threat name:
Win32.Spyware.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 13:11:49 UTC
File Type:
PE (Exe)
Extracted files:
107
AV detection:
22 of 26 (84.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6kxgnyrxdzz7554grmp6sppk7guieptvaj5msdfjz3mdlt6r2ra._file
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:privateloader family:raccoon family:redline family:socelars botnet:839b5f035af17fe32dbee0ca113be5fc botnet:media26 botnet:sert23 aspackv2 discovery evasion infostealer loader main spyware stealer trojan
Link:
https://tria.ge/reports/220808-m4jf9scab8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger payload
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
135.181.129.119:4805
91.121.67.60:23325
http://89.185.85.53/
Unpacked files
SH256 hash:
ce7e030f2bb5f0f236c130f48b2c98db580b26c86aac00b0d568b39c5e0fd3a8
MD5 hash:
47e29ee3fb7e8d10c2703e1992c55330
SHA1 hash:
9ffa449c95eee01a4cc96010f6f7992e3f3f572b
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
ea788a6785b36f87f7214922e32445990af0aa7ad14152f849353b52096a52b5
MD5 hash:
fbab7f0afd2d15481e1efbda54aa5ead
SHA1 hash:
18bdb59577d400786a27090d1e8b52a2fffd6f3b
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
a3983548efea55c9e699a0935d37c8c58075089dd73e60c37924e5e08eb9ac43
MD5 hash:
744c7516101138f81aa85a46f2884d47
SHA1 hash:
f89189b13714ca06215f757e883e377bd551d5fe
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
5ab86c4f17831e32d8198d67d9329a2e72530e8f5314559eedac7f7678ee481f
MD5 hash:
11a2cc4009f87246bb78c63bc5acbc86
SHA1 hash:
d505d71a8f4698d4be9741f2db0e86bc3420e263
Detections:
win_privateloader_a0
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash:
a758705ffd480485776c573bbe7091ca
SHA1 hash:
ae62bd009da6c2bf8e91f06a9a01890f74828d07
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
edbfa4ebed42d4c1571200d2e5fd416dfbd0d4dfaa77e7bef4446e3f3f9b5eef
MD5 hash:
12c42e079f7c2d547b47274466fed83c
SHA1 hash:
a4645bf26d8b089849dc366394ce07ff60197e6c
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
0432fc17dd38092a4abe0acdca899d7bcc732ec52a892f9fe6019ebe15ce8cfa
MD5 hash:
4e7f46d9d3d57f808e6eb01031e17f02
SHA1 hash:
9f8ed79fa90fabb8e1b6d66c51009bbe3b22a76f
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
f36f70c0030014f3667eb6a033531d71c01d10512dccbb3c4920ee21c99fdcd3
MD5 hash:
678d7df5ccc1c931040375dc910805da
SHA1 hash:
747afd95e1abfca4e6a68e7bf0cbd2dbcc69f914
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
d9b724320104e3ff399e73c2d4f7573d77f915455263a079e5dd48040b924ab5
MD5 hash:
a11223c26b660226e725136e325b149f
SHA1 hash:
6d5b9a4c8eba7fb4e10427d175157d2e4f59e724
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
931699f6358ef0439eefb7419833014fe2b638c6ab9cac464f2d9cf90c89028b
MD5 hash:
fad75f4af9510a296a1b64caec996f48
SHA1 hash:
32d73193cd0e34a54174632fc68cbfff6a6d6c1f
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
bfe32d661ec7c066636e746e5d7feb0c43eb2bd2948cd0afc6137e9b92b64101
MD5 hash:
c77c7dfff654d4c1ae3a259b4f3af4aa
SHA1 hash:
2a7f3adb653e4cee3542042ec532c910bc42b8b1
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
e8727c5e9114f3234d77075effca68c32072c6cb18377762da8c7c5c4bc7b650
MD5 hash:
769483334615f2ad86cbc8d4490fe1bf
SHA1 hash:
24153cc67f9ee102e63caa1877cc9ef3075b5363
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
415355aba3b3f4a5149f983a45698c2a94a223360a3d5659e90fb8861a8f72b1
MD5 hash:
1f38e3cc77b4b92b02a80d59e270ef02
SHA1 hash:
1dd620ee23dc336abb16399d6615d321a96987c9
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
2e6f3c76b847edfb452e86f14c5a7cf4287e36f47bd23eb5ef0e49c822880680
MD5 hash:
9e8e67729d0a6b99ffd978ffb66f73e6
SHA1 hash:
0c29252a211ef0fb985b11b325385f3d894d5a51
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
1de5648c1ec1bac5324922ab25fb6d005f6ca59ac6e4b17d9406562d58498b86
MD5 hash:
4a6b03be70eedbb12bda7af73a68c651
SHA1 hash:
4df9556c3275c05681dd3ad1a95c5ce3d8d3ac24
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
4887918b59cd66475a12a9c512ec570e6f900c23ef69ff7513e2b5cd63fd2ef2
MD5 hash:
4d3446a7e14d3250e1030b67e202c8dd
SHA1 hash:
cd8fdfdfed34fcd05700293658bfcf8528e68802
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
Parent samples :
fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a
3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2
c3133fa0480d9bf0beff04059da58bbeae895196edba830ed00cae3c20391d10
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
7ad9edd79f03fb782d1a8490f9b56ea25f8e9cd33f10ca5017f8ff5aac6b5eda
MD5 hash:
1ee5fb8981ebc7fb9ddacb9d8607d35c
SHA1 hash:
eefc86ed0839384d351d7229fea251714a5cae1e
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
b36a685d2f5dbbf8f16468ebb2b4678730df2d0167fc6d59b80b6cd95df9b73b
MD5 hash:
5bc89e29e0057fc710b8324b27e5c85f
SHA1 hash:
359a475e05b81960ee49f96958fc9623aaf4c846
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
c1c6462d37282503d1c4e73466595fbd0bb6a2bf723e7268bc422eb60fd345ad
MD5 hash:
44d3549b0ab99f26e43f51fe59875f2a
SHA1 hash:
e922c0b7499b41b43843c73a5ce1ca7a2996943d
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
e5524e8fe5af000fded2119ea33b787173f2aec329aa0620f844253250bc0b4d
MD5 hash:
1bb74af0aef778f453140ce3f319cb8f
SHA1 hash:
39c641b7ce9dc118484af56e00b573fc2c7ec978
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
4d9f9dc44f2536f7595a1969dc9bbfc3891164710a94d3b08d10377c4d347d00
MD5 hash:
25c4ef4fdfab35e43004267a080ca2dd
SHA1 hash:
90c1fc0d30dcb8f2cc5e188f22df6cd4796ffa9a
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
76612f4babba3ae995f83bc9c9535f628f474844f4dec9356db7bdd400e65899
MD5 hash:
e203f9c090d42b05c27fa5a19603f6ea
SHA1 hash:
4dd71946c7eaf031f964dadf498964619fca7103
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
SH256 hash:
3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2
MD5 hash:
fcbeec6987d0ea994400e26f1a4b9f66
SHA1 hash:
b213226ad9ca5660735a5df6d6f73e814d1defeb
Link:
https://www.unpac.me/results/31567f21-e02a-4985-9898-71bf9fa76e9d/
Malware family:
RedLine.C
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f95733711b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/297127/

Comments