MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 9



SHA256 hash: b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4
SHA3-384 hash: aa7efbb05e5e152b9f33648539208bbad1f471ad767b90ec155709e4fb492d030a577b24ce0264a2725b167001354200
SHA1 hash: 7f8a235a80c0d79e2a4ac83495b7aeb9883e3795
MD5 hash: 824e45ea6e411da4b9049f035dd1ee10
humanhash: paris-saturn-princess-twenty
File name: 824e45ea6e411da4b9049f035dd1ee10.dll
Signature: RecordBreaker
File size: 1'673'880 bytes
First seen: 2023-02-07 07:50:36 UTC
Last seen: 2023-02-07 09:37:03 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: a2833106949ae6e20c40ed0128f9df4b (5 x RecordBreaker, 4 x SystemBC, 3 x RedLineStealer)
ssdeep: 49152:k9RU6ElBFXa8cQAdWduTjcFlvbJDrHQmuB2:k9C6A/XSQA48/KlvbVwmuB2
Threatray: 113 similar samples on MalwareBazaar
TLSH: T1A775CF0089C6C071F47DF83C29AF9D18B8E0755C5710732BA9E36F273E53A4E6D16AA9
TrID:
  30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 71f8dce8eec4e071 (1 x RaccoonStealer, 1 x RecordBreaker)
Reporter: abuse_ch
Tags: dll recordbreaker signed

Code Signing Certificate

Organisation: www.drainage.com
Issuer: www.drainage.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-02-06T20:45:34Z
Valid to: 2024-02-06T21:05:34Z
Serial number: 65c748c4c53a29bb43d576ccd9e936bc
Thumbprint algorithm: SHA256
Thumbprint: c7d8db6be51ffac1257592f7180145db842c303c0a9ae808c2867ec62343fe1d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
RecordBreaker C2:
http://167.235.233.181/

Intelligence


File Origin
# of uploads: 2
# of downloads: 190
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Amadey, Raccoon Stealer v2, RedLine, Sec
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 800191, Sample: twaFb066dM.dll, Startdate: 07/02/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-02-07 05:25:00 UTC
File type: PE (Dll)
Extracted files: 5
AV detection: 18 of 26 (69.23%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4
MD5 hash: 824e45ea6e411da4b9049f035dd1ee10
SHA1 hash: 7f8a235a80c0d79e2a4ac83495b7aeb9883e3795
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
RecordBreaker | DLL dll | b06c5fb7651b8a6c683b62babcabd18da4d992f7d1e0f963c530832b18feacf4 (this sample)
Delivery method: Distributed via web download

Comments