MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d2faa0580721927557823d1c965fb34483a3744a6d1d7418e976f0e35322c79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RecordBreaker
Vendor detections: 12

SHA256 hash: 9d2faa0580721927557823d1c965fb34483a3744a6d1d7418e976f0e35322c79
SHA3-384 hash: e35ff8c5ff432e86e6a1a8f5264ad8af956ab215b85090705807658edb25db7a687d3a870130ad2f32a9f09458362a8b
SHA1 hash: 8df8deb0bdee4757a7575b1f5c40bac4c6f2bef1
MD5 hash: 0f34e0aff1123d82835d60f41c02cfc3
humanhash: speaker-romeo-timing-colorado
File name: 0f34e0aff1123d82835d60f41c02cfc3.exe
Signature: RecordBreaker
File size: 404,688 bytes
First seen: 2022-08-01 09:45:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 504d97a665c5990d2e90f1479886157c (6 x RedLineStealer, 1 x Stop, 1 x RecordBreaker)
ssdeep: 6144:04YHjsCtXfAVWm9dgqpdxWOAhNGrnEFG/BT/JbKhXjD1A:0vdXYb9NpdxGhNQEFQBT/hKRD1A
TLSH: T17A84CF40BBA0D03DF5B312F47976C3A8B829BEA19B6050CB22D57ADE57346D1ECB5207
TrID: 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.0% (.SCR) Windows screen saver (13101/52/3)
      13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter: abuse_ch
Tags: exe recordbreaker


Comment by abuse_ch:
RecordBreaker C2:
http://116.202.178.170/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox reference
http://116.202.178.170/  https://threatfox.abuse.ch/ioc/840574/
185.198.57.19:80         https://threatfox.abuse.ch/ioc/840684/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 310
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed redline smokeloader
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu, Nymaim, PrivateLoader, Raccoon Ste
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Djvu Ransomware
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph (ID 676577; sample: Nm0KQ1zXSJ.exe; start date: 01/08/2022; architecture: Windows; score: 100)

Signatures on the sample node:
    Multi AV Scanner detection for domain / URL
    Malicious sample detected (through community Yara rule)
    Antivirus detection for URL or domain
    24 other signatures
Processes started from the sample node: Nm0KQ1zXSJ.exe; svchost.exe (two instances); 12 other processes

Nm0KQ1zXSJ.exe
    Network: 62.204.41.178 (TNNET-ASTNNetOyMainnetworkFI, United Kingdom); 41.41.255.235 (TE-ASTE-ASEG, Egypt); 12 other IPs or domains
    Dropped: C:\Users\...\tvn6zd858TDtfwaOGtYO84oE.exe (PE32); C:\Users\...\o9QqNc_XyGgsPfyOFkVIRoFj.exe (PE32+); C:\Users\...\fc5YcAbdDVBhOhl19Um8j3Lc.exe (PE32+); 22 other files (7 malicious)
    Signature: Disable Windows Defender real time protection (registry)
    Started: _wB6EBcZAjAApZIuxMN71BlT.exe; WOS6Qm_PNv4fm_zo1ZQzYbL5.exe; 1ib008PdA6jIxa8hcJp_qT75.exe; 14 other processes

svchost.exe (first instance)
    Contains functionality to inject threads in other processes
    Contains functionality to inject code into remote processes
    Contains functionality to compare user and computer (likely to detect sandboxes)
    Contains functionality to detect sleep reduction / modifications

svchost.exe (second instance)
    Query firmware table information (likely to detect VMs)

12 other processes (from the sample node)
    Network: 23.35.236.56 (ZAYO-6461US, United States); 127.0.0.1; 192.168.2.1
    Signature: Changes security center settings (notifications, updates, antivirus, firewall)
    Started: WerFault.exe

_wB6EBcZAjAApZIuxMN71BlT.exe
    Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
    Maps a DLL or memory area into another process
    Checks if the current machine is a virtual machine (disk enumeration)
    Creates a thread in another existing process (thread injection)

WOS6Qm_PNv4fm_zo1ZQzYbL5.exe
    Network: 77.73.132.84 (AS43260TR, Kazakhstan)
    Dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); 5 other files (none malicious)
    Tries to harvest and steal browser information (history, passwords, etc)
    Tries to steal Crypto Currency Wallets

1ib008PdA6jIxa8hcJp_qT75.exe
    Network: 104.21.27.180 (CLOUDFLARENETUS, United States)
    Dropped: C:\Users\user\AppData\...\Secure Preferences (UTF-8); C:\Users\user\AppData\Local\...\Preferences (ASCII)

14 other processes (children of Nm0KQ1zXSJ.exe)
    Network: 149.154.167.99 (TELEGRAMRU, United Kingdom); 162.159.130.233 (CLOUDFLARENETUS, United States)
    Dropped: C:\Users\...\cHjVvx7Qn4AcFMQpJJgM80qQ.exe (PE32); C:\Users\user\AppData\Local\Temp\...\File.exe (PE32); C:\Users\user\AppData\Local\...\WW14[1].exe (PE32); 4 other files (1 malicious)
    Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    Creates multiple autostart registry keys
    Injects a PE file into a foreign processes
    Started: 7NOuDn5qCzAhJK8xElXP38GY.exe; SETUP_~2.EXE; tvn6zd858TDtfwaOGtYO84oE.exe; 2 other processes

7NOuDn5qCzAhJK8xElXP38GY.exe
    Network: 104.21.40.196 (CLOUDFLARENETUS, United States)
    Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
    Started: conhost.exe

SETUP_~2.EXE
    Network: 50.87.142.220 (UNIFIEDLAYER-AS-1US, United States)

tvn6zd858TDtfwaOGtYO84oE.exe
    Network: 162.0.217.254 (ACPCA, Canada)
Threat name:
Win32.Ransomware.StopCrypt
Status:
Malicious
First seen:
2022-07-29 01:20:37 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
redline
Score:
  10/10
Tags:
family:djvu family:nymaim family:privateloader family:redline botnet:lyla01.08 botnet:mixbasic discovery evasion infostealer loader main persistence ransomware spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
NyMaim
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
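The behaviours listed above are sandbox labels, not detections you can run on a live host. The following Python is an added example, not part of the MalwareBazaar entry or any vendor's product: it maps some of the report's behaviour names to simple predicates over Sysmon-style registry-set and process-creation events and runs them over a constructed event list. The registry locations used for the Run key and for the Defender real-time protection policy are standard Windows paths assumed here, not taken from the report, and every event, path and command line in the list is constructed for illustration.

```python
import re
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]

# Registry locations assumed for two of the behaviours (standard Windows paths; not from the report).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_RTP_RE = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+", re.I)


def _registry(pattern: "re.Pattern") -> Callable[[Event], bool]:
    """Predicate: a registry value was written under a key matching `pattern`."""
    return lambda e: e["type"] == "registry_set" and bool(pattern.search(e["key"]))


def _process(image: str, cmd_pattern: str = "") -> Callable[[Event], bool]:
    """Predicate: `image` was started and its command line matches `cmd_pattern` (any line if empty)."""
    cmd_re = re.compile(cmd_pattern, re.I)
    return lambda e: (e["type"] == "process_create"
                      and e["image"].lower().endswith("\\" + image)
                      and bool(cmd_re.search(e.get("cmdline", ""))))


# Rule names are the behaviour labels from the report; the matching logic is this example's own.
RULES: List[tuple] = [
    ("Adds Run key to start application", _registry(RUN_KEY_RE)),
    ("Modifies Windows Defender Real-time Protection settings", _registry(DEFENDER_RTP_RE)),
    ("Creates scheduled task(s)", _process("schtasks.exe", r"/create\b")),
    ("Kills process with taskkill", _process("taskkill.exe")),
    ("Runs ping.exe", _process("ping.exe")),
    ("Modifies Windows Firewall", _process("netsh.exe", r"\b(advfirewall|firewall)\b")),
    ("Creates processes via WMI", lambda e: e["type"] == "process_create"
        and e.get("parent_image", "").lower().endswith("\\wmiprvse.exe")),
]


def detect(events: Iterable[Event]) -> Dict[str, List[int]]:
    """Return {behaviour name: [indexes of the events that triggered it]} for every rule that fired."""
    hits: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(idx)
    return hits


# Constructed telemetry in the shape of Sysmon event IDs 13 (registry value set) and 1 (process create).
TEMP = r"C:\Users\user\AppData\Local\Temp"
EVENTS: List[Event] = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "value": TEMP + r"\File.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "value": "1"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": TEMP + r"\File.exe",
     "cmdline": r'schtasks.exe /create /tn "Time Trigger Task" /tr ' + TEMP + r"\File.exe /sc minute /mo 5"},
    {"type": "process_create", "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ping 127.0.0.1 -n 5"},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": TEMP + r"\File.exe", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": TEMP + r"\File.exe", "cmdline": "taskkill /f /pid 4212"},
    {"type": "process_create", "image": TEMP + r"\dropped.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "dropped.exe"},
    # Benign controls: a non-autostart registry write and an ordinary interactive process start.
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "value": "1"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for name, idxs in detect(EVENTS).items():
        print(f"{name}: events {idxs}")
```

Single-event rules like these are noisy on real fleets (ping and schtasks are common in legitimate scripts); the report's value is the combination, so in practice you would correlate several hits under one parent process before alerting.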
Malware Config
C2 Extraction:
http://163.123.143.4/proxies.txt
http://193.233.177.215/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
http://107.182.129.251/server.txt
185.215.113.70:21508
http://acacaca.org/test3/get.php
208.67.104.9
212.192.241.16
185.215.113.216:21921
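The C2 extraction above mixes full URLs, host:port pairs, bare IPs and a scheme-less path, so the strings need one normalised form before they can be matched against proxy logs or pushed to a blocklist. The following Python is an added example, not code from MalwareBazaar or ThreatFox, and it covers both the IOC table earlier on the page and this config extraction: it parses each string into host, port, scheme, path and address type, then matches a constructed proxy log against the set. Treating pastebin.com as a shared service whose match is reported at low confidence is this example's assumption, prompted by the "Legitimate hosting services abused for malware hosting/C2" behaviour listed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicator strings copied from the IOC table and the "C2 Extraction" list of this entry.
RAW_IOCS = [
    "http://116.202.178.170/",
    "185.198.57.19:80",
    "http://163.123.143.4/proxies.txt",
    "http://193.233.177.215/server.txt",
    "pastebin.com/raw/A7dSG1te",
    "http://wfsdragon.ru/api/setStats.php",
    "163.123.143.12",
    "http://91.241.19.125/pub.php?pub=one",
    "http://sarfoods.com/index.php",
    "http://107.182.129.251/server.txt",
    "185.215.113.70:21508",
    "http://acacaca.org/test3/get.php",
    "208.67.104.9",
    "212.192.241.16",
    "185.215.113.216:21921",
]

# Assumption of this example: hosts that legitimate users also reach, so a host-level match
# is only a weak signal and blocking the whole host is usually not acceptable.
SHARED_HOSTS = {"pastebin.com"}


@dataclass(frozen=True)
class Indicator:
    host: str
    port: Optional[int]
    scheme: Optional[str]
    path: str
    kind: str  # "ip" or "domain"


def parse_ioc(raw: str) -> Indicator:
    """Normalise a URL, host:port pair, bare IP or scheme-less host/path string."""
    s = raw.strip()
    if "://" not in s:
        s = "//" + s  # gives urlsplit a netloc to parse for scheme-less strings
    parts = urlsplit(s)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"no host in indicator: {raw!r}")
    scheme = parts.scheme.lower() or None
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None and scheme:
        port = {"http": 80, "https": 443}.get(scheme)
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    path = parts.path + (f"?{parts.query}" if parts.query else "")
    return Indicator(host, port, scheme, path, kind)


def normalize_all(raws: Iterable[str]) -> List[Indicator]:
    return [parse_ioc(r) for r in raws]


def match_line(line: str, indicators: Iterable[Indicator]) -> List[Tuple[str, str]]:
    """Constructed proxy-log format: "<timestamp> <client-ip> <method> <url-or-host:port> <status>".
    Returns (indicator host, confidence) for every indicator the request matches."""
    fields = line.split()
    if len(fields) < 5:
        return []
    try:
        target = parse_ioc(fields[3])
    except ValueError:
        return []
    hits = []
    for ind in indicators:
        if ind.host != target.host:
            continue
        # A port on the indicator must agree with the observed port; a bare host matches any port.
        if ind.port is not None and target.port is not None and ind.port != target.port:
            continue
        hits.append((ind.host, "low" if ind.host in SHARED_HOSTS else "high"))
    return hits


def scan_log(lines: Iterable[str], indicators: Iterable[Indicator]) -> List[Tuple[int, str, str]]:
    """Return (line index, indicator host, confidence) for every matching log line."""
    inds = list(indicators)
    return [(i, host, conf) for i, line in enumerate(lines) for host, conf in match_line(line, inds)]


# Constructed proxy log; none of these lines come from the report.
SAMPLE_LOG = [
    "2022-08-01T09:50:01Z 10.0.0.12 GET http://163.123.143.4/proxies.txt 200",
    "2022-08-01T09:50:02Z 10.0.0.12 GET http://www.microsoft.com/ 200",
    "2022-08-01T09:50:03Z 10.0.0.12 CONNECT 185.215.113.70:21508 200",
    "2022-08-01T09:50:04Z 10.0.0.12 CONNECT 185.215.113.70:443 403",
    "2022-08-01T09:50:05Z 10.0.0.12 GET https://pastebin.com/raw/A7dSG1te 200",
]

if __name__ == "__main__":
    for i, host, conf in scan_log(SAMPLE_LOG, normalize_all(RAW_IOCS)):
        print(f"line {i}: {host} ({conf} confidence)")
```

The port rule matters for the two 185.215.113.x entries: they carry non-standard ports, so a connection to the same address on 443 is not evidence of this family, while the scheme-less pastebin entry matches on any port but only at low confidence.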

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments