recordbreaker

Resubmissions

16-06-2022 18:46

220616-xe35gsgfgm 10

16-06-2022 18:46

220616-xex88sgfgk 1

16-06-2022 18:42

220616-xcmdysgfel 6

13-06-2022 17:14

220613-vr4knshegj 1

Sharing

Copy URL

Twitter E-mail

General

Target

Server.exe
Size

449KB
Sample

220616-xe35gsgfgm
MD5

4682b50369a41924c08401249ccb8511
SHA1

364062cce5ed118a6b3ddce1af5e726778cbb7d6
SHA256

729e7368bb7e28a5416896392bfed2f738804cb7d957c58e78a90a771ce4f976
SHA512

d7206a2d97da4f0c7ee854d0c7dbd514bfd9919159290ea25464dc6c0fe1a2a3009568fc94e37498dcadc8121fd5d4b2520cc604de229163528d3041222adfaf

Score

10^/10

Malware Config

Extracted

Family

recordbreaker

http://45.159.251.21/

http://5.252.22.107/

Targets

- Target
  
  Server.exe
- Size
  
  449KB
- MD5
  
  4682b50369a41924c08401249ccb8511
- SHA1
  
  364062cce5ed118a6b3ddce1af5e726778cbb7d6
- SHA256
  
  729e7368bb7e28a5416896392bfed2f738804cb7d957c58e78a90a771ce4f976
- SHA512
  
  d7206a2d97da4f0c7ee854d0c7dbd514bfd9919159290ea25464dc6c0fe1a2a3009568fc94e37498dcadc8121fd5d4b2520cc604de229163528d3041222adfaf
Score

10^/10

recordbreaker discovery evasion persistence stealer themida trojan
- Modifies system executable filetype association
  persistence
- RecordBreaker
  RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
  stealer recordbreaker
- evasion
  evasion.
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Modifies system executable filetype association

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Registers COM server for autorun

Checks BIOS information in registry

Themida packer

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4