MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d59d088de40abcfd78f88d45009dbfdd14d9df76b718bc1c27241ec2807ef8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker
Vendor detections: 10

SHA256 hash: 4d59d088de40abcfd78f88d45009dbfdd14d9df76b718bc1c27241ec2807ef8d
SHA3-384 hash: 42c8666819831429145950c8ea445fba383fdf60975cd31ae1a25b918e4631a0f854633413d3657c9e23dc62cca33adc
SHA1 hash: abc81a9f13f2d1272ff43b7e706de66c22a812f8
MD5 hash: 34d5e3b2e5a29d4eab3a93b3bd27038e
humanhash: queen-lithium-oranges-friend
File name: 4d59d088de40abcfd78f88d45009dbfdd14d9df76b718.dll
Signature: RecordBreaker
File size: 1'747'920 bytes
First seen: 2023-01-17 16:50:32 UTC
Last seen: 2023-01-17 18:37:18 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep: 49152:cfDaW+OMrKvUZisFq4lqqJky9jEvBGjYM5m5:cfWWrM2vkisFq4lqqSy9jEv+m5
TLSH: T1B385D0550B8CB394B10B626D9DD38B1608727E19013BFA94DF7C2C77BE12B18127E99E
TrID: 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      25.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      11.6% (.ICL) Windows Icons Library (generic) (2059/9)
      11.5% (.EXE) OS/2 Executable (generic) (2029/13)
      11.3% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE): PE icon
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: dll recordbreaker signed

Code Signing Certificate

Organisation: www.phrase.com
Issuer: www.phrase.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-16T21:40:18Z
Valid to: 2024-01-16T22:00:18Z
Serial number: 38b78feefcdae3bc4302b09324f1a8b2
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 5b77e25b692dcdc1827a131d26f6447460002a569427a819f4b534a0000afef7
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
RecordBreaker C2:
http://5.78.53.188/

Intelligence

File Origin
# of uploads: 2
# of downloads: 249
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Raccoon Stealer v2, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Behaviour
Behavior Graph: (rendered graph not reproduced; the text recovered from it follows)
Behavior Graph ID: 786025
Sample: 4d59d088de40abcfd78f88d4500...
Startdate: 17/01/2023
Architecture: WINDOWS
Score: 100
Processes started: loaddll32.exe, kernel32.exe, cmd.exe, rundll32.exe, conhost.exe, InstallUtil.exe, 9Q6l03E2.exe, 36aL0wP9.exe, 0bRI2192.exe, 4ZiHjC3q.exe, KAVg3x7t.exe, g368QcFx.exe, 1heskjx9.exe, uzBssGQ6.exe, UOpB6qif.exe, kernel32.exe (from C:\Users\user\Baskov\), PING.EXE, chcp.com
Files dropped:
      C:\Users\user\AppData\Roaming\36aL0wP9.exe (PE32)
      C:\Users\user\AppData\Local\...\9Q6l03E2.exe (PE32+)
      C:\Users\user\AppData\Local\...\0bRI2192.exe (PE32)
      C:\Users\user\AppData\Roaming\KAVg3x7t.exe (PE32)
      C:\Users\user\AppData\Local\...\g368QcFx.exe (PE32)
      C:\Users\user\AppData\Local\...\4ZiHjC3q.exe (PE32+)
      C:\Users\user\AppData\LocalLow\nss3.dll (PE32)
      C:\Users\user\AppData\Roaming\uzBssGQ6.exe (PE32)
      C:\Users\user\AppData\Local\...\UOpB6qif.exe (PE32+)
      C:\Users\user\AppData\Local\...\1heskjx9.exe (PE32)
      C:\Users\user\Baskov\kernel32.exe (PE32)
      6 other files (4 malicious)
Network / DNS:
      eth0.me (DNS lookup)
      5.78.53.188, ports 49705, 49706, 49707 (PARSONLINETehran-IRANIR, Iran (ISLAMIC Republic Of))
      162.55.209.0 (ACPCA, United States)
      193.168.49.8 (BEGET-ASRU, Russian Federation)
      62.217.181.4 (AZERONLINEAZ, Russian Federation)
      127.0.0.1 (contacted by PING.EXE)
Per-process signatures shown on the graph nodes match the Signature list above.
Threat name: Win32.Spyware.RedLine
Status: Suspicious
First seen: 2023-01-17 15:28:19 UTC
File Type: PE (Dll)
Extracted files: 8
AV detection: 15 of 26 (57.69%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: raccoon
Score: 10/10
Tags: family:raccoon stealer
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Raccoon
Unpacked files
SHA256 hash: 4d59d088de40abcfd78f88d45009dbfdd14d9df76b718bc1c27241ec2807ef8d
MD5 hash: 34d5e3b2e5a29d4eab3a93b3bd27038e
SHA1 hash: abc81a9f13f2d1272ff43b7e706de66c22a812f8
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments