MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9c90c61043fcb8fb22679e39061bf84bf44ab4833e02ef0d93305ca1aa4e81e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 12

SHA256 hash: f9c90c61043fcb8fb22679e39061bf84bf44ab4833e02ef0d93305ca1aa4e81e
SHA3-384 hash: 358636ccc2835758ed19d0c8cfabeda18713cf1e34dac81692ba176aa16b4b1898588fd11a7ffb3d331c37113cb94d0f
SHA1 hash: 3b224a326033ac13576fecad1452bf2cbcd2d6ba
MD5 hash: 18d0692cd14e34000b9093c49bfcf3d2
humanhash: carpet-shade-beryllium-july
File name: 18d0692cd14e34000b9093c49bfcf3d2.exe
Signature: RecordBreaker
File size: 13'802'792 bytes
First seen: 2023-01-18 19:25:13 UTC
Last seen: 2023-01-18 20:30:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 393216:aVt2PngoO4oIkNqmTlVG6sfbjTGkzk+G7Z:8t2PnghpNq+Dhqbn5QDZ
Threatray: 4'187 similar samples on MalwareBazaar
TLSH: T1F7D6233BB354653EC56A2A3037324B408937F651A41AAC1A77F40C4DEFEE6E01E3A6D5
TrID: 61.8% (.EXE) Inno Setup installer (109740/4/30)
      23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: e0c0ccc6c4c6c0e0 (2 x Vjw0rm, 1 x RecordBreaker)
Reporter: abuse_ch
Tags: exe recordbreaker signed

Code Signing Certificate

Organisation: Balistreri.com
Issuer: Balistreri.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-08T21:10:52Z
Valid to: 2024-01-08T21:30:52Z
Serial number: 6149e65da4e8428e4b573343e8b0aa43
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 081861cb19ae540d751bf9c1435de88f59ec0802e9d29ef54f7dcb755d067f64
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
RecordBreaker C2:
http://5.78.66.126/

Intelligence

File Origin
# of uploads: 2
# of downloads: 293
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 18d0692cd14e34000b9093c49bfcf3d2.exe
Verdict: Malicious activity
Analysis date: 2023-01-18 19:26:12 UTC
Tags: installer loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour:
  Searching for the window
  Creating a file in the %temp% subdirectories
  Creating a window
  Creating a process from a recently created file
  Creating synchronization primitives
  Searching for synchronization primitives
  Moving a file to the %temp% subdirectory
  Creating a file
  Moving a recently created file
  Running batch commands
  Creating a process with a hidden window
  Launching a process
  Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CheckNumberOfProcessor
  CheckCmdLine
Verdict: No Threat
Threat level: 2/10
Confidence: 80%
Tags: overlay packed setupapi.dll shell32.dll

Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature:
  Antivirus detection for URL or domain
  Encrypted powershell cmdline option found
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Obfuscated command line found
  PE file has a writeable .text section
  Powershell drops PE file
  Suspicious powershell command line found
  Very long command line found
Behaviour:
Behavior Graph (ID 786863; sample g5xEnnmu8j.exe; start date 18/01/2023; architecture WINDOWS; score 88), reconstructed from the flattened graph text:
  Sample-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; PE file has a writeable .text section
  g5xEnnmu8j.exe started; dropped C:\Users\user\AppData\...\g5xEnnmu8j.tmp (PE32); Obfuscated command line found; started g5xEnnmu8j.tmp
  g5xEnnmu8j.tmp dropped C:\Users\user\AppData\Local\...\is-NACBS.tmp (PE32), C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32), C:\...\OfficeInstall+Activate.exe (copy, PE32) and 3 other files (2 malicious); started cmd.exe and OfficeInstall+Activate.exe
  cmd.exe: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; started two powershell.exe instances and conhost.exe
  OfficeInstall+Activate.exe dropped C:\Users\user\AppData\Local\...\setup.exe (PE32) and C:\Users\user\AppData\Local\...\files.dat (PE32); started three cmd.exe instances
  powershell.exe (first instance): Powershell drops PE file
  powershell.exe (second instance): contacted 135.181.123.26 (ports 49701, 49702, 80; HETZNER-ASDE, Germany); dropped C:\ProgramData\sccp32.dll (PE32)
  The three cmd.exe children started files.dat, WMIC.exe and WMIC.exe respectively, each with a conhost.exe
  files.dat dropped C:\Users\user\AppData\Local\...\cleanospp.exe (PE32 and PE32+) and C:\Users\user\AppData\Local\...\msvcr100.dll (PE32 and PE32+)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-01-10 20:16:23 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 12 of 38 (31.58%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: upx
Behaviour:
  Modifies data under HKEY_USERS
  Suspicious behavior: CmdExeWriteProcessMemorySpam
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
  Loads dropped DLL
  Blocklisted process makes network request
  Executes dropped EXE
  UPX packed file
Malware Config
Dropper Extraction:
  http://135.181.123.26/sccp32.dll
  http://135.181.123.26/rundll32.bat
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
