MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad1795113e302772c08f24c6c1947da43b2b9c82c77c9c906ec616fb39214f8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad1795113e302772c08f24c6c1947da43b2b9c82c77c9c906ec616fb39214f8b
SHA3-384 hash: 8b6d7826abf4acb3a8fb210277a2a6a5f91f3ca8cd39c90cad08ee2e4d55bf4a8c0217ed06e3bd9ffe7cc043bddbfa86
SHA1 hash: 0663f5d6cdee325bc0be279f7e81f150921c6a96
MD5 hash: c656855186dedce4c57f1eedb3bdf242
humanhash: ink-carolina-river-network
File name:AD1795113E302772C08F24C6C1947DA43B2B9C82C77C9.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'672'029 bytes
First seen:2024-01-18 21:55:11 UTC
Last seen:2024-01-18 23:38:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (263 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/midGKic6QL3E2vVsjECUAQT45deRV9RJ:sBuZrEUAKIy029s4C1eH9P
TLSH T17F75BF3FF268A13EC56A1B3245B38320997BBA51B81A8C1E47FC344DCF765601E3B656
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://94.228.169.161/

Intelligence

File Origin
# of uploads :
2
# of downloads :
384
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471578/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.26678.14937.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/65a99e74fd5068bbc3d9c734/reports/052d5f52-da64-486b-9e92-9ca621e75824/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ad1795113e302772c08f24c6c1947da43b2b9c82c77c9c906ec616fb39214f8b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/83c41347-f25e-420d-9645-70e63d0132e5
Result
Threat name:
n/a
Detection:
suspicious
Classification:
troj
Score:
36 / 100
Link:
https://www.joesandbox.com/analysis/1377081
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377081 Sample: AD1795113E302772C08F24C6C19... Startdate: 18/01/2024 Architecture: WINDOWS Score: 36 36 antsmemory.xyz 2->36 38 restfork.website 2->38 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Machine Learning detection for sample 2->56 9 AD1795113E302772C08F24C6C1947DA43B2B9C82C77C9.exe 2 2->9         started        signatures3 58 Performs DNS queries to domains with low reputation 36->58 process4 file5 22 AD1795113E302772C0...A43B2B9C82C77C9.tmp, PE32 9->22 dropped 12 AD1795113E302772C08F24C6C1947DA43B2B9C82C77C9.tmp 26 30 9->12         started        process6 dnsIp7 46 restfork.website 104.21.61.51, 49729, 80 CLOUDFLARENETUS United States 12->46 48 antsmemory.xyz 172.67.210.35, 49730, 80 CLOUDFLARENETUS United States 12->48 24 C:\Windows\unins000.exe (copy), PE32 12->24 dropped 26 C:\Windows\is-C3FP0.tmp, PE32 12->26 dropped 28 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->28 dropped 16 chrome.exe 1 12->16         started        file8 process9 dnsIp10 30 192.168.2.4, 138, 443, 49303 unknown unknown 16->30 32 192.168.2.5 unknown unknown 16->32 34 239.255.255.250 unknown Reserved 16->34 19 chrome.exe 16->19         started        process11 dnsIp12 40 www.google.com 142.250.217.100, 443, 49748, 49754 GOOGLEUS United States 19->40 42 clients.l.google.com 142.251.215.238, 443, 49734, 49755 GOOGLEUS United States 19->42 44 6 other IPs or domains 19->44
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ad1795113e302772c08f24c6c1947da43b2b9c82c77c9c906ec616fb39214f8b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad1795113e302772c08f24c6c1947da43b2b9c82c77c9c906ec616fb39214f8b/
Threat name:
Win32.Trojan.OffLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-16 00:43:00 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vulzkej6gatxfqepetdmdfd5uq5sxhecy56jzedoyylpwojbj6fq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240118-1tbwbshhhr/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
6158145460959c5bbd215c15230046c5f7a0ac10250bb7efb1538c4aba335dc2
MD5 hash:
9f2b0a7592a5085bbc343863e47966c8
SHA1 hash:
a2344b1f925221c1e1861b1a29d149c0cf2b0e4d
Link:
https://www.unpac.me/results/772ba76b-61b1-4d2c-9669-9ae59f5e7f61/
SH256 hash:
ad1795113e302772c08f24c6c1947da43b2b9c82c77c9c906ec616fb39214f8b
MD5 hash:
c656855186dedce4c57f1eedb3bdf242
SHA1 hash:
0663f5d6cdee325bc0be279f7e81f150921c6a96
Link:
https://www.unpac.me/results/772ba76b-61b1-4d2c-9669-9ae59f5e7f61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad1795113e302772c08f24c6c1947da43b2b9c82c77c9c906ec616fb39214f8b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/471578/

Comments