MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f85362fa96806ce4ff93b8a49e0e74f65dea0b759ae8701ccc336609c119487b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RecordBreaker


Vendor detections: 9



SHA256 hash: f85362fa96806ce4ff93b8a49e0e74f65dea0b759ae8701ccc336609c119487b
SHA3-384 hash: 3225e60e7c3506e5e5bd3a6d1bd7bba0185b351da294b19a912bdd19629a60cedf6b963b777add46d7940c0dc7eadcb9
SHA1 hash: ecdf2a060e6d02606486f168c11b555283b199ce
MD5 hash: 43c5418a66f1d9483280d8fbc44c9fb9
humanhash: pasta-illinois-sweet-lithium
File name: F85362FA96806CE4FF93B8A49E0E74F65DEA0B759AE87.exe
Signature RecordBreaker
File size: 1'672'200 bytes
First seen: 2024-01-19 22:10:22 UTC
Last seen: 2024-01-19 23:30:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/cmmKic6QL3E2vVsjECUAQT45deRV9RY:sBuZrEUoKIy029s4C1eH9G
TLSH T14075BF3FF268A13EC56A1B3245B38320997BBA51B81A8C1E47FC344DCF765601E3B656
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://78.153.130.188/

Intelligence


File Origin
# of uploads: 2
# of downloads: 340
Origin country: NL
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed setupapi shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.spyw.evad
Score:
46 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Installs a global event hook (focus changed)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Behaviour
Behavior Graph: ID 1377774, Sample: F85362FA96806CE4FF93B8A49E0..., Startdate: 19/01/2024, Architecture: WINDOWS, Score: 46 (rendered process graph not reproduced here)
Threat name:
Win32.Trojan.OffLoader
Status:
Malicious
First seen:
2024-01-19 14:51:24 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 561dc6b55d17cd8e0c3acd7f7a0f2cb4a56bc73986cd1da1ea0f088af376fcf2
MD5 hash: 31750774249f2fd5531428c98ec51cb3
SHA1 hash: 761793612761c6cf775916df4885e3f074d538c4
SHA256 hash: f85362fa96806ce4ff93b8a49e0e74f65dea0b759ae8701ccc336609c119487b
MD5 hash: 43c5418a66f1d9483280d8fbc44c9fb9
SHA1 hash: ecdf2a060e6d02606486f168c11b555283b199ce
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments