MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1e33311a3e42a9c958ced92087534253817c228a36a6b73e005842367d843de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1e33311a3e42a9c958ced92087534253817c228a36a6b73e005842367d843de
SHA3-384 hash: c3bf6e39ac75d7faac5fd1e4d284a656e6cbbf17252568ee661124ec47f55a6c537ef1397df4f3e6f1e47be92484fb7f
SHA1 hash: 8501c07971b400ae8492db73ef17ad77e004ed11
MD5 hash: 5378216c0f48ce38f40ba5b87e7eb70e
humanhash: triple-artist-berlin-hydrogen
File name:D1E33311A3E42A9C958CED92087534253817C228A36A6.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:1'672'227 bytes
First seen:2024-01-19 23:15:24 UTC
Last seen:2024-01-20 01:30:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/RRBKic6QL3E2vVsjECUAQT45deRV9Ro:sBuZrEUXBKIy029s4C1eH9O
TLSH T1C875BF3FF268A13EC56A1B3245B39310997BBA61B81A8C1E07FC344DCF765601E3B656
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://78.153.130.188/

Intelligence

File Origin
# of uploads :
2
# of downloads :
411
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471782/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.5852.16329.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/65ab02b3b998106083f96a59/reports/2ba6d47d-6df7-4da2-893e-4d7fb4470850/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d1e33311a3e42a9c958ced92087534253817c228a36a6b73e005842367d843de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d7ec12c1-7a13-47ab-9c6f-04a1eda9210c
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw
Score:
42 / 100
Link:
https://www.joesandbox.com/analysis/1377816
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Installs a global event hook (focus changed)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1377816 Sample: D1E33311A3E42A9C958CED92087... Startdate: 20/01/2024 Architecture: WINDOWS Score: 42 132 Antivirus detection for URL or domain 2->132 134 Antivirus detection for dropped file 2->134 136 Multi AV Scanner detection for dropped file 2->136 138 3 other signatures 2->138 11 D1E33311A3E42A9C958CED92087534253817C228A36A6.exe 2 2->11         started        14 launcher.exe 2->14         started        process3 file4 84 D1E33311A3E42A9C95...253817C228A36A6.tmp, PE32 11->84 dropped 16 D1E33311A3E42A9C958CED92087534253817C228A36A6.tmp 26 18 11->16         started        86 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 14->86 dropped 20 installer.exe 14->20         started        process5 dnsIp6 116 104.21.61.51 CLOUDFLARENETUS United States 16->116 118 172.67.210.35 CLOUDFLARENETUS United States 16->118 56 C:\Windows\unins000.exe (copy), PE32 16->56 dropped 58 C:\Windows\is-V0JPE.tmp, PE32 16->58 dropped 60 C:\Users\user\AppData\...\setup.exe (copy), PE32 16->60 dropped 64 3 other files (2 malicious) 16->64 dropped 22 setup.exe 39 16->22         started        62 Opera_installer_2401192318173733576.dll, PE32+ 20->62 dropped file7 process8 dnsIp9 120 107.167.110.211 OPERASOFTWAREUS United States 22->120 122 172.67.152.108 CLOUDFLARENETUS United States 22->122 124 3 other IPs or domains 22->124 66 C:\winrar-x64-623.exe, PE32+ 22->66 dropped 68 C:\Users\user\AppData\Local\...\setup_3.exe, PE32 22->68 dropped 70 C:\Users\user\AppData\Local\...\setup_2.exe, PE32 22->70 dropped 72 5 other malicious files 22->72 dropped 26 setup_0.exe 46 22->26         started        file10 process11 dnsIp12 126 107.167.110.217 OPERASOFTWAREUS United States 26->126 128 107.167.125.189 OPERASOFTWAREUS United States 26->128 130 5 other IPs or domains 26->130 88 Opera_installer_2401192317094966348.dll, PE32 26->88 dropped 90 C:\Users\user\AppData\Local\...\setup_0.exe, PE32 26->90 dropped 92 C:\Users\user\AppData\Local\...\opera_package, PE32 26->92 dropped 94 4 other malicious files 26->94 dropped 30 setup_0.exe 1 162 26->30         started        33 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe 26->33         started        35 setup_0.exe 5 26->35         started        37 2 other processes 26->37 file13 process14 file15 96 Opera_installer_2401192317105742576.dll, PE32 30->96 dropped 98 C:\Users\user\AppData\...\win8_importing.dll, PE32+ 30->98 dropped 100 C:\Users\user\...\win10_share_handler.dll, PE32+ 30->100 dropped 112 20 other malicious files 30->112 dropped 39 installer.exe 30->39         started        43 setup_0.exe 4 30->43         started        102 C:\Users\user\AppData\Local\...\mojo_core.dll, PE32 33->102 dropped 104 C:\Users\user\...\browser_assistant.exe, PE32 33->104 dropped 106 C:\Users\user\...\assistant_installer.exe, PE32 33->106 dropped 108 Opera_installer_2401192317097644440.dll, PE32 35->108 dropped 110 Opera_installer_2401192317101725576.dll, PE32 37->110 dropped 45 assistant_installer.exe 37->45         started        process16 file17 74 C:\...\Opera_installer_240119231803974432.dll, PE32+ 39->74 dropped 76 C:\Users\user\AppData\Local\...\opera.exe, PE32+ 39->76 dropped 78 C:\Users\user\AppData\Local\...\launcher.exe, PE32+ 39->78 dropped 80 C:\...\launcher.exe.1705706284.old (copy), PE32+ 39->80 dropped 140 Installs a global event hook (focus changed) 39->140 47 installer.exe 39->47         started        50 explorer.exe 39->50 injected 52 UGRhpFBObIvmRVgLilR.exe 39->52 injected 54 18 other processes 39->54 82 Opera_installer_2401192317108782504.dll, PE32 43->82 dropped signatures18 process19 file20 114 Opera_installer_2401192318043106164.dll, PE32+ 47->114 dropped
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1e33311a3e42a9c958ced92087534253817c228a36a6b73e005842367d843de
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1e33311a3e42a9c958ced92087534253817c228a36a6b73e005842367d843de/
Threat name:
Win32.Trojan.OffLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-19 14:47:49 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hrtgend4qvjzfmm5wjaq5jueu4bpqriunvgw47aawccgz6yippa._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240119-284qbsfhb8/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
ca8444c05383c81948f9ccc2d36f6f7ca7a77f57e18b3515a25f79e773ccdccd
MD5 hash:
80a63172718383630c15f66440fb6479
SHA1 hash:
6ff1e6d4065bbe368b6b2148dfff6f6ca6ebba9d
Link:
https://www.unpac.me/results/ca7f8d4c-6add-4ca8-b108-771934b55e9f/
SH256 hash:
d1e33311a3e42a9c958ced92087534253817c228a36a6b73e005842367d843de
MD5 hash:
5378216c0f48ce38f40ba5b87e7eb70e
SHA1 hash:
8501c07971b400ae8492db73ef17ad77e004ed11
Link:
https://www.unpac.me/results/ca7f8d4c-6add-4ca8-b108-771934b55e9f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1e33311a3e42a9c958ced92087534253817c228a36a6b73e005842367d843de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/471782/

Comments