MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 435f78485834e4137984372900acb85e4b1ccc277cfd45fbc87476364f546fbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 9

SHA256 hash: 435f78485834e4137984372900acb85e4b1ccc277cfd45fbc87476364f546fbb
SHA3-384 hash: dfb096b942eaf0109ffe20ed8be68a181a85023eedf7df60f1f440f73a27510c354f2f96c60b5f669ccbc78310f32bc8
SHA1 hash: 0aea47676b308e79f2ac4cfb3ad816fae07e8609
MD5 hash: ba66326c85986d43651d5ace913845f6
humanhash: quiet-oven-march-diet
File name: 435f78485834e4137984372900acb85e4b1ccc277cfd4.dll
Signature: RecordBreaker
File size: 1'284'048 bytes
First seen: 2023-01-18 08:20:22 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep: 24576:yXU/ArGhDwwT0/3jktbSPJNqS8UbPC1ISffs97yF0UsXtcz9il3Ar:yXU4rIK3SbSPMUbPC/fG7O0UsXQ
Threatray: 6 similar samples on MalwareBazaar
TLSH: T1CF552383E7DC0D90D102DD70E97AA01762FA35779D6E425F30FAA909BEAB1C0670B947
TrID:
  30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: d8a6d8d8d2e48e8c (1 x RecordBreaker)
Reporter: abuse_ch
Tags: dll recordbreaker signed

Code Signing Certificate

Organisation: www.behold.com
Issuer: www.behold.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-17T17:49:15Z
Valid to: 2024-01-17T18:09:15Z
Serial number: 6666ec0ed998579647f0ebdc06ad13d3
Thumbprint Algorithm: SHA256
Thumbprint: 77a0fc27c7742d7898fc5d029b37d0d65e46032514c2c26e1be77f60f19073af
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
RecordBreaker C2:
http://5.78.66.126/

Intelligence

File Origin
# of uploads: 1
# of downloads: 222
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed virut

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon Stealer v2, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
[Behavior graph rendering not recoverable from the page. Behavior Graph ID: 786429, Sample: 435f78485834e4137984372900a..., Startdate: 18/01/2023, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2023-01-17 23:39:35 UTC
File Type: PE (Dll)
Extracted files: 28
AV detection: 17 of 26 (65.38%)
Threat level: 5/5

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Raccoon

Unpacked files
SHA256 hash: 435f78485834e4137984372900acb85e4b1ccc277cfd45fbc87476364f546fbb
MD5 hash: ba66326c85986d43651d5ace913845f6
SHA1 hash: 0aea47676b308e79f2ac4cfb3ad816fae07e8609
Malware family: RecordBreaker
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments