MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efc8050295c035540f9bc11f7b5c5c68acd3b105d1a4df3e1de5bb68cdacf121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 12


Intelligence 12 IOCs 2 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efc8050295c035540f9bc11f7b5c5c68acd3b105d1a4df3e1de5bb68cdacf121
SHA3-384 hash: b172f0055f5322cdf2a5e8dd8c047b2ce76658a54842dce568709f57f8569ef52b8631ec3e008d473bf8fa706d0bd40d
SHA1 hash: e29cd09aa81e6a6c247645fe511a405861e4715a
MD5 hash: 7308d8adf1dfaa81814c54e1a92a57cf
humanhash: berlin-happy-hotel-nevada
File name:7308d8adf1dfaa81814c54e1a92a57cf.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:973'312 bytes
First seen:2022-08-13 11:20:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 24576:7Q60HgRF8vdVwAA7fUkFDvbjl5Qf938bB6Jr9XwdJ:7Q6062d0sef3+MbB6x9XwdJ
TLSH T19E250192D6C7A513D9A3FAB434AED17316212D9F4B2086C633C4FC9BBCF66815874236
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0c4b28e8cb200c4 (1 x RecordBreaker)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://45.10.20.248/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.10.20.248/ https://threatfox.abuse.ch/ioc/842728/
178.32.215.163:17189 https://threatfox.abuse.ch/ioc/842892/

Intelligence

File Origin
# of uploads :
1
# of downloads :
538
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
g3rgg.exe
Verdict:
Malicious activity
Analysis date:
2022-08-13 01:45:25 UTC
Tags:
evasion trojan socelars stealer opendir loader raccoon recordbreaker rat redline arkei
Link:
https://app.any.run/tasks/fe033a32-f11f-481d-9192-5a3964a513aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298423/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.49311304.10055.13855.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28879/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll alien packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62f7895db9a899b949b80a74/reports/51444204-68f3-46ca-a40f-71eacc95bc6b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/051c77fa-f69c-4eb6-b3a4-580e366b77d4
Result
Threat name:
SmokeLoader, Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.evad.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050995
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected VMProtect packer
DLL reload attack detected
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 683505 Sample: LvhNxnkQ0K.exe Startdate: 13/08/2022 Architecture: WINDOWS Score: 100 146 Malicious sample detected (through community Yara rule) 2->146 148 Antivirus detection for URL or domain 2->148 150 Multi AV Scanner detection for dropped file 2->150 152 8 other signatures 2->152 14 LvhNxnkQ0K.exe 1 5 2->14         started        16 svchost.exe 2->16         started        18 rundll32.exe 2->18         started        20 2 other processes 2->20 process3 process4 22 cmd.exe 1 14->22         started        25 TapiUnattend.exe 14->25         started        27 WerFault.exe 16->27         started        signatures5 162 Obfuscated command line found 22->162 164 Uses ping.exe to sleep 22->164 166 Drops PE files with a suspicious file extension 22->166 168 Uses ping.exe to check the status of other devices and networks 22->168 29 cmd.exe 2 22->29         started        33 conhost.exe 22->33         started        35 PING.EXE 1 22->35         started        process6 file7 120 C:\Users\user\AppData\...\Plasmare.exe.pif, PE32 29->120 dropped 182 Obfuscated command line found 29->182 184 Uses ping.exe to sleep 29->184 37 Plasmare.exe.pif 1 29->37         started        41 tasklist.exe 1 29->41         started        43 findstr.exe 1 29->43         started        45 2 other processes 29->45 signatures8 process9 file10 110 C:\Users\user\AppData\...\SMojGwDfMqSym.dll, PE32 37->110 dropped 170 DLL reload attack detected 37->170 172 Found API chain indicative of debugger detection 37->172 174 Found API chain indicative of sandbox detection 37->174 176 2 other signatures 37->176 47 Plasmare.exe.pif 61 37->47         started        signatures11 process12 dnsIp13 140 192.254.186.18 UNIFIEDLAYER-AS-1US United States 47->140 142 144.126.142.236 LOYOLAUS United States 47->142 144 11 other IPs or domains 47->144 86 C:\Users\user\AppData\Local\Temp\...\rtiqIS, PE32 47->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\mBGYpL, PE32 47->88 dropped 90 C:\Users\user\AppData\Local\Temp\...\ydNnph, PE32 47->90 dropped 92 18 other files (8 malicious) 47->92 dropped 51 ydNnph 47->51         started        54 mBGYpL 2 47->54         started        57 rtiqIS 47->57         started        59 2 other processes 47->59 file14 process15 dnsIp16 154 Contains functionality to inject code into remote processes 51->154 156 Injects a PE file into a foreign processes 51->156 62 ydNnph 51->62         started        112 C:\Users\user\AppData\Local\...\mBGYpL.tmp, PE32 54->112 dropped 158 Obfuscated command line found 54->158 65 mBGYpL.tmp 26 41 54->65         started        69 rtiqIS 57->69         started        136 208.95.112.1 TUT-ASUS United States 59->136 138 172.67.188.70 CLOUDFLARENETUS United States 59->138 114 C:\Users\user\AppData\Local\Temp\db.dll, PE32 59->114 dropped 160 Creates processes via WMI 59->160 file17 signatures18 process19 dnsIp20 186 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 62->186 188 Maps a DLL or memory area into another process 62->188 190 Checks if the current machine is a virtual machine (disk enumeration) 62->190 192 Creates a thread in another existing process (thread injection) 62->192 71 explorer.exe 5 1 62->71 injected 122 68.232.34.200 EDGECASTUS United States 65->122 124 13.32.99.69 AMAZON-02US United States 65->124 132 2 other IPs or domains 65->132 98 C:\Users\user\...\xmrBridge.dll (copy), PE32+ 65->98 dropped 100 C:\Users\user\...\unins000.exe (copy), PE32 65->100 dropped 102 C:\Users\user\...\nvrtc64_100_0.dll (copy), PE32+ 65->102 dropped 106 31 other files (none is malicious) 65->106 dropped 76 vc_redist.x64.exe 65->76         started        126 94.26.226.51 PTC-YEMENNETYE Russian Federation 69->126 128 5.101.153.227 BEGET-ASRU Russian Federation 69->128 130 185.201.10.40 AS-HOSTINGERLT Germany 69->130 104 C:\Users\user\AppData\...\IHC0L70H9F29A8J.exe, PE32+ 69->104 dropped 78 conhost.exe 69->78         started        file21 signatures22 process23 dnsIp24 134 93.184.220.29 EDGECASTUS European Union 71->134 116 C:\Users\user\AppData\Roaming\erhjdgs, PE32 71->116 dropped 178 Benign windows process drops PE files 71->178 180 Hides that the sample has been downloaded from the Internet (zone.identifier) 71->180 118 C:\Windows\Temp\...\vc_redist.x64.exe, PE32 76->118 dropped 80 vc_redist.x64.exe 76->80         started        file25 signatures26 process27 file28 94 C:\Windows\Temp\...\VC_redist.x64.exe, PE32 80->94 dropped 96 C:\Windows\Temp\...\wixstdba.dll, PE32 80->96 dropped 83 VC_redist.x64.exe 80->83         started        process29 file30 108 C:\ProgramData\...\VC_redist.x64.exe, PE32 83->108 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efc8050295c035540f9bc11f7b5c5c68acd3b105d1a4df3e1de5bb68cdacf121/
Threat name:
Win32.PUA.Pearfoos
Create hunting rule
Status:
Malicious
First seen:
2022-08-06 10:38:27 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
16 of 26 (61.54%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57eakauvya2vid43yepxwxc4ncwnhmif2gsn6pq54w5wrtnm6eqq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220813-nfzzsabgb9/
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
144c003e9e51c075df8f042feb86c8def62d5ed888fa0418228128ddf370806e
MD5 hash:
54121542c64ff2076d7e26571a4528a4
SHA1 hash:
c9f7346e84cb0378bd42b3b7d30694c75b87e7e9
Link:
https://www.unpac.me/results/e5ee82a9-6a4f-46b4-8357-57cc88a92b67/
SH256 hash:
efc8050295c035540f9bc11f7b5c5c68acd3b105d1a4df3e1de5bb68cdacf121
MD5 hash:
7308d8adf1dfaa81814c54e1a92a57cf
SHA1 hash:
e29cd09aa81e6a6c247645fe511a405861e4715a
Link:
https://www.unpac.me/results/e5ee82a9-6a4f-46b4-8357-57cc88a92b67/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efc8050295c035540f9bc11f7b5c5c68acd3b105d1a4df3e1de5bb68cdacf121

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298423/

Comments