MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker

Vendor detections: 17

SHA256 hash: ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a
SHA3-384 hash: 49533f729ff284059510c9366ea57ec4f007b5c76c4c03ce3c0639630462d69ae446a809837331e87ebab5014af58b20
SHA1 hash: 056713d15dfa8032597aac2e3f61e6a5794a53e8
MD5 hash: 14c45fa75b1f8644c5fe37ca234a456b
humanhash: mango-fanta-nevada-berlin
File name: 14c45fa75b1f8644c5fe37ca234a456b.exe
Signature: RecordBreaker
File size: 253,952 bytes
First seen: 2023-11-04 05:30:28 UTC
Last seen: 2023-11-04 07:14:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a4ae589821c5dc6d5b727f8ebbd62dc2 (1 x RecordBreaker)
ssdeep: 3072:A9orP+stnvfG4+zxvGz/QUVcRe/1nkJuTby/cT2cARxVC09++zu:SoCshG4qx1UVco/1aYySAR+
Threatray: 242 similar samples on MalwareBazaar
TLSH: T1EA445C5362A07C60F5239BB28EEEC6E4E61EF9914F153B9E13546E2F09B11F1C272742
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 0001111101011101 (1 x RecordBreaker)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://176.113.115.213/

Intelligence


File Origin
# of uploads:
2
# of downloads:
382
Origin country:
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
14c45fa75b1f8644c5fe37ca234a456b.exe
Verdict:
Malicious activity
Analysis date:
2023-11-04 05:49:03 UTC
Tags:
loader smoke stealer raccoon recordbreaker

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
No Threat
Threat level:
10/10
Confidence:
100%
Tags:
control greyware lolbin packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot, SmokeLoader
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DanaBot stealer dll
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Behavior Graph ID: 1337054
Sample: PHQoJ3QygH.exe
Start date: 04/11/2023
Architecture: WINDOWS
Score: 100

Root (sample level):
  Domain: dpav.cc
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
  Started: PHQoJ3QygH.exe; dgrwtrf

PHQoJ3QygH.exe (submitted sample):
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
  Injected into: explorer.exe

dgrwtrf (dropped file, started separately):
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

explorer.exe (injected by PHQoJ3QygH.exe):
  Network: 189.245.85.187 (ports 49921, 49939, 49955; UninetSAdeCVMX, Mexico); dpav.cc = 186.147.159.149 (ports 49735, 49736, 49737; TelmexColombiaSACO, Colombia); 45.120.177.165 (ports 49753, 80; CTCXChubuTelecommunicationsCompanyIncJP, Japan)
  Dropped: C:\Users\user\AppData\Roaming\dgrwtrf (PE32); C:\Users\user\AppData\Local\Temp\7AB2.exe (PE32); C:\Users\user\...\dgrwtrf:Zone.Identifier (ASCII)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: 7AB2.exe

7AB2.exe (started by explorer.exe):
  Dropped: C:\ProgramData\Iuweawuawwd.tmp (DOS)
  Signatures: Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; May use the Tor software to hide its network traffic
  Started: rundll32.exe

rundll32.exe (started by 7AB2.exe):
  Network: 95.164.68.9 (ports 443, 49760, 49765; NASSIST-ASGI, Gibraltar); 95.164.69.29 (ports 443, 49759, 49762; NASSIST-ASGI, Gibraltar); 45.144.28.125 (ports 443, 49761, 49766; HQservCommunicationSolutionsIL, United Kingdom)
  Signatures: System process connects to network (likely due to code injection or exploit)
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-11-04 05:31:05 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
15 of 24 (62.50%)
Threat level:
2/5
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:danabot family:smokeloader botnet:pub4 backdoor banker trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Danabot
SmokeLoader
Malware Config
C2 Extraction:
http://dpav.cc/tmp/
http://lrproduct.ru/tmp/
http://kggcp.com/tmp/
http://talesofpirates.net/tmp/
http://pirateking.online/tmp/
http://piratia.pw/tmp/
http://go-piratia.ru/tmp/
Unpacked files
SHA256 hash:
9b9d5cf0cbdcbf67a3d1f42509985228a4a62cacfd79ee095beb512c75ae4998
MD5 hash:
c6ba5e70e5a630f884f3c7cec5746363
SHA1 hash:
6b457f6f2abb8e4e1e3f49385ac8588acd2c7f29
Detections:
SmokeLoaderStage2 win_smokeloader_a2
Parent samples:
SHA256 hash:
ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a
MD5 hash:
14c45fa75b1f8644c5fe37ca234a456b
SHA1 hash:
056713d15dfa8032597aac2e3f61e6a5794a53e8
Malware family:
SmokeLoader
Verdict:
Malicious
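The indicators scattered across this entry (the file digests at the top and under "Unpacked files", the SmokeLoader C2 URLs under "C2 Extraction", the RecordBreaker C2 from the abuse_ch comment, and the addresses contacted by the injected explorer.exe and rundll32.exe in the behavior graph) are only useful once they are matched against something. The script below is an added example, not MalwareBazaar's or any vendor's tooling: it collects those indicators, identifies and looks up a digest by its length, hashes a blob with every algorithm the entry lists, and sweeps free-form log lines for the C2 domains (including subdomains) and IPs. The log lines and the file bytes are constructed here so it runs offline.

```python
"""IOC sweep built from the indicators on this MalwareBazaar entry.

Added example, not part of MalwareBazaar or any vendor's tooling. The hashes,
domains and IPs are copied from the entry; the log lines and file bytes are
constructed so the script runs offline.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Digests listed on the entry: the submitted file and its unpacked SmokeLoader stage.
KNOWN_HASHES = {
    "md5": {"14c45fa75b1f8644c5fe37ca234a456b", "c6ba5e70e5a630f884f3c7cec5746363"},
    "sha1": {"056713d15dfa8032597aac2e3f61e6a5794a53e8", "6b457f6f2abb8e4e1e3f49385ac8588acd2c7f29"},
    "sha256": {
        "ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a",
        "9b9d5cf0cbdcbf67a3d1f42509985228a4a62cacfd79ee095beb512c75ae4998",
    },
    "sha3_384": {"49533f729ff284059510c9366ea57ec4f007b5c76c4c03ce3c0639630462d69ae446a809837331e87ebab5014af58b20"},
}
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384"}

# SmokeLoader C2 URLs from "C2 Extraction" plus the RecordBreaker C2 reported by abuse_ch.
C2_URLS = [
    "http://dpav.cc/tmp/", "http://lrproduct.ru/tmp/", "http://kggcp.com/tmp/",
    "http://talesofpirates.net/tmp/", "http://pirateking.online/tmp/",
    "http://piratia.pw/tmp/", "http://go-piratia.ru/tmp/",
    "http://176.113.115.213/",
]
# Addresses contacted by the injected explorer.exe and by rundll32.exe in the sandbox graph.
GRAPH_IPS = {
    "189.245.85.187", "186.147.159.149", "45.120.177.165",
    "95.164.68.9", "95.164.69.29", "45.144.28.125",
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def split_hosts(urls):
    """Separate URL hosts into domain names and literal IPs."""
    domains, ips = set(), set()
    for url in urls:
        host = urlsplit(url).hostname.lower()
        (ips if IP_RE.fullmatch(host) else domains).add(host)
    return domains, ips


C2_DOMAINS, _url_ips = split_hosts(C2_URLS)
ALL_C2_IPS = GRAPH_IPS | _url_ips


def domain_hit(name):
    """Return the C2 domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for dom in C2_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def sweep_logs(lines):
    """Scan free-form log lines; return (line_no, kind, indicator) for every hit."""
    hits = []
    for num, line in enumerate(lines, 1):
        hits += [(num, "ip", ip) for ip in IP_RE.findall(line) if ip in ALL_C2_IPS]
        for host in HOST_RE.findall(line):
            dom = domain_hit(host)
            if dom:
                hits.append((num, "domain", dom))
    return hits


def lookup_hash(digest):
    """Identify a hex digest by its length and say whether it is on the entry."""
    digest = digest.strip().lower()
    alg = HASH_BY_LENGTH.get(len(digest))
    if alg is None or not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("not a hex digest of a supported length")
    return alg, digest in KNOWN_HASHES[alg]


def hash_bytes(data):
    """Digest `data` with every algorithm the entry lists."""
    return {alg: getattr(hashlib, alg)(data).hexdigest() for alg in KNOWN_HASHES}


def match_file(data):
    """Algorithms under which the digest of `data` appears on the entry."""
    return {alg for alg, hx in hash_bytes(data).items() if hx in KNOWN_HASHES[alg]}


# Constructed DNS/proxy/connection log lines (not real telemetry).
SAMPLE_LOGS = [
    "2023-11-04T05:49:10Z dns  10.0.0.5 query dpav.cc A",
    "2023-11-04T05:49:11Z http 10.0.0.5 GET http://dpav.cc/tmp/ 200",
    "2023-11-04T05:49:12Z conn 10.0.0.5 -> 186.147.159.149:80 tcp",
    "2023-11-04T05:49:13Z dns  10.0.0.7 query www.example.com A",
    "2023-11-04T05:49:14Z conn 10.0.0.7 -> 95.164.68.9:443 tcp",
    "2023-11-04T05:49:15Z http 10.0.0.9 GET http://cdn.piratia.pw/tmp/ 200",
]

if __name__ == "__main__":
    for num, kind, ioc in sweep_logs(SAMPLE_LOGS):
        print(f"line {num}: {kind} {ioc}")
    print(lookup_hash("14C45FA75B1F8644C5FE37CA234A456B"))
    print(match_file(b"constructed bytes, not the sample"))
```

The domain match is deliberately suffix-based, so a lookup for a host under one of the C2 domains still fires; the IP match is exact. The sandbox IPs are weaker indicators than the extracted config (they are what one run resolved to on one day), so treat hits on them as leads to pivot on rather than verdicts.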

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: pe_no_import_table
Description: Detect PE file that has no import table
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
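One of the matched rules, pe_no_import_table, flags a PE without an import table, which is a common packing tell: the packer resolves APIs itself and leaves the import directory empty or truncated. The code below is an added example, not that rule's own logic: it walks the PE headers by hand to the import entry of the data directory and reports whether one is present, handling both PE32 and PE32+ and the case where the directory array is too short to hold an import slot. The two images it checks are constructed in memory, so it runs without any real sample.

```python
"""Does a PE carry an import directory? Roughly the property the
pe_no_import_table rule tests. Added example, not that rule's own logic;
the images it checks are constructed in memory."""
import struct

PE_SIGNATURE = b"PE\0\0"
IMAGE_DIRECTORY_ENTRY_IMPORT = 1        # slot of the import directory
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def import_directory(data):
    """Return (rva, size) of the import directory, or None when the image has none.

    Raises ValueError for data that is not a (complete enough) PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        raise ValueError("truncated headers")
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96      # PE32 layout
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112    # PE32+ layout
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if len(data) < count_off + 4:
        raise ValueError("truncated headers")
    number_of_rva = struct.unpack_from("<I", data, count_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    # A packer may legitimately shrink the directory array; a missing slot means no imports.
    if number_of_rva <= IMAGE_DIRECTORY_ENTRY_IMPORT or entry + 8 > opt + size_of_optional:
        return None
    if len(data) < entry + 8:
        raise ValueError("truncated headers")
    rva, size = struct.unpack_from("<II", data, entry)
    return None if rva == 0 or size == 0 else (rva, size)


def has_import_table(data):
    return import_directory(data) is not None


def build_pe32(import_rva=0, import_size=0, number_of_rva=16):
    """Construct a header-only PE32 image (no sections) to exercise the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + 8 * number_of_rva
    # Machine=i386, 0 sections, no symbols, SizeOfOptionalHeader, Characteristics=EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 92, number_of_rva)
    if number_of_rva > IMAGE_DIRECTORY_ENTRY_IMPORT:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    print(import_directory(build_pe32(0x2000, 0x28)))      # (8192, 40)
    print(import_directory(build_pe32()))                  # None: zeroed entry
    print(import_directory(build_pe32(number_of_rva=1)))   # None: directory array too short
```

Two caveats when reading a hit on this rule. First, many packers keep a minimal import table (a couple of kernel32 entries) and resolve everything else at run time, so an import table being present does not mean the file is unpacked; the "Detected unpacking (changes PE section rights)" signature above is the stronger signal. Second, this entry records an imphash for the submitted file, which can only be computed from an import table, and the note above says rules also run against process dumps, so the match need not be against the file on disk.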

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method:
Web download (distributed via web download)
Signature:
RecordBreaker
File:
Executable exe ca181f57edb3d99fbdfd1a512a783d266d479c2fd38ffea14742771df7ba2c1a (this sample)
