MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95fd6dbd5b34b84d5f126ec006fd2578eb32189cbe679314e83110057f7625c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95fd6dbd5b34b84d5f126ec006fd2578eb32189cbe679314e83110057f7625c5
SHA3-384 hash: 860266ac8893c4d2cfc37f2f4b184d592e3887a25631fe31a9731396c37f91177f528354978c40626e2047d201c9be8a
SHA1 hash: 2065f4c045d013cb93a3c32d78acc87bc590baa4
MD5 hash: 046fdd84bba15a4de5a43f004a6004ad
humanhash: carpet-finch-alaska-charlie
File name:95FD6DBD5B34B84D5F126EC006FD2578EB32189CBE679.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:338'944 bytes
First seen:2022-08-13 19:30:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 16c6db61a45b1cc9e03eb41acced74bb (9 x RedLineStealer, 1 x Smoke Loader, 1 x RecordBreaker)
ssdeep 6144:oW/Yt977ekkhPKp0/GdCMkeiOxjsIkwxkb4Y:DY/7e5hiW/G7keicXM
TLSH T143748D10BBA0D435F1F712F449768368B93D3EA1A72850CF62D52AEE5634AE4EC3135B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://65.21.186.115/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://65.21.186.115/ https://threatfox.abuse.ch/ioc/842882/

Intelligence

File Origin
# of uploads :
1
# of downloads :
513
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
95FD6DBD5B34B84D5F126EC006FD2578EB32189CBE679.exe
Verdict:
No threats detected
Analysis date:
2022-08-13 19:31:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e6ea0b6-b21e-49cd-acad-4d8ac27a507f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298449/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Packed.Pwsx-9956851-0
Create hunting rule

Win.Packed.Bandook-9958944-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62f7fc6f080024921b734aa3/reports/662d2373-05ec-4e95-b84a-f269dc1810ec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b7bfa0d-50a8-41bc-b25e-a304de7b5724
Result
Threat name:
DanaBot, Raccoon Stealer v2, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051060
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected DanaBot stealer dll
Yara detected Raccoon Stealer v2
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 683570 Sample: 95FD6DBD5B34B84D5F126EC006F... Startdate: 13/08/2022 Architecture: WINDOWS Score: 100 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 10 other signatures 2->65 9 95FD6DBD5B34B84D5F126EC006FD2578EB32189CBE679.exe 2->9         started        12 cufigaw 2->12         started        14 cufigaw 2->14         started        process3 signatures4 83 Detected unpacking (changes PE section rights) 9->83 85 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 9->85 87 Maps a DLL or memory area into another process 9->87 16 explorer.exe 4 9->16 injected 89 Antivirus detection for dropped file 12->89 91 Multi AV Scanner detection for dropped file 12->91 93 Machine Learning detection for dropped file 12->93 95 Checks if the current machine is a virtual machine (disk enumeration) 14->95 97 Creates a thread in another existing process (thread injection) 14->97 process5 dnsIp6 51 187.156.114.224, 49717, 49721, 49723 UninetSAdeCVMX Mexico 16->51 53 187.170.251.250, 49728, 49734, 80 UninetSAdeCVMX Mexico 16->53 55 6 other IPs or domains 16->55 33 C:\Users\user\AppData\Roaming\cufigaw, PE32 16->33 dropped 35 C:\Users\user\AppData\Local\Temp44F.exe, PE32 16->35 dropped 37 C:\Users\user\AppData\Local\Temp\618E.exe, PE32 16->37 dropped 39 C:\Users\user\...\cufigaw:Zone.Identifier, ASCII 16->39 dropped 67 System process connects to network (likely due to code injection or exploit) 16->67 69 Benign windows process drops PE files 16->69 71 Deletes itself after installation 16->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->73 21 618E.exe 45 16->21         started        26 E44F.exe 1 16->26         started        file7 signatures8 process9 dnsIp10 57 65.21.186.115, 49749, 80 CP-ASDE United States 21->57 41 C:\Users\user\AppData\...\vcruntime140.dll, PE32 21->41 dropped 43 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 21->43 dropped 45 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 21->45 dropped 49 4 other files (none is malicious) 21->49 dropped 75 Detected unpacking (changes PE section rights) 21->75 77 Detected unpacking (overwrites its own PE header) 21->77 79 Machine Learning detection for dropped file 21->79 81 2 other signatures 21->81 47 C:\Users\user\AppData\Local\Temp\Dtsfas.dll, PE32 26->47 dropped 28 rundll32.exe 26->28         started        file11 signatures12 process13 signatures14 99 Tries to detect virtualization through RDTSC time measurements 28->99 31 WerFault.exe 20 9 28->31         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95fd6dbd5b34b84d5f126ec006fd2578eb32189cbe679314e83110057f7625c5/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 02:37:43 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sx6w3pk3gs4e2xysn3aan7jfpdvtege4xztzgfhigeiak73wexcq._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:danabot family:redline botnet:123 banker collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/220813-x8cvdsgac8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
RedLine
RedLine payload
Malware Config
C2 Extraction:
185.62.57.122:443
104.168.247.161:443
192.236.155.159:443
184.95.48.11:443
52.14.249.40:42474
Unpacked files
SH256 hash:
0442f8e67b80c4efeadfe24184603cdc41ea8ef30ae8b640ab976c9dbae161d5
MD5 hash:
1476f725ec451ca8fa22aad9bbf91ad2
SHA1 hash:
215ea11c76392ec300dc05bc749124563ef4d2ef
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/6c61c6f4-a815-4e8a-a0a6-9df1d092c728/
Parent samples :
f0ec9da984c79f4fdd540d22d157d1944129f18e79b0439cc028048812207970
95fd6dbd5b34b84d5f126ec006fd2578eb32189cbe679314e83110057f7625c5
SH256 hash:
95fd6dbd5b34b84d5f126ec006fd2578eb32189cbe679314e83110057f7625c5
MD5 hash:
046fdd84bba15a4de5a43f004a6004ad
SHA1 hash:
2065f4c045d013cb93a3c32d78acc87bc590baa4
Link:
https://www.unpac.me/results/6c61c6f4-a815-4e8a-a0a6-9df1d092c728/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95fd6dbd5b34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95fd6dbd5b34b84d5f126ec006fd2578eb32189cbe679314e83110057f7625c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298449/

Comments