MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474
SHA3-384 hash: 8788fcbcbff29cf3998cd41af2dd3d7cf43b4a098c5181d8f6ede0bff6ce85e9b720eb1b4ee2a0f80bd5855e7c8bc862
SHA1 hash: 6f35da72f339c7101e93a7adada27d24902db598
MD5 hash: d946c183fd128b4acf88d83ee89d79d3
humanhash: twenty-music-colorado-london
File name:d946c183fd128b4acf88d83ee89d79d3.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:790'528 bytes
First seen:2022-06-19 20:45:58 UTC
Last seen:2022-06-19 21:32:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6715d450ebf6ee95bf798a46601f6874 (2 x RecordBreaker, 1 x AZORult, 1 x Formbook)
ssdeep 12288:B9uox8a9XqSYVr9N4VT0sFHOox8a9XqSYVr9N4VT9y2kLrGrEPHnHr0sFCFlXz2t:B9ws50MT0yQs50MT979oPnr01sFo2P
Threatray 12'922 similar samples on MalwareBazaar
TLSH T1DAF401246EBA4672F1564A706BE192D853BD2D73B741E81FFB4C2E1C57B2A040648FB3
TrID 63.5% (.EXE) Win32 Executable MS Visual C++ 5.0 (60687/85)
11.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://phila.ac.ug/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://phila.ac.ug/index.php https://threatfox.abuse.ch/ioc/716384/

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281362/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.62395.28575.14061.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm emotet greyware hacktool obfuscated packed sinowal wacatac
Link:
https://www.filescan.io/uploads/62af8b4939ffd552ad0a7f84/reports/79363827-ba97-4625-a18e-8a75c4992b78/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4ca74a1-d7c8-4ebc-8d9c-27929da6426a
Result
Threat name:
Record Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1015993
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Record Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 648489 Sample: cVc3iBKzhY.exe Startdate: 19/06/2022 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for URL or domain 2->67 69 8 other signatures 2->69 9 cVc3iBKzhY.exe 15 2->9         started        process3 file4 39 C:\Users\user\AppData\Roaming\fcvtee.exe, PE32 9->39 dropped 79 Maps a DLL or memory area into another process 9->79 13 cVc3iBKzhY.exe 30 9->13         started        18 fcvtee.exe 4 9->18         started        signatures5 process6 dnsIp7 53 140.82.52.55, 49768, 80 AS-CHOOPAUS United States 13->53 55 wiwirdo.ac.ug 13->55 57 136.244.65.99, 80 AS-CHOOPAUS United States 13->57 41 C:\Users\user\AppData\Local\...\zin2a8o2.exe, PE32 13->41 dropped 43 C:\Users\user\AppData\Local\...\lNjSK8J9.exe, PE32 13->43 dropped 45 C:\Users\user\AppData\Local\...\g654KbWg.exe, PE32+ 13->45 dropped 47 8 other files (1 malicious) 13->47 dropped 81 Tries to harvest and steal browser information (history, passwords, etc) 13->81 83 Tries to steal Crypto Currency Wallets 13->83 20 g654KbWg.exe 13->20         started        23 zin2a8o2.exe 13->23         started        25 lNjSK8J9.exe 13->25         started        27 5A2m1pX6.exe 13->27         started        85 Antivirus detection for dropped file 18->85 87 Detected unpacking (creates a PE file in dynamic memory) 18->87 89 Machine Learning detection for dropped file 18->89 91 Maps a DLL or memory area into another process 18->91 29 fcvtee.exe 3 75 18->29         started        file8 signatures9 process10 dnsIp11 71 Antivirus detection for dropped file 20->71 73 Machine Learning detection for dropped file 20->73 59 werido.ug 45.143.201.4, 49754, 49762, 49766 PATENT-MEDIA-ASRU Russian Federation 29->59 61 wiwirdo.ac.ug 29->61 49 C:\Users\user\AppData\Local\...\azne[1].exe, PE32 29->49 dropped 51 C:\Users\user\AppData\Local\...\pm[1].exe, PE32+ 29->51 dropped 75 Tries to harvest and steal browser information (history, passwords, etc) 29->75 77 Tries to steal Crypto Currency Wallets 29->77 33 cmd.exe 1 29->33         started        file12 signatures13 process14 process15 35 conhost.exe 33->35         started        37 timeout.exe 1 33->37         started       
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-06-19 19:24:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkkyns55qwdnp4z2h2u33vixw7vnmf5u4eqwkedoqhsl7lmfsr2a._file
Verdict:
malicious
Similar samples:
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0
RecordBreaker
39f1a98ab29664ef492b052c44f6ea76148d75baaf55b7b037cc0575eb8b25d4
RecordBreaker
a1098873c94184cf24edd24c3883f4be52224575da34f0469ad4a525c852ef28
RecordBreaker
ad8707472a147dc440da2adbc80dbcd6269ae0d345b8a85081e390fa8d842947
RecordBreaker
b0b3cf6d05e09c3e051e0a0b653f194c3cafdde345bfd85e6364b3e26a7b6f00
RecordBreaker
b7cea1f983cf8ed41120e2d4a17b7fe2ec6693d2d990172568cdbbd6b9fbd319
RecordBreaker
+ 12'912 additional samples on MalwareBazaar
Result
Malware family:
recordbreaker
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:recordbreaker botnet:default discovery spyware stealer suricata
Link:
https://tria.ge/reports/220619-zkafgaedc6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei
RecordBreaker
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Malware Config
C2 Extraction:
http://136.244.65.99/
http://140.82.52.55/
Unpacked files
SH256 hash:
0feb93b1d4eeff97274453653747486f7ea2bed3260e23e89fd076f571cb2d63
MD5 hash:
b8bc95181543d334a9efec22aeac1d5f
SHA1 hash:
96f224c94fa4cfe160640fbfe7bb3d5c7badc139
Link:
https://www.unpac.me/results/a6df3dc1-634c-4f28-ad26-6b5111650ecd/
SH256 hash:
3312bdc329fc843e18e4a76b7f3a2d7e6aeee19eddfce1349b33dae412f53eda
MD5 hash:
9a43c5f133bd369b71a50d5d5de0a390
SHA1 hash:
e514d1b7b733e1282d72c141afa4d1bacf494d6f
Link:
https://www.unpac.me/results/a6df3dc1-634c-4f28-ad26-6b5111650ecd/
SH256 hash:
c3a2792e43108f1af6f21b2f6a2c8892d0cfb3a0c2c4919ff712e2b55eb91db3
MD5 hash:
b99de2318ff04718cbeb64e71a41b7d4
SHA1 hash:
4d9d306aad1e6170db5bafe868fa6c2ca58694fc
Link:
https://www.unpac.me/results/a6df3dc1-634c-4f28-ad26-6b5111650ecd/
SH256 hash:
140868690c3f996c7b051bc57113db8b0e844e321a6f5003a16e66bb2ee2ebce
MD5 hash:
d2bac8dec1eb2951dd9c2180acb4deb7
SHA1 hash:
ffa95c81d0decb85191203d3687522f1efaaa42f
Link:
https://www.unpac.me/results/a6df3dc1-634c-4f28-ad26-6b5111650ecd/
SH256 hash:
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474
MD5 hash:
d946c183fd128b4acf88d83ee89d79d3
SHA1 hash:
6f35da72f339c7101e93a7adada27d24902db598
Link:
https://www.unpac.me/results/a6df3dc1-634c-4f28-ad26-6b5111650ecd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/529586cbbd85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Recordbreaker
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Recordbreaker is an information stealer capable of downloading and executing secondary payloads. It has been spreading through fake software cracks and keygens since May 2022.
Reference:https://twitter.com/_FirehaK/status/1534997159937982464
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1746809/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/281362/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
  
URLhaus
https://urlhaus.abuse.ch/url/2223026/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/2202207/
  
URLhaus
https://urlhaus.abuse.ch/url/1539388/

Comments