MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61297c33ef1218ba0c2f1a01f0739c862c43e520163dc3c1d5a4e1d574c94f6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61297c33ef1218ba0c2f1a01f0739c862c43e520163dc3c1d5a4e1d574c94f6f
SHA3-384 hash: cc485c0394987ac651b678543d37d18b24206eed8e1ad3a4b39f9307a45d9283580997b449b90a0673307c5d922ab6a2
SHA1 hash: 9db30e9cd660b8478e0152f4cae4a402cb1191f8
MD5 hash: f35437764a84eb1008f884c9a975abf3
humanhash: hamper-october-march-table
File name:61297c33ef1218ba0c2f1a01f0739c862c43e520163dc.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'754'544 bytes
First seen:2022-10-07 21:20:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 24576:mk70TrcxWql4GRxFQzu74aXcm6bKvaKeozruZD2+OeL7xH7PpiFNzU2J:mkQTAxWDGRr//tuZDfHhYNo2J
Threatray 3'728 similar samples on MalwareBazaar
TLSH T109854DA1750AB6CFD49F26B8952BCE47696C0BB943214843EC9DF4BE7D93CC13646C28
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter abuse_ch
Tags:exe recordbreaker signed

Code Signing Certificate

Organisation:www.pleasing.com
Issuer:www.pleasing.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-04T12:35:43Z
Valid to:2023-10-04T12:55:43Z
Serial number: 4fb6c5e3bd1a84a4429f0cc67bfb4719
Thumbprint Algorithm:SHA256
Thumbprint: a7dfab12042e89f698623a6cc7bf9c459a3b4fe797842f6080380d83cff9dcc2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RecordBreaker C2:
http://5.2.70.65/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.2.70.65/ https://threatfox.abuse.ch/ioc/872024/

Intelligence

File Origin
# of uploads :
1
# of downloads :
379
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317759/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Forced shutdown of a system process
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6340983f49c58ce767c69182/reports/a93f5c79-af08-4e5d-977c-aafc5553cbd4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/416ee893-3154-44a8-9cd6-9617fbc001a0
Result
Threat name:
Allcome clipbanker, DarkTortilla, Raccoo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086061
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Allcome clipbanker
Yara detected Costura Assembly Loader
Yara detected DarkTortilla Crypter
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 718618 Sample: 61297c33ef1218ba0c2f1a01f07... Startdate: 07/10/2022 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 11 other signatures 2->60 7 61297c33ef1218ba0c2f1a01f0739c862c43e520163dc.exe 15 3 2->7         started        process3 dnsIp4 46 45.83.122.242, 49708, 80 INTERNET-ITNL Netherlands 7->46 32 61297c33ef1218ba0c...43e520163dc.exe.log, ASCII 7->32 dropped 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->72 74 Writes to foreign memory regions 7->74 76 Injects a PE file into a foreign processes 7->76 12 InstallUtil.exe 58 7->12         started        17 InstallUtil.exe 7->17         started        19 InstallUtil.exe 7->19         started        file5 signatures6 process7 dnsIp8 48 45.15.156.150, 49711, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 12->48 50 45.15.156.170, 49712, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 12->50 52 2 other IPs or domains 12->52 36 C:\Users\user\AppData\Roaming\LdGTHbC0.exe, PE32+ 12->36 dropped 38 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 12->38 dropped 40 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 12->40 dropped 42 8 other files (6 malicious) 12->42 dropped 78 Tries to harvest and steal browser information (history, passwords, etc) 12->78 80 DLL side loading technique detected 12->80 82 Tries to steal Crypto Currency Wallets 12->82 21 0oZgG4r5.exe 14 2 12->21         started        25 G0Mm5Dou.exe 12->25         started        27 34k4cwvI.exe 2 12->27         started        30 LdGTHbC0.exe 12->30         started        file9 signatures10 process11 dnsIp12 44 www.google.com 142.250.186.36 GOOGLEUS United States 21->44 62 Multi AV Scanner detection for dropped file 21->62 64 Detected unpacking (changes PE section rights) 21->64 66 Query firmware table information (likely to detect VMs) 21->66 70 2 other signatures 21->70 68 Machine Learning detection for dropped file 25->68 34 C:\Users\user\...\wixamap.exe, PE32 27->34 dropped file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61297c33ef1218ba0c2f1a01f0739c862c43e520163dc3c1d5a4e1d574c94f6f/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 17:49:00 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=meuxym7pcimludbpdia7a444qywehzjacy64hqovutq5k5gjj5xq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1fa40eae5c0b4dcf0d26d10c879ad5e466c06c3fa85f70dd17aad03d5f5b0f6a
RecordBreaker
2e6e8729d76dc13a750db437a1677e60d579f785714e7c5bbff65085be0f08bf
RecordBreaker
60b9dfe94376364fa7c7d47ca49cfcdae1b54cfad864098c6cf260f5bf870992
RecordBreaker
81030aadc3f378dde4902c73470dc954995589ff41b956db797d64c009857aa6
RecordBreaker
83fa45619a7ffe1b391020e17a7e2a826519da482086700dd76c6967c7e7dd3b
RecordBreaker
b78d348dc8a28e80d79acd9118ea488c502a18c30b211a03edd4cfd59715090f
RecordBreaker
b8df5dd15d2bb8b3201cd4d3de86f6e8f0458a1fcc1939788ba38b99e7a219dc
RecordBreaker
ba92119725503b0b5e754a57af62b63d72db95940051489a188ddc8133f416ff
RecordBreaker
f38fa95a5c036c2193db7d9b9c28f6bb6b5173c89e61cb396f1fbe03c457988b
RecordBreaker
+ 3'718 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:allcome family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/221007-z7a1hsdham/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Allcome
Raccoon
Malware Config
C2 Extraction:
http://5.2.70.65/
http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c7e86561-37dd-4f94-aa4c-ff7a8d834cd9
Unpacked files
SH256 hash:
59f52da0e952bb7e7544ee434786656abca05d5629ab8dcda713cf792c4e104d
MD5 hash:
63a4a7f568815b940107496a9a5ae8ff
SHA1 hash:
8e3fa4fbc73480728bed28e87a67883b7fca2ad4
Link:
https://www.unpac.me/results/38224d31-b6dc-4eba-b02d-c2d4864c65a9/
SH256 hash:
fe1dbcb370dd401b91dc06136c600a1aa5e701482ca7331c4b86c759240e02c2
MD5 hash:
01add4d10ef77b13aebf73ec3cb666ce
SHA1 hash:
77fafd35f6578df9845305cdf76a5c85d3a22d8c
Link:
https://www.unpac.me/results/38224d31-b6dc-4eba-b02d-c2d4864c65a9/
SH256 hash:
61297c33ef1218ba0c2f1a01f0739c862c43e520163dc3c1d5a4e1d574c94f6f
MD5 hash:
f35437764a84eb1008f884c9a975abf3
SHA1 hash:
9db30e9cd660b8478e0152f4cae4a402cb1191f8
Link:
https://www.unpac.me/results/38224d31-b6dc-4eba-b02d-c2d4864c65a9/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61297c33ef12/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61297c33ef1218ba0c2f1a01f0739c862c43e520163dc3c1d5a4e1d574c94f6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317759/

Comments