MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb528ac820607536012da05cb0fba939d52c49dba666b31c97a72726e826bdd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb528ac820607536012da05cb0fba939d52c49dba666b31c97a72726e826bdd1
SHA3-384 hash: b20b89eb7ebfc141450773c9b56c5d1c8169be628fa892d51b0e82525d7b1144bb4ff3758f0a70513f011d37bc72eef5
SHA1 hash: 2e1f554eb3b7dfce17b379d249fbdca8ab312ee2
MD5 hash: 67c73b9b9b10e0f7ee42045adaed8eb8
humanhash: uranus-asparagus-alpha-moon
File name:SecuriteInfo.com.Variant.Lazy.234097.11251.148
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:119'784 bytes
First seen:2022-08-21 21:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3fd1f5963acd9c393595c6bf09172dfb (3 x RedLineStealer, 2 x RecordBreaker)
ssdeep 3072:JOj+4A4RzCNj6uoobY68pgi/QlOJfEPUpDDnmapXFS:rmzioo6HfEPGDDnmSs
Threatray 5'480 similar samples on MalwareBazaar
TLSH T140C3AE03B9D1C832EA7619311464D9B19D7FF9611A20DE672BAD52790F323C1CE21EAF
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Lazy.234097.11251.148
Verdict:
Suspicious activity
Analysis date:
2022-08-21 21:32:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a6b1677a-2419-485a-817f-4385dd5848d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300065/
Detection(s):
SecuriteInfo.com.Variant.Lazy.234097.11251.148.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29578/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed
Link:
https://www.filescan.io/uploads/6302a4943cbb13868a6c6ecd/reports/a6cad25b-37fc-44ba-b098-8fb407694e16/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/74f8bcd6-68e7-4d31-bafa-863260ffb78f
Result
Threat name:
Raccoon Stealer v2, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055154
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687667 Sample: SecuriteInfo.com.Variant.La... Startdate: 21/08/2022 Architecture: WINDOWS Score: 100 79 in.appcenter.ms 2->79 81 coinsurf.com 2->81 113 Snort IDS alert for network traffic 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 Antivirus detection for URL or domain 2->117 119 7 other signatures 2->119 10 SecuriteInfo.com.Variant.Lazy.234097.11251.exe 1 2->10         started        13 dtigfcc 2 2->13         started        15 dtigfcc 2->15         started        signatures3 process4 signatures5 121 Writes to foreign memory regions 10->121 123 Allocates memory in foreign processes 10->123 125 Injects a PE file into a foreign processes 10->125 17 MSBuild.exe 10->17         started        20 WerFault.exe 23 9 10->20         started        23 conhost.exe 10->23         started        25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        process6 dnsIp7 93 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->93 95 Maps a DLL or memory area into another process 17->95 97 Checks if the current machine is a virtual machine (disk enumeration) 17->97 99 Creates a thread in another existing process (thread injection) 17->99 29 explorer.exe 8 17->29 injected 83 192.168.2.1 unknown unknown 20->83 signatures8 process9 dnsIp10 87 185.215.113.58, 49753, 49762, 80 WHOLESALECONNECTIONSNL Portugal 29->87 89 45.138.74.104, 49754, 80 HOSTGLOBALPLUS-ASRU Russian Federation 29->89 91 2 other IPs or domains 29->91 71 C:\Users\user\AppData\Roaming\dtigfcc, PE32 29->71 dropped 73 C:\Users\user\AppData\Local\Temp\AA49.exe, PE32 29->73 dropped 75 C:\Users\user\AppData\Local\Temp\7369.exe, PE32 29->75 dropped 77 C:\Users\user\AppData\Local\Temp\5BF8.exe, PE32 29->77 dropped 133 System process connects to network (likely due to code injection or exploit) 29->133 135 Benign windows process drops PE files 29->135 137 Injects code into the Windows Explorer (explorer.exe) 29->137 139 2 other signatures 29->139 34 5BF8.exe 1 29->34         started        37 AA49.exe 1 29->37         started        39 7369.exe 4 29->39         started        42 10 other processes 29->42 file11 signatures12 process13 file14 101 Machine Learning detection for dropped file 34->101 103 Contains functionality to inject code into remote processes 34->103 105 Writes to foreign memory regions 34->105 44 MSBuild.exe 25 34->44         started        49 conhost.exe 34->49         started        107 Allocates memory in foreign processes 37->107 109 Injects a PE file into a foreign processes 37->109 51 conhost.exe 37->51         started        53 MSBuild.exe 37->53         started        55 WerFault.exe 37->55         started        59 C:\Users\user\AppData\Local\...\Update.exe, PE32 39->59 dropped 111 Multi AV Scanner detection for dropped file 39->111 57 Update.exe 7 39->57         started        signatures15 process16 dnsIp17 85 89.208.104.46, 49757, 80 PSKSET-ASRU Russian Federation 44->85 61 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 44->61 dropped 63 C:\Users\user\AppData\LocalLow\nss3.dll, PE32 44->63 dropped 65 C:\Users\user\AppData\LocalLow\mozglue.dll, PE32 44->65 dropped 69 4 other files (none is malicious) 44->69 dropped 127 Tries to harvest and steal browser information (history, passwords, etc) 44->127 129 DLL side loading technique detected 44->129 131 Tries to steal Crypto Currency Wallets 44->131 67 C:\Users\user\AppData\Local\...\Update.exe, PE32 57->67 dropped file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb528ac820607536012da05cb0fba939d52c49dba666b31c97a72726e826bdd1/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-08-21 21:31:09 UTC
File Type:
PE (Exe)
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7njivsbamb2tmajnubolb65jhhksyso3uztlghexu4tsn2bgxxiq._file
Verdict:
malicious
Similar samples:
049ae382c00f3cbd42e9108966c445234ed5bccce0913dae44c313295879a6c2
RecordBreaker
0d5f72de2638164abf4e3c913cc91721e5c011fb85f7ccb81c86f8d17712b2d6
RecordBreaker
1a1a1fc106492d46570f3031f05ccc27dd23b8266df4208d648923a7b684d1af
RecordBreaker
5cd575c5fa62c375ac8f979a0231f39b1779122a277ce4a5c2faa9f5e69e1d11
RecordBreaker
6cb9da274bb4ffc27b53ac639f8ed1cbcddf990b8cd622c298863aa162eb2f50
RecordBreaker
7968a4ce56f635c65b0f2bbdc8d72364a58eab71642ec195cb4fd579a134fca7
RecordBreaker
b247929c0dacbb6bbf61af984da9386a64139fa70e9ec9c77aeb339e2ae53fb0
RecordBreaker
c7946da08940de7da39c9bcd1417e1926616d7953974ef5f24aacc6de9b362c9
RecordBreaker
e68eb5c847f58f8a3322208932734601f1c8909f529e5d64aec129e095f02ad3
RecordBreaker
f5f0060d8e6b44619fdcf74db5cc5d6e50be365cf7c92b32325e3a91d622a1f9
RecordBreaker
+ 5'470 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220821-1c14wshdg9/
Unpacked files
SH256 hash:
c9f6582d5c08a359808efbf5d9ebf6aed62527b76e0cdffd9606dcac5101707f
MD5 hash:
d66c888a96c49048c8a08b4fcfdffbd2
SHA1 hash:
70b0ec754430c426dc5b38577af871cbcd9887fc
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/31441560-1ec6-4c08-bad9-880419bd52c7/
SH256 hash:
fb528ac820607536012da05cb0fba939d52c49dba666b31c97a72726e826bdd1
MD5 hash:
67c73b9b9b10e0f7ee42045adaed8eb8
SHA1 hash:
2e1f554eb3b7dfce17b379d249fbdca8ab312ee2
Link:
https://www.unpac.me/results/31441560-1ec6-4c08-bad9-880419bd52c7/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb528ac82060/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fb528ac820607536012da05cb0fba939d52c49dba666b31c97a72726e826bdd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RecordBreaker

Executable exe fb528ac820607536012da05cb0fba939d52c49dba666b31c97a72726e826bdd1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2275334/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/300065/

Comments