MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a027d527bf8e2d3682ee39f12379d113bc7d28193d36b2c448712e5c8009ff52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a027d527bf8e2d3682ee39f12379d113bc7d28193d36b2c448712e5c8009ff52
SHA3-384 hash: b9c1e3092630f3bcfcc52bd4c55c31e9f9331919096567bbbef2823171f8eb57c3c3c261eee8ed9c71741556d111940a
SHA1 hash: 98575e24bfe6a11c678de4f9ebc55453710fcc75
MD5 hash: 0b1c78db1d6debc91c59c0d7dfe9dd31
humanhash: hotel-eighteen-mississippi-kansas
File name:0b1c78db1d6debc91c59c0d7dfe9dd31.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:31'521'984 bytes
First seen:2022-10-14 22:05:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 786432:TZ2NuqrYwxyy8BXmRAw/5Vi5U21eNJvkH:TANua5xd89mmwQHoU
Threatray 115 similar samples on MalwareBazaar
TLSH T15C67336A73A4653EFB7E4AF144329328487FE67954168C9B03F444CCCF62B602F2A6D5
TrID 61.8% (.EXE) Inno Setup installer (109740/4/30)
23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon f08e336969338ef0 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker signed

Code Signing Certificate

Organisation:www.cultivated.com
Issuer:www.cultivated.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-09T07:42:12Z
Valid to:2023-10-09T08:02:12Z
Serial number: 569f2c1e2cdccd92433a028f9ee9ad72
Thumbprint Algorithm:SHA256
Thumbprint: 572a5797df1773ba262febef9a32d4e268f5ea695a158e4ed7e2090539125b7c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RecordBreaker C2:
http://77.91.123.97/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://77.91.123.97/ https://threatfox.abuse.ch/ioc/890265/

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/download/a027d527bf8e2d3682ee39f12379d113bc7d28193d36b2c448712e5c8009ff52/
Verdict:
Malicious activity
Analysis date:
2022-10-15 08:52:07 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/0609f73c-0b94-40f1-a4d1-2c862cbfc300

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Enabling the 'hidden' option for files in the %temp% directory
Sending an HTTP GET request
Launching a process
Replacing files
Downloading the file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43205/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed raccoon setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6349dd4d66721ebd9b2e5792/reports/55a0aabc-1d3f-42b9-9e65-d0066177c6a8/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1091051
Signature
Encrypted powershell cmdline option found
Hides threads from debuggers
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
PE file has nameless sections
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses 7zip to decompress a password protected archive
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 723661 Sample: cdPUKIldlM.exe Startdate: 15/10/2022 Architecture: WINDOWS Score: 64 119 Snort IDS alert for network traffic 2->119 121 Multi AV Scanner detection for dropped file 2->121 123 Multi AV Scanner detection for submitted file 2->123 125 4 other signatures 2->125 12 cdPUKIldlM.exe 2 2->12         started        process3 file4 111 C:\Users\user\AppData\...\cdPUKIldlM.tmp, PE32 12->111 dropped 155 Obfuscated command line found 12->155 16 cdPUKIldlM.tmp 5 18 12->16         started        signatures5 process6 file7 85 C:\Users\user\AppData\Local\...\is-1DU31.tmp, PE32 16->85 dropped 87 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 16->87 dropped 89 C:\...\Driver.Booster.10.0.0.31.exe (copy), PE32 16->89 dropped 91 3 other files (none is malicious) 16->91 dropped 19 Driver.Booster.10.0.0.31.exe 16->19         started        23 cmd.exe 1 16->23         started        process8 file9 93 C:\Users\...\Driver.Booster.10.0.0.31.tmp, PE32 19->93 dropped 127 Obfuscated command line found 19->127 25 Driver.Booster.10.0.0.31.tmp 31 239 19->25         started        129 Wscript starts Powershell (via cmd or directly) 23->129 131 Uses ping.exe to sleep 23->131 133 Uses cmd line tools excessively to alter registry or file data 23->133 135 3 other signatures 23->135 29 wscript.exe 23->29         started        31 7za.exe 23->31         started        33 powershell.exe 15 17 23->33         started        36 conhost.exe 23->36         started        signatures10 process11 dnsIp12 95 C:\Users\user\AppData\...\iswin7logo.dll, PE32 25->95 dropped 97 C:\Users\user\AppData\Local\...\botva2.dll, PE32 25->97 dropped 99 C:\Users\user\AppData\Local\Temp\...\b2p.dll, PE32 25->99 dropped 107 114 other files (41 malicious) 25->107 dropped 147 Uses netsh to modify the Windows network and firewall settings 25->147 149 Modifies the windows firewall 25->149 38 DriverBooster.exe 25->38         started        41 HWiNFO.exe 1 25->41         started        44 DriverBooster.exe 25->44         started        52 8 other processes 25->52 151 Wscript starts Powershell (via cmd or directly) 29->151 46 cmd.exe 29->46         started        48 cmd.exe 29->48         started        50 cmd.exe 29->50         started        101 C:\ProgramData\...\compil23_obf.bat, Unicode 31->101 dropped 103 C:\ProgramData\...\CurrentControlSet002.bat, Unicode 31->103 dropped 105 C:\...\CurrentControlSet001_obf.bat, Unicode 31->105 dropped 113 31.42.177.171, 49699, 80 YANINA-ASUA Ukraine 33->113 115 192.168.2.1 unknown unknown 33->115 file13 signatures14 process15 file16 137 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 38->137 139 Hides threads from debuggers 38->139 54 Manta.exe 38->54         started        57 AutoUpdate.exe 38->57         started        59 RttHlp.exe 38->59         started        65 4 other processes 38->65 109 C:\Users\user\AppData\...\HWiNFO64A_151.SYS, PE32+ 41->109 dropped 141 Sample is not signed and drops a device driver 41->141 61 mshta.exe 46->61         started        63 conhost.exe 46->63         started        67 3 other processes 48->67 70 3 other processes 50->70 72 8 other processes 52->72 signatures17 process18 dnsIp19 143 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 54->143 145 Hides threads from debuggers 54->145 74 cmd.exe 61->74         started        117 127.0.0.1 unknown unknown 67->117 signatures20 process21 signatures22 153 Uses cmd line tools excessively to alter registry or file data 74->153 77 conhost.exe 74->77         started        79 reg.exe 74->79         started        81 reg.exe 74->81         started        83 6 other processes 74->83 process23
Gathering data
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-10-09 22:26:16 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uat5kj57rywtnaxohhysg6orco6h2kazhu3lfrcioexfzaaj75ja._file
Verdict:
suspicious
Similar samples:
06b795cf4007dfabb39adc54728d7bc4dabde17ff340ebac4e870856a1741fb7
RecordBreaker
2eeae1c74dff19b7538522acd75a4c9e0d369cec323d4837bdfbc00b8fc81799
RecordBreaker
3dff7ec382a12eb1b4765c5e0927bcb9d7f34461dfd113cbc51fbb1aa0a33761
RecordBreaker
7130f3050718b8dc5bcf760bf129dc68da5285d058d59d27ae3f2c667c7a8809
RecordBreaker
bc92ac427770e9d3e2e12ed5f25d1a8d92c43f6342b675f6e1d2ec70b86601fe
RecordBreaker
e2b9859fcfaed0a7d7a857646cf37b042df26f13a4c455a5fcffed0f6bb74d12
RecordBreaker
+ 105 additional samples on MalwareBazaar
Result
Malware family:
raccoon
Create hunting rule
Score:
  10/10
Tags:
family:raccoon botnet:9b19cf60d9bdf65b8a2495aa965456c3 discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221014-1z3agaegal/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender notification settings
Raccoon
Malware Config
C2 Extraction:
http://77.91.123.97/
Dropper Extraction:
http://31.42.177.171/hfile.bin
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/49e1b7f4-0366-40f6-964b-4dc560f97a7a
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a027d527bf8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a027d527bf8e2d3682ee39f12379d113bc7d28193d36b2c448712e5c8009ff52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments