MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cba2a99e147d807ab2d61744de51dbc8b8205d09f1ca9b2dd472d1953b274c11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 8

SHA256 hash: cba2a99e147d807ab2d61744de51dbc8b8205d09f1ca9b2dd472d1953b274c11
SHA3-384 hash: d0df4f5d9d90091da8eb44d5c5501a226cfdd2440c91b96e031de21265c089ec4cc2f6661aac2912f8f7e2549ac81009
SHA1 hash: 3f9d68666e83e4ac614ef5377c2bf9ac25d3c1da
MD5 hash: 2522d780342912e8445b24a2591ecc8f
humanhash: sodium-papa-failed-oklahoma
File name: Installer.exe
Signature: RecordBreaker
File size: 10'032'128 bytes
First seen: 2023-01-04 15:45:25 UTC
Last seen: 2023-01-04 17:31:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 11ea24073ee65343ee563e3160c77fde (11 x RecordBreaker, 3 x RaccoonStealer, 1 x Zyklon)
ssdeep: 196608:5t6xPEBsK84B5YUOlQ2XxWi4AVKHHGpPF9MWLud6kJwvSf3A4eCbzB91D:5twyeUODxWin9/ud6kJ53AnS7
Threatray: 170 similar samples on MalwareBazaar
TLSH: T1D5A6023153D946F0D3F9AD744B67F9D174A0983CE082ED30638E2C963E299EC297D4A6
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: e0dcccc4f4d4d4d4 (1 x RecordBreaker)
Reporter: abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://109.107.173.210/

Intelligence

File Origin
# of uploads: 2
# of downloads: 227
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Installer.exe
Verdict: No threats detected
Analysis date: 2023-01-04 15:47:10 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Sending a custom TCP request
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Result
Threat name: Raccoon Stealer v2
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Behaviour
Behavior Graph: rendered graph not reproduced (Behavior Graph ID: 777905, Sample: Installer.exe, Startdate: 04/01/2023, Architecture: WINDOWS, Score: 100). Information recoverable from the graph nodes: processes observed were Installer.exe, powershell.exe, NtjHIfvQ.exe, OBH7JYJN.exe, 1u8JL0XE.exe, MfU3390p.exe, cmd.exe, conhost.exe, dllhost.exe, schtasks.exe, GoogleUpdate.exe, netsh.exe and powercfg.exe; network contacts were 109.107.173.210 port 80 (TELEPORT-TV-AS, Russian Federation), idpminic.org / www.idpminic.org at 66.235.200.147 port 80 (CLOUDFLARENET, United States), 51.195.77.248 (OVH, France) and api.peer2profit.com at 172.66.40.196 (CLOUDFLARENET, United States); files dropped included sqlite3.dll, softokn3.dll and nss3.dll (PE32) under C:\Users\user\AppData\LocalLow and 7321.tmp (PE32+) under C:\Users\user\AppData\Local\Temp.
Threat name: Win32.Trojan.Lazy
Status: Malicious
First seen: 2022-12-18 03:57:24 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: cba2a99e147d807ab2d61744de51dbc8b8205d09f1ca9b2dd472d1953b274c11
MD5 hash: 2522d780342912e8445b24a2591ecc8f
SHA1 hash: 3f9d68666e83e4ac614ef5377c2bf9ac25d3c1da
Malware family: RecordBreaker
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments