MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 627e46e4ca56bf4609adde5bc7649889d2eb4f8e678589428b976f885e3fc922. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 16

SHA256 hash: 627e46e4ca56bf4609adde5bc7649889d2eb4f8e678589428b976f885e3fc922
SHA3-384 hash: 9063370f0a4d9b023e8ba02da0e9b80f705fc458ea46f151690568b84f4016386326b9859b166d0f01000ad063fcbac8
SHA1 hash: ae5883c30e44fd12e2171b999d883daa42bad07d
MD5 hash: 00932b9632f5974d443534bede90eee0
humanhash: tennessee-moon-speaker-kilo
File name: 00932b9632f5974d443534bede90eee0.exe
Signature: RecordBreaker
File size: 1'287'680 bytes
First seen: 2023-10-30 05:40:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 24576:MySwf0WQDu2FLeDsDgwGFw+lDqWRI+pIsFihhDQx3a6Vz8T:7RYj06vGbdIsFWNQx3pVz8
Threatray: 2'466 similar samples on MalwareBazaar
TLSH: T183552383BBD95573DCF92BB459F703EB0672BCE1AC7483A763556E4A4821160A93033B
TrID:
  70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
194.49.94.11:80

Intelligence


File Origin
# of uploads: 1
# of downloads: 321
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Launching a service
Creating synchronization primitives
Creating a file
Sending a custom TCP request
Creating a window
Launching cmd.exe command interpreter
Searching for synchronization primitives
Adding an access-denied ACE
Blocking the Windows Defender launch
Disabling the operating system update service
Forced shutdown of a system process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: advpack anti-vm CAB control explorer greyware installer installer lolbin packed rundll32 setupapi sfx shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Babadeda, Mystic Stealer, Raccoo
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected Mystic Stealer
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1334034, Sample: 5qvQN0vib2.exe, Startdate: 30/10/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.RedLine
Status: Malicious
First seen: 2023-10-27 12:30:23 UTC
File Type: PE (Exe)
Extracted files: 149
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:dcrat family:glupteba family:raccoon family:redline family:smokeloader family:zgrat botnet:6a6a005b9aa778f606280c5fa24ae595 botnet:grome botnet:kinza botnet:up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Amadey
DcRat
Detect ZGRat V1
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments