MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
SHA3-384 hash: 950327dc73e97c36e01f8cf32f346f1ce9a36be9f2b0bc8accacec0fe8255773ef0c2316fb4e2011eb7adc94489eb20a
SHA1 hash: dce8526b014dd03bbae2e5667d0425d62708cfc2
MD5 hash: ea6c0dc55a85f91dccc18042f563a33d
humanhash: ten-robert-equal-oven
File name:CFCAB36F73560B2D15B6C266FEAAF0195A6E0D18C22AA.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:4'396'083 bytes
First seen:2022-07-31 21:50:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:J/324ECY6bKb7t7kgRM0iQwR/p0P6HJBSab2MDYR+jzHzI:J+4E16bKbZ4p3EP6rS4w+jfI
TLSH T16B16339436568B7FC937B33300E92342BB6FF61650EAAB4389B1396ACB771135C05276
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
185.198.57.19:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.198.57.19:80 https://threatfox.abuse.ch/ioc/840684/
194.113.106.21:41676 https://threatfox.abuse.ch/ioc/840685/

Intelligence

File Origin
# of uploads :
1
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295427/
Detection(s):
Win.Dropper.Pswtool-9857487-0
Create hunting rule

Win.Malware.Barys-9859499-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Dropper.Generickdz-9890303-0
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Win.Malware.Socelars-9901388-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Sending a custom TCP request
Running batch commands
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27938/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
overlay packed shell32.dll wacatac
Link:
https://www.filescan.io/uploads/62e6f94a5c07b66577e2cf49/reports/d5d795ef-fe10-4ac0-a9a8-469c7ed685e9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8853586b-3233-48d3-acff-1025ddae56d3
Result
Threat name:
Nymaim, RedLine, Socelars, Vidar, onlyLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043874
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 676368 Sample: CFCAB36F73560B2D15B6C266FEA... Startdate: 31/07/2022 Architecture: WINDOWS Score: 100 103 niemannbest.me 2->103 133 Snort IDS alert for network traffic 2->133 135 Multi AV Scanner detection for domain / URL 2->135 137 Malicious sample detected (through community Yara rule) 2->137 139 21 other signatures 2->139 14 CFCAB36F73560B2D15B6C266FEAAF0195A6E0D18C22AA.exe 10 2->14         started        17 WmiPrvSE.exe 2->17         started        signatures3 process4 file5 99 C:\Users\user\AppData\...\setup_installer.exe, PE32 14->99 dropped 19 setup_installer.exe 19 14->19         started        process6 file7 79 C:\Users\user\AppData\...\setup_install.exe, PE32 19->79 dropped 81 C:\Users\user\AppData\...\Fri23f0a537e68.exe, PE32 19->81 dropped 83 C:\Users\user\...\Fri23d875716180b.exe, PE32 19->83 dropped 85 14 other files (9 malicious) 19->85 dropped 22 setup_install.exe 1 19->22         started        process8 dnsIp9 119 hsiens.xyz 22->119 121 127.0.0.1 unknown unknown 22->121 165 Performs DNS queries to domains with low reputation 22->165 167 Adds a directory exclusion to Windows Defender 22->167 26 cmd.exe 1 22->26         started        28 cmd.exe 22->28         started        30 cmd.exe 22->30         started        32 11 other processes 22->32 signatures10 process11 dnsIp12 36 Fri2343494710c5f4d.exe 4 56 26->36         started        41 Fri23d875716180b.exe 28->41         started        43 Fri234c153c4eb.exe 30->43         started        101 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->101 125 Adds a directory exclusion to Windows Defender 32->125 45 Fri2384a5c492c0c2a.exe 32->45         started        47 Fri2332594ef5e0db66.exe 32->47         started        49 Fri23f0a537e68.exe 32->49         started        51 6 other processes 32->51 signatures13 process14 dnsIp15 105 212.193.30.115 SPD-NETTR Russian Federation 36->105 109 14 other IPs or domains 36->109 89 C:\Users\user\AppData\...\setup331[1].exe, PE32 36->89 dropped 91 C:\Users\user\AppData\Local\...\a02[1].exe, PE32 36->91 dropped 93 C:\Users\user\AppData\...\TrdngAnr6339[1].exe, PE32 36->93 dropped 97 22 other files (5 malicious) 36->97 dropped 141 Antivirus detection for dropped file 36->141 143 Disable Windows Defender real time protection (registry) 36->143 53 rundll32.exe 36->53         started        145 Machine Learning detection for dropped file 41->145 147 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->147 149 Maps a DLL or memory area into another process 41->149 151 Checks if the current machine is a virtual machine (disk enumeration) 41->151 55 explorer.exe 41->55 injected 111 4 other IPs or domains 43->111 153 May check the online IP address of the machine 43->153 57 WerFault.exe 43->57         started        113 3 other IPs or domains 45->113 155 Tries to harvest and steal browser information (history, passwords, etc) 45->155 107 niemannbest.me 172.67.221.103, 443, 49764, 49768 CLOUDFLARENETUS United States 47->107 115 3 other IPs or domains 47->115 157 Injects a PE file into a foreign processes 49->157 60 Fri23f0a537e68.exe 49->60         started        117 5 other IPs or domains 51->117 95 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 51->95 dropped 159 Creates processes via WMI 51->159 161 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 51->161 62 mshta.exe 51->62         started        file16 signatures17 process18 dnsIp19 64 rundll32.exe 53->64         started        123 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 57->123 67 cmd.exe 62->67         started        process20 file21 127 Writes to foreign memory regions 64->127 129 Allocates memory in foreign processes 64->129 131 Creates a thread in another existing process (thread injection) 64->131 87 C:\Users\user\AppData\Local\Temp\09xU.exE, PE32 67->87 dropped 70 09xU.exE 67->70         started        73 conhost.exe 67->73         started        75 taskkill.exe 67->75         started        signatures22 process23 signatures24 163 Antivirus detection for dropped file 70->163 77 mshta.exe 70->77         started        process25
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-07-29 23:11:00 UTC
File Type:
PE (Exe)
Extracted files:
122
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7flg33tkyfs2fnwyjtp5kxqdfng4diyyivkek3hfz7lf6lzsi7a._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:vidar botnet:916 botnet:media8 aspackv2 backdoor discovery evasion infostealer loader main spyware stealer trojan upx
Link:
https://tria.ge/reports/220731-1qgbmshgf2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
OnlyLogger payload
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
91.121.67.60:2151
https://mas.to/@serg4325
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
Unpacked files
SH256 hash:
b3ebe2d73a6d2b289eb9076a94e1080d095cd3dfa0eb28d000ff9ea495ec286d
MD5 hash:
0bf74c3c12256fbe7ddc9ef82550c5ec
SHA1 hash:
9125023250645cbe4aaa5237b2ee2690bdb6167d
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
b0907562ec1ac4ff1abc08598c77804ea6a4434b6955ef1d8ea7cfa99a6cb849
MD5 hash:
2aa74bffcea929cdd73b163a1dfabbcf
SHA1 hash:
74a2007532e312d234fbadcc0fb7d081a1932bc0
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
Parent samples :
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
SH256 hash:
8e39804f909ddfb3acb1f5765256ff6c7f73506eec614201aaaabffa823ef555
MD5 hash:
7c38cf2a3df9af2267e4d3dee4ab9fb6
SHA1 hash:
ec80c30832a550b59aa86a77e64c3fd852dab288
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
b1792b96ee1599053169c723ef3847f150fb3a6cbd7f6e49f0c7980e56f17ec0
MD5 hash:
782464a630ee6593821219958720db3e
SHA1 hash:
c46ee1af2bd512533f1cd26337e73e0ccb18f57f
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
e156bb6b1cbbe7d0d04b1a5980746f7470b9bfc20030340ed636961ca40c8fea
MD5 hash:
109c8838fcf370d39ce6bd631a3aca06
SHA1 hash:
a0d409a04855bf788213dd4acda4d2a3d7e222f6
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
277a19c1bc713365eb03794411cd58bd67f11ff4f2724dc198a2a7e577c613ac
MD5 hash:
f8c8ec24c352771f393ced172d9b7b0d
SHA1 hash:
9cbfc7537ef3334a55ada0ac7453392f6a0f7e63
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
6bab7cf6991c38fc9fcc7f85825edce20b0ff8fe8e1cd6090647ccc04e325d60
MD5 hash:
c37c2573360d8ab618f16dd8899fe097
SHA1 hash:
7641393edb6b08517aa9b04d95ccf14fadb97351
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
2119865699ab1134a1a16074693ac1612ed55d6260a7652e138877fe5de97d4b
MD5 hash:
3e08f8532371007229e2ad22829bf279
SHA1 hash:
745ea1deba85e3c55489ac7c52e70ec674512a3b
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
Parent samples :
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
4635d8f33dcb647bf974081a8e0e5aa81a61f2f8d58286c0fb37077935650049
MD5 hash:
c64974ae3a19bce10704bc4748fd9063
SHA1 hash:
dadcfe79b0e79c41278549a71aa3a19abbc883cf
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
f8964a2d496ac76b273a6aef735abe4b393a706ba6cda481c7d33e65239a7edf
MD5 hash:
b847ba1afcd7933f10fb600f19c10b68
SHA1 hash:
2b92edda25182639996b3c9376c91e1141d6d0fb
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
45ea9e5d3e65d06b75a836f464f09d11420133cc036652d9ba2bb9ac03aadb37
MD5 hash:
083fbc6899fdef5466d206f285a36d04
SHA1 hash:
491da5dc6293af5fbeab4a90b3cfbcf2b4e8a5cf
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
9639e3eca7672878a55cbb9e11c9228b17e7ad6fbf0968214b1fe21bbc21c8a5
MD5 hash:
0d6fd0bc737df7bbf1ce5e04f077ee95
SHA1 hash:
59e850eda59db413a74421c09c8be160b21f9ead
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
SH256 hash:
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
MD5 hash:
ea6c0dc55a85f91dccc18042f563a33d
SHA1 hash:
dce8526b014dd03bbae2e5667d0425d62708cfc2
Link:
https://www.unpac.me/results/443bea01-4203-47d1-9c0d-d41b9212f135/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfcab36f7356/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/295427/

Comments