MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7ade306aef9c2756f3c15c7220b7eb7c89606cf6b413b7218d1350f36c2f795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 18

Intelligence 18 IOCs YARA File information Comments

SHA256 hash:	e7ade306aef9c2756f3c15c7220b7eb7c89606cf6b413b7218d1350f36c2f795
SHA3-384 hash:	f922a18352dd4c3f5fed8cfbf1c7f9fbfc6bc60049faedb12b279b58e8396b7f4e4b7f93328b07f6f4b3a89bfe4ab95b
SHA1 hash:	927abade9be3fbb96addc310ac27403c59d54692
MD5 hash:	03003f5ad43e4bfdf530a943fd27faf6
humanhash:	freddie-idaho-white-ink
File name:	03003f5ad43e4bfdf530a943fd27faf6.exe
Download:	download sample
Signature	RecordBreaker Create hunting rule
File size:	1'629'184 bytes
First seen:	2023-10-26 17:25:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	24576:YyBCcqNrUSIyxljq0nVc4XTgJG+sVv78RkYBDUui00xcM7sUt/qi7n:fAjNrPvxlj3V/TgJKVvqrDU1cS75
TLSH	T118752312AAE98837DA322B7135F353D35B7ABC942CB4936F4244699D0CB2740D83B767
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	exe recordbreaker

abuse_ch

RecordBreaker C2:
http://31.192.237.75/

Intelligence

File Origin

# of uploads :

# of downloads :

363

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

bus50.bin.zip

Verdict:

Malicious activity

Analysis date:

2023-10-26 23:31:57 UTC

Tags:

stealc stealer sinkhole redline trojan amadey botnet

Link:

https://app.any.run/tasks/f2629853-cba2-4331-a4c8-6865e71778b3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/456586/

Detection(s):

Sanesecurity.Malware.28840.BadO.UNOFFICIAL

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Launching a service

Сreating synchronization primitives

Creating a file

Creating a window

Launching cmd.exe command interpreter

Searching for synchronization primitives

Running batch commands

Adding an access-denied ACE

Forced system process termination

Forced shutdown of a system process

Blocking the Windows Defender launch

Disabling the operating system update service

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Gathering data

Verdict:

Malicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32

Link:

https://www.filescan.io/uploads/653aa12d798f2840e4d247a8/reports/d5af989a-bfd1-4db3-8b9a-0c84779ca238/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/e7ade306aef9c2756f3c15c7220b7eb7c89606cf6b413b7218d1350f36c2f795

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Amadey

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/406fe240-c726-4c24-b9cd-485fbcc47a94

Result

Threat name:

Amadey, Babadeda, Mystic Stealer, RedLin

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1332856

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies windows update settings

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Amadey bot

Yara detected Amadeys Clipper DLL

Yara detected Amadeys stealer DLL

Yara detected Babadeda

Yara detected Mystic Stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e7ade306aef9c2756f3c15c7220b7eb7c89606cf6b413b7218d1350f36c2f795

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/e7ade306aef9c2756f3c15c7220b7eb7c89606cf6b413b7218d1350f36c2f795/

Threat name:

Win32.Trojan.Stealerc

Status:

Malicious

First seen:

2023-10-26 17:26:06 UTC

File Type:

PE (Exe)

Extracted files:

227

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=46w6gbvo7hbhk3z4cxdsec36w7ejmbwpnnatw4qy2e2q6nwc66kq._file

Verdict:

malicious

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:amadey family:dcrat family:glupteba family:raccoon family:redline family:smokeloader family:zgrat botnet:6a6a005b9aa778f606280c5fa24ae595 botnet:@ytlogsbot botnet:grome botnet:kinza botnet:up3 backdoor brand:microsoft discovery dropper evasion infostealer loader persistence phishing rat stealer trojan upx

Link:

https://tria.ge/reports/231026-vzt17sfa79/

Behaviour

Checks SCSI registry key(s)

Creates scheduled task(s)

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Program crash

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Detected potential entity reuse from brand microsoft.

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Modifies Windows Firewall

Stops running service(s)

Amadey

DcRat

Detect ZGRat V1

Glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Raccoon

Raccoon Stealer payload

RedLine

RedLine payload

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Malware Config

C2 Extraction:

http://77.91.68.29/fks/
77.91.124.86:19084
http://77.91.124.1/theme/index.php
http://host-file-host6.com/
http://host-host-file8.com/
http://195.123.218.98:80
http://31.192.23
194.169.175.235:42691