MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 2 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
SHA3-384 hash: c8cb83e80292b193e744fd1a0e74e2f69da0d22addf548ddd8eb7cf92ce31eae1312c97b56840f4250a68811a428a213
SHA1 hash: bf202d7bf1b73cb6a022b67557a5b83168059b8d
MD5 hash: 07d6b4373f270ffefd756cf6ae19a486
humanhash: quebec-princess-finch-beryllium
File name:07d6b4373f270ffefd756cf6ae19a486.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:794'624 bytes
First seen:2022-10-06 06:36:02 UTC
Last seen:2022-10-06 08:19:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5c1415758fc323cb8763399ecfc275b (8 x AgentTesla, 1 x RecordBreaker)
ssdeep 6144:yBZFk0sdr9W7bSwMJlj9Ntm6Q2mCC//////////////////////////////////g:yBQ0sF9WPMJhfkjOy8n9a8n99
Threatray 17'492 similar samples on MalwareBazaar
TLSH T168F45B26BFE48221D4F90BF014B92DD9E622FA712A02550F32CCBB4E173B6615E5653F
TrID 49.3% (.OCX) Windows ActiveX control (116521/4/18)
34.7% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
5.5% (.SCR) Windows screen saver (13101/52/3)
2.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://193.106.191.150/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.106.191.150/ https://threatfox.abuse.ch/ioc/871831/
http://maripos.ac.ug/index.php https://threatfox.abuse.ch/ioc/871832/

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317126/
Detection(s):
SecuriteInfo.com.Variant.Barys.319254.8555.18792.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug evasive greyware hacktool obfuscated
Link:
https://www.filescan.io/uploads/633e7771c9e2f3435432e68e/reports/8e865f07-ff93-4787-b3e9-3cfdc3b9c098/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AZORult
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c209b851-1c61-46a0-b89f-6c143da899fd
Result
Threat name:
Azorult, Clipboard Hijacker, Raccoon Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084676
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 717234 Sample: HV3VQbBT1R.exe Startdate: 06/10/2022 Architecture: WINDOWS Score: 100 33 tuekisaa.ac.ug 2->33 35 parthaha.ac.ug 2->35 37 4 other IPs or domains 2->37 49 Snort IDS alert for network traffic 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 8 HV3VQbBT1R.exe 13 2->8         started        signatures3 process4 signatures5 57 Maps a DLL or memory area into another process 8->57 59 Contains functionality to detect sleep reduction / modifications 8->59 11 HV3VQbBT1R.exe 29 8->11         started        process6 dnsIp7 39 193.106.191.150, 49700, 80 BOSPOR-ASRU Russian Federation 11->39 41 maripos.ac.ug 193.106.191.169, 49701, 49702, 80 BOSPOR-ASRU Russian Federation 11->41 43 2 other IPs or domains 11->43 25 C:\Users\user\AppData\Roaming\hWd1610w.exe, PE32 11->25 dropped 27 C:\Users\user\AppData\Roaming\SQWF4N25.exe, PE32+ 11->27 dropped 29 C:\Users\user\AppData\Roaming\QlpKkGcU.exe, PE32 11->29 dropped 31 8 other files (6 malicious) 11->31 dropped 61 Tries to harvest and steal browser information (history, passwords, etc) 11->61 63 Tries to steal Crypto Currency Wallets 11->63 16 QlpKkGcU.exe 11->16         started        19 hWd1610w.exe 11->19         started        21 SQWF4N25.exe 11->21         started        23 30VKMx0a.exe 4 11->23         started        file8 signatures9 process10 signatures11 45 Multi AV Scanner detection for dropped file 16->45 47 Machine Learning detection for dropped file 16->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2022-10-06 01:05:20 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
16 of 40 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgp2p7ahwg4cmxvjg3hgifzt7twah2yp5dgeqixfu5jlmyu6efxa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
raccoon
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
25c62b72f0555d7ebf9397ec0c8d124942be1b4cedd6848c0c0a8f4a63dc7741
RecordBreaker
3852b464e5ee957cb10980de453b0813036c06c0fb6157ba236b895870d67e82
RecordBreaker
3e85b31ff1780031f94570fc9801b6a886564a4caa2acc360d2c65f29b22dbb5
RecordBreaker
81f87505081c9fae48db9fc5098b1799c95b92ce2f0094fc69885a176651775b
RecordBreaker
8520356646a9f8421e70e5c49a30630e9fc7db344adbd8f9e66ff9746273ce73
RecordBreaker
8a63134b33062c4634272b96c12d130f3abe74270f958ac03049eaae8bb66de4
RecordBreaker
a6823279ea0c05efb99c8387952c75c1a976b96d0474a1459f700ca61250ab88
RecordBreaker
abf32362b9d9351332107be717d6673ff298e6f66e536838f59dc0ca0e22942a
RecordBreaker
ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77
RecordBreaker
+ 17'482 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:raccoon family:remcos botnet:0ec468673cadb705e7aab6a7b0bb3906 botnet:10052022 discovery infostealer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221006-hcxscsgec9/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Azorult
Raccoon
Remcos
Malware Config
C2 Extraction:
http://193.106.191.150/
http://195.245.112.115/index.php
nikahuve.ac.ug:6969
kalskala.ac.ug:6969
tuekisaa.ac.ug:6969
parthaha.ac.ug:6969
37.0.14.204:6969
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/24c8168f-a20b-42eb-b231-4dcdb03e2823
Unpacked files
SH256 hash:
5992c86fb8f0267770a4277cc1650bb6c00fb665005902748588837ec7ab52f4
MD5 hash:
cda94c636b518e0d2ff61db8e5861693
SHA1 hash:
110031f4854e65f35a4fabc8f88dc5f550210eb9
Detections:
raccoonstealer
Create hunting rule
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/c8afce73-04c2-4a45-8893-1941347a3880/
SH256 hash:
fa7f33c8eae426bb89e63941a9ac1c4ce92377b4bb87138b3306f0c127c4ac5e
MD5 hash:
220ba70232863cb899505b84270505bb
SHA1 hash:
9b2633ca624c765212e7a4bfbbbd9c52f7209969
Detections:
win_recordbreaker_auto
Create hunting rule
Link:
https://www.unpac.me/results/c8afce73-04c2-4a45-8893-1941347a3880/
SH256 hash:
599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
MD5 hash:
07d6b4373f270ffefd756cf6ae19a486
SHA1 hash:
bf202d7bf1b73cb6a022b67557a5b83168059b8d
Link:
https://www.unpac.me/results/c8afce73-04c2-4a45-8893-1941347a3880/
Malware family:
RecordBreaker
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/599fa7fc07b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:recordbreaker_win_generic
Create hunting rule
Author:_kphi
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1514315/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2271066/
  
URLhaus
https://urlhaus.abuse.ch/url/2202207/
  
URLhaus
https://urlhaus.abuse.ch/url/2254175/
  
URLhaus
https://urlhaus.abuse.ch/url/1514297/
  
URLhaus
https://urlhaus.abuse.ch/url/2264641/
  
URLhaus
https://urlhaus.abuse.ch/url/2257580/
  
URLhaus
https://urlhaus.abuse.ch/url/1746809/
  
URLhaus
https://urlhaus.abuse.ch/url/1746813/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/437013/
Cape
Cape
https://www.capesandbox.com/analysis/317126/

Comments