Overview

overview

10

Static

static

10

2106b6f94c...fc.exe

windows7_x64

10

2106b6f94c...fc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16/06/2022, 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc.exe

  • Size

    55KB

  • MD5

    6844edfec32e4323ecfedc458f7d3b86

  • SHA1

    465d756d89a18d40a2721e74d99b4df8dc9438a8

  • SHA256

    2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc

  • SHA512

    94b2fea769586a0216466f2474f1a1c61d81f10b2bba79c5e7c3f18c3126302a8cff680ef71421fa91d3a70ac3fb37fea44ceeb6800cb83e0515068647356b95

Score
10/10
recordbreakerdiscoveryspywarestealersuricata

Malware Config

Signatures

  • RecordBreaker

    RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

    stealerrecordbreaker
  • suricata: ET MALWARE Generic Stealer Config Download Request

    suricata: ET MALWARE Generic Stealer Config Download Request

    suricata
  • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc.exe
    "C:\Users\Admin\AppData\Local\Temp\2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    PID:4104

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\mozglue.dll
    Filesize

    612KB

    MD5

    f07d9977430e762b563eaadc2b94bbfa

    SHA1

    da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

    SHA256

    4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

    SHA512

    6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\nss3.dll
    Filesize

    1.9MB

    MD5

    f67d08e8c02574cbc2f1122c53bfb976

    SHA1

    6522992957e7e4d074947cad63189f308a80fcf2

    SHA256

    c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

    SHA512

    2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\sqlite3.dll
    Filesize

    1.0MB

    MD5

    dbf4f8dcefb8056dc6bae4b67ff810ce

    SHA1

    bbac1dd8a07c6069415c04b62747d794736d0689

    SHA256

    47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

    SHA512

    b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

    Download Submit