MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fd0c18e417e77f1b4019024738211632265864ea3acf9f985eea6c0c75ba3ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash: 7fd0c18e417e77f1b4019024738211632265864ea3acf9f985eea6c0c75ba3ba
SHA3-384 hash: eccb656a24a0467fff59a9483874494737d889165250d0f099847e4c9252ad3febacdb13796fccfc3de4f019769c61f3
SHA1 hash: c15cccf1ba94a7e67e615bf4f94d1266fc9d3c7b
MD5 hash: ffba715730cdb446fa832c8fcaa4f783
humanhash: happy-mango-magnesium-mexico
File name:ffba715730cdb446fa832c8fcaa4f783.exe
Download: download sample
Signature RecordBreaker
File size:1'271'765 bytes
First seen:2022-08-05 12:30:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (79 x ArkeiStealer, 53 x RecordBreaker, 40 x RedLineStealer)
ssdeep 24576:pAT8QE+kEKkUsAqQwN7yweEOFeN5Wy7lfeSqB+HkfnC2sH2BcUSnH6NW6u0thZ:pAI+pKkkq3N7pOFE5Wy7lWSqBwgC2sHY
TLSH T1EE45233AF14245BFD0210A394D1FD37AB53AAA041B3D55DF77CE1A1C8C3321A6E7A25A
TrID 86.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
5.6% (.EXE) InstallShield setup (43053/19/16)
1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.7% (.SCR) Windows screen saver (13101/52/3)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (53 x RecordBreaker, 35 x RedLineStealer, 12 x ArkeiStealer)
Reporter @abuse_ch
Tags:exe recordbreaker


Twitter
@abuse_ch
RecordBreaker C2:
http://45.95.11.158/

Intelligence


File Origin
# of uploads :
1
# of downloads :
344
Origin country :
NL NL
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ffba715730cdb446fa832c8fcaa4f783.exe
Verdict:
No threats detected
Analysis date:
2022-08-05 12:33:35 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
–°reating synchronization primitives
Creating a file in the Program Files subdirectories
Modifying a system file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Searching for the window
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint greyware overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Verdict:
Malicious
Result
Threat name:
RedLine, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 679285 Sample: 60MLnq8Uma.exe Startdate: 05/08/2022 Architecture: WINDOWS Score: 76 38 iplogger.org 2->38 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 11 other signatures 2->62 8 60MLnq8Uma.exe 16 25 2->8         started        signatures3 process4 file5 30 C:\Program Files (x86)\Company\...\tag.exe, PE32 8->30 dropped 32 C:\Program Files (x86)\...\safert44.exe, PE32 8->32 dropped 34 C:\Program Files (x86)\Company\...\real.exe, PE32 8->34 dropped 36 4 other files (3 malicious) 8->36 dropped 11 real.exe 18 8->11         started        15 namdoitntn.exe 4 8->15         started        17 safert44.exe 2 8->17         started        19 10 other processes 8->19 process6 dnsIp7 46 45.159.248.53, 49794, 80 VMAGE-ASRU Russian Federation 11->46 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->64 66 Tries to harvest and steal browser information (history, passwords, etc) 11->66 68 Tries to steal Crypto Currency Wallets 11->68 48 103.89.90.61, 18728, 49846 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 15->48 50 31.41.244.134, 11643, 49916 AEROEXPRESS-ASRU Russian Federation 17->50 52 192.168.2.1 unknown unknown 19->52 54 239.255.255.250 unknown Reserved 19->54 21 chrome.exe 14 19->21         started        24 chrome.exe 19->24         started        26 chrome.exe 19->26         started        28 3 other processes 19->28 signatures8 process9 dnsIp10 40 iplogger.org 148.251.234.83, 443, 49751, 49752 HETZNER-ASDE Germany 21->40 42 accounts.google.com 142.250.185.205, 443, 49754 GOOGLEUS United States 21->42 44 3 other IPs or domains 21->44
Threat name:
Win32.Infostealer.RedLine
Status:
Malicious
First seen:
2022-08-05 12:31:10 UTC
File Type:
PE (Exe)
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
redline
Score:
  10/10
Tags:
family:raccoon family:redline botnet:4 botnet:@tag12312341 botnet:f0c8034c83808635df0d9d8726d1bfd6 botnet:nam3 discovery infostealer persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Raccoon
Raccoon Stealer payload
RedLine
RedLine payload
Malware Config
C2 Extraction:
103.89.90.61:18728
31.41.244.134:11643
62.204.41.144:14096
http://45.95.11.158/
Unpacked files
SH256 hash:
97968ed3ebfeb194496029269723f30e109087373f91ba42e9f0b20ba821a5d6
MD5 hash:
4c0f10cdc23ed08a3c97889274bdaa77
SHA1 hash:
a5fee7013a5c0c1593a93e4809a52a50315d7881
SH256 hash:
88061fc99b8d011006de3f808f8b1c8d239268ef76585eacf2cbb29d7926c800
MD5 hash:
3ec84227a46b0cddb9ddf31a2168e66d
SHA1 hash:
6f8861a0cd91ea97b1f2125319b55cbee689627f
SH256 hash:
228edf139bd9ecc269943af6a04d29ef25e3fb0bd04f3590d49105e536188339
MD5 hash:
39a0e25190044817cc709ccaa17cd405
SHA1 hash:
5a58974f436caf5623d77370f03e269fb806fe99
SH256 hash:
f092d9ddfc547c7d752ba5435b47bf5d9c8ec06e5d93f483434abd9a9661d143
MD5 hash:
afbac7aee51bb007e7afac70ee13d40a
SHA1 hash:
d7a5503fad7d8328d108c0736158940ef2a85165
SH256 hash:
7fd0c18e417e77f1b4019024738211632265864ea3acf9f985eea6c0c75ba3ba
MD5 hash:
ffba715730cdb446fa832c8fcaa4f783
SHA1 hash:
c15cccf1ba94a7e67e615bf4f94d1266fc9d3c7b

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.95.11.158/ https://threatfox.abuse.ch/ioc/841512

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe 7fd0c18e417e77f1b4019024738211632265864ea3acf9f985eea6c0c75ba3ba

(this sample)

  
Delivery method
Distributed via web download

Comments