MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 14

SHA256 hash: 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
SHA3-384 hash: 4557e3677352ec92964eb6f0f846fac49527a221f2a26814cd62076c38f14f43dac180b2f5b4eed8ae3fe64fec2a23c3
SHA1 hash: c80a27155317c3d08308cf8a55e4790f429bb2dd
MD5 hash: e0118ad4299455683d5d0708772742ef
humanhash: failed-december-fish-dakota
File name: e0118ad4299455683d5d0708772742ef.exe
Download: download sample
Signature: RecordBreaker
File size: 2'772'338 bytes
First seen: 2022-08-23 01:40:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 49152:pAI+1NpJc7YrEa2u2hq3PGh0p4EyqaeFEqLh09fqNZesF+AxnMtQSOanD9:pAI+vc8rHJ283PGi4EyduRLh0MNZesFS
TLSH: T196D5333A62C1403BD6921AB24D9BC7FAF936F5041B3CB0DEBDDD0D1C84176485ABA16E
TrID: 86.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      5.6% (.EXE) InstallShield setup (43053/19/16)
      1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      1.7% (.SCR) Windows screen saver (13101/52/3)
      1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE): PE icon
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: exe recordbreaker
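Before analysing a downloaded copy, check it against every digest the entry publishes rather than only the SHA256; a single mismatch means you are looking at a different file (the download link serves the sample inside an archive, so hash the extracted executable, not the archive). The script below is an added example, not MalwareBazaar tooling: EXPECTED is copied from this entry, and the path handed to verify_file() is assumed to be the analyst's own extracted copy.

```python
"""Verify a candidate file against the digests published in this entry.

Added example: this is not MalwareBazaar's own tooling. EXPECTED is copied
from the entry above; the file path passed to verify_file() is the
analyst's own extracted copy of the sample (assumption: it has already
been taken out of the download archive).
"""
import hashlib

# Digests copied from the entry for SHA256 6acec347...dbd115.
EXPECTED = {
    "sha256": "6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115",
    "sha3_384": "4557e3677352ec92964eb6f0f846fac49527a221f2a26814cd62076c38f14f43dac180b2f5b4eed8ae3fe64fec2a23c3",
    "sha1": "c80a27155317c3d08308cf8a55e4790f429bb2dd",
    "md5": "e0118ad4299455683d5d0708772742ef",
}


def digests(chunks, algos):
    """Hash one byte stream for every algorithm in a single pass.

    chunks: iterable of bytes; algos: names accepted by hashlib.new().
    Returns {algo: lowercase hex digest}.
    """
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(chunks, expected):
    """Compare a byte stream with published digests.

    Returns {algo: (matches, actual_hexdigest)} so the caller can see
    which algorithm disagreed instead of a bare True/False. Expected
    values are compared case-insensitively because feeds publish either.
    """
    actual = digests(chunks, tuple(expected))
    return {a: (actual[a] == expected[a].lower(), actual[a]) for a in expected}


def all_match(result):
    """True when every algorithm in a verify() result agreed."""
    return all(ok for ok, _ in result.values())


def mismatches(result):
    """Names of the algorithms that disagreed, in the order checked."""
    return [a for a, (ok, _) in result.items() if not ok]


def verify_file(path, expected=EXPECTED, chunk_size=1 << 20):
    """Stream a file from disk in chunk_size pieces and verify it."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return verify(chunks(), expected)


if __name__ == "__main__":
    import sys
    result = verify_file(sys.argv[1])
    for algo, (ok, actual) in result.items():
        print(f"{algo:8} {'OK ' if ok else 'BAD'} {actual}")
    sys.exit(0 if all_match(result) else 1)
```

Run it as `python verify_sample.py path/to/extracted.exe`; a non-zero exit code makes it usable as a gate in a triage script. Streaming the file once through all four hashers keeps the cost the same as a single sha256sum on large droppers.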


abuse_ch
RecordBreaker C2:
http://135.181.104.248/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                        ThreatFox reference
http://135.181.104.248/    https://threatfox.abuse.ch/ioc/844709/
http://88.119.169.27/      https://threatfox.abuse.ch/ioc/844803/

Intelligence


File Origin
# of uploads: 1
# of downloads: 336
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: e0118ad4299455683d5d0708772742ef.exe
Verdict: No threats detected
Analysis date: 2022-08-23 01:41:11 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a file in the Program Files subdirectories
Modifying a system file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Searching for the browser window
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: AsyncRAT, CryptOne, Raccoon Stealer v2
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AsyncRAT
Yara detected CryptOne packer
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 688476
Sample: WSkT8d093C.exe
Start date: 23/08/2022
Architecture: WINDOWS
Score: 100

Top-level network: iplogger.org, dns.google, 2 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 19 other signatures

Process tree (dropped files, network contacts and signatures listed under the process that produced them):

WSkT8d093C.exe (started)
  dropped: C:\Program Files (x86)\...\safert44.exe (PE32)
  dropped: C:\Program Files (x86)\Company\...\real.exe (PE32)
  dropped: C:\Program Files (x86)\...\ordo_sec666.exe (PE32)
  dropped: 8 other files (7 malicious)
  F0geI.exe (started)
    network: 45.95.11.158, ports 49774, 80, ULTRA-PACKETUS, Italy
    dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32)
    dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32)
    dropped: C:\Users\user\AppData\LocalLow\softokn3.dll (PE32)
    dropped: 4 other files (none is malicious)
    signature: Tries to harvest and steal browser information (history, passwords, etc)
    signature: Tries to steal Crypto Currency Wallets
  real.exe (started)
    network: t.me 149.154.167.99, ports 443, 49810, TELEGRAMRU, United Kingdom
    network: 135.181.104.248, ports 49812, 80, HETZNER-ASDE, Germany
    signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  captain09876.exe (started)
    dropped: C:\Users\user\AppData\Local\...\SETUP_~1.EXE (PE32)
    SETUP_~1.EXE (started)
      network: cutt.ly 104.22.1.232, ports 443, 49875, 50072, CLOUDFLARENETUS, United States
      network: cdn.discordapp.com 162.159.133.233, ports 443, 49884, 50076, CLOUDFLARENETUS, United States
      signature: Encrypted powershell cmdline option found
      powershell.exe (started)
        conhost.exe (started)
  17 other processes
    network: 103.89.90.61, ports 34589, 49914, VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam
    network: 195.54.170.157, ports 16525, 49960, VALICOM-ASPT, unknown
    network: 6 other IPs or domains
    dropped: C:\Users\user\TypeRes\DllResource.exe (PE32)
    dropped: C:\...\pnacl_public_x86_64_pnacl_sz_nexe (ELF)
    dropped: C:\...\pnacl_public_x86_64_pnacl_llc_nexe (ELF)
    chrome.exe (started)
      network: iplogger.org 148.251.234.83, ports 443, 49728, 49729, HETZNER-ASDE, Germany
      network: accounts.google.com 142.250.180.141, ports 443, 49727, GOOGLEUS, United States
      network: 8 other IPs or domains
    chrome.exe (started)
    chrome.exe (started)
    11 other processes
rundll32.exe (started)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2022-08-22 22:35:15 UTC
File Type: PE (Exe)
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:dcrat family:redline botnet:5 botnet:5076357887 botnet:molecule jk botnet:nam3 discovery infostealer persistence rat spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
DcRat
RedLine
RedLine payload
Malware Config
C2 Extraction:
103.89.90.61:34589
176.113.115.146:9582
195.54.170.157:16525
insttaller.com:40915
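The two ThreatFox URLs in the IOC section and the four host:port pairs in this C2 extraction are the actionable part of the entry, but they come in different shapes. As an added example (not MalwareBazaar or abuse.ch code), the script below normalises both forms into one host/port table and runs it over a few constructed key=value log lines; the log format, the 10.0.0.x clients and the log lines themselves are assumptions for the demo. A destination that hits an IOC host on the extracted port is reported as a C2 hit; a hit on the host alone is reported separately at lower confidence, since the port is what ties an IP to this family's configuration.

```python
"""Match network logs against the C2 indicators published in this entry.

Added example, not MalwareBazaar or abuse.ch code. THREATFOX_URLS and
C2_EXTRACTION are copied from the entry; the key=value log format, the
10.0.0.x hosts and the log lines themselves are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# ThreatFox IOCs from the "Indicators Of Compromise" table (URL form).
THREATFOX_URLS = [
    "http://135.181.104.248/",
    "http://88.119.169.27/",
]
# Sandbox "C2 Extraction" list (host:port form).
C2_EXTRACTION = [
    "103.89.90.61:34589",
    "176.113.115.146:9582",
    "195.54.170.157:16525",
    "insttaller.com:40915",
]


def build_ioc_table(urls, hostports):
    """Normalise both IOC forms into {host: {port, ...}}.

    A URL without an explicit port implies the scheme default (80/443);
    a host:port pair is taken literally.
    """
    table = {}
    for url in urls:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
        table.setdefault(parts.hostname.lower(), set()).add(port)
    for item in hostports:
        host, _, port = item.rpartition(":")
        table.setdefault(host.lower(), set()).add(int(port))
    return table


IOC_TABLE = build_ioc_table(THREATFOX_URLS, C2_EXTRACTION)

# Constructed log format for the demo: space-separated key=value fields.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_logs(lines, table):
    """Return (line_no, host, port, reason) for every line touching an IOC.

    reason is one of:
      dns-query            the client resolved an IOC domain
      c2-port              destination host AND the extracted C2 port matched
      ioc-host-other-port  host matched on a port the config does not list
                           (lower confidence: treat as a lead, not a verdict)
    """
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        query = f.get("query", "").lower().rstrip(".")  # strip FQDN trailing dot
        if query and query in table:
            hits.append((n, query, None, "dns-query"))
            continue
        dst = f.get("dst", "").lower()
        if dst not in table:
            continue
        try:
            dport = int(f.get("dport", ""))
        except ValueError:
            dport = -1
        reason = "c2-port" if dport in table[dst] else "ioc-host-other-port"
        hits.append((n, dst, dport, reason))
    return hits


# Constructed sample log (not real traffic); lines 1, 2, 3 and 5 should fire.
SAMPLE_LOG = [
    "ts=2022-08-23T01:45:10Z src=10.0.0.5 dst=135.181.104.248 dport=80 proto=tcp",
    "ts=2022-08-23T01:45:11Z src=10.0.0.5 dst=103.89.90.61 dport=34589 proto=tcp",
    "ts=2022-08-23T01:45:12Z src=10.0.0.7 query=insttaller.com. qtype=A",
    "ts=2022-08-23T01:45:13Z src=10.0.0.7 dst=142.250.180.141 dport=443 proto=tcp",
    "ts=2022-08-23T01:45:14Z src=10.0.0.9 dst=195.54.170.157 dport=443 proto=tcp",
]


def find_hits(lines=SAMPLE_LOG, table=IOC_TABLE):
    """Run the matcher over the constructed log (or any list of lines)."""
    return match_logs(lines, table)


if __name__ == "__main__":
    for line_no, host, port, reason in find_hits():
        print(f"line {line_no}: {host}:{port if port is not None else '-'} [{reason}]")
```

Line 4 of the constructed log (accounts.google.com's IP from the sandbox graph) is deliberately not an IOC and produces nothing, and the line 5 hit is downgraded because 195.54.170.157 is only listed with port 16525. Both 103.89.90.61:34589 and 195.54.170.157:16525 also appear as live connections in the behaviour graph above, which is why matching on the extracted port is worth the extra field.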
Unpacked files

SHA256 hash: 78bf7657f124dce3bfa65c53538018fa20b4d1252a1b57d19f8ea5dfe76d3cba
MD5 hash: 89723e55cd4d3eb46427101f337aec6f
SHA1 hash: 177fd6505e9f881b1166602e7f207aa98f5fb3a7

SHA256 hash: 494ab44bb96537fc8a3e832e3cf032b0599501f96a682205bc46d9b7744d52ab
MD5 hash: 7a2bee524416775d2d9fe309502a1cc3
SHA1 hash: 7fcfc20753c394a6d0cdf65463462581cf4cbde5
Detections: win_recordbreaker_auto
Parent samples:
SHA256 hash: 1c82111425cc6945f06b05050e3038aa1769e0f2d3e4a87a641a06e50042266c
MD5 hash: c38b083ef5eb35d770919c20dc72771f
SHA1 hash: 7bd53fcb84ec85a222eb7264b1f6942c2ddc2b88
Detections: win_vidar_auto

SHA256 hash: 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115
MD5 hash: e0118ad4299455683d5d0708772742ef
SHA1 hash: c80a27155317c3d08308cf8a55e4790f429bb2dd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RecordBreaker, Executable exe 6acec3474a2dcacc99fe7f6495d4e4e90adbb40de283054aadad2e8f91dbd115 (this sample)

Delivery method: Distributed via web download

Comments