MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97
SHA3-384 hash:	ddba2706b7a991e8494ddaf1f05785138d50f45db52ac0f07e8d4f31d4528e2c2a4d3274b51c3f29df5b82f0fadbaedc
SHA1 hash:	b52db9d39d4ceefedb5c97c2e11bef69c93850d7
MD5 hash:	e8fe5a28d052a908573b49ab0a904ca4
humanhash:	nine-texas-avocado-potato
File name:	e8fe5a28d052a908573b49ab0a904ca4.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	281'600 bytes
First seen:	2022-07-24 10:25:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8c4105a8833eb6f5aff1196f6e0fcdfb (5 x RedLineStealer, 2 x Loki, 1 x ArkeiStealer)
ssdeep	6144:/zLrC+Edn2HzOy3kA6ChxpruOXxWrf6LLheinA8K:LS+Edn2TOy3JxpruOhWb6LjA
TLSH	T1AF54DF0131D4C832D6A719368524CBB48E7BB86AAD255A8F7BD41BFA9F247D1D73030E
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d2b1e4c4ecb987f9 (17 x RedLineStealer, 10 x Smoke Loader, 4 x Amadey)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
195.22.149.201:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.22.149.201:80	https://threatfox.abuse.ch/ioc/839323/

Intelligence

File Origin

# of uploads :

# of downloads :

417

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293785/

Detection(s):

Win.Packed.Pwsx-9954187-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed

Link:

https://www.filescan.io/uploads/62dd1ec8e18d450dc686735f/reports/f1c14202-8d0c-4019-8fb9-53f8595b83fa/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Glupteba

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/676d273e-6652-43e5-ac35-e5e73a5da255

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1039942

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2022-07-01 15:31:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pjrig3ejm7xw2pdtp6nlufdow7xv2cgkzrle7kvcngppvr2wdolq._file

Verdict:

malicious

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader evasion loader main spyware stealer trojan

Link:

https://tria.ge/reports/220724-mgh7zscfc9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Modifies Windows Defender Real-time Protection settings

PrivateLoader

Malware Config

C2 Extraction:

http://212.193.30.45/proxies.txt
http://85.202.169.116/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
85.202.169.116
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php

Unpacked files

SH256 hash:

089f33384fdb104aa90f37ef279b5915fff2dfe65a4e24ebb787e53099f62198

MD5 hash:

631244ba78aa268c36d6e048cee297c2

SHA1 hash:

24b667e6c75ef56ad433aad5d8e7f4bbf07ae300

Detections:

win_privateloader_a0

Link:

https://www.unpac.me/results/29584ef9-a6d0-4659-b477-effa3824981c/

SH256 hash:

7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97

MD5 hash:

e8fe5a28d052a908573b49ab0a904ca4

SHA1 hash:

b52db9d39d4ceefedb5c97c2e11bef69c93850d7

Link:

https://www.unpac.me/results/29584ef9-a6d0-4659-b477-effa3824981c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/293785/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample