Extracted

• • Target

    ProtonVPN.exe

  • Size

    7.3MB

  • MD5

    f96a8e7ea02644c467123edc530f0980

  • SHA1

    7a6c2a5100f3252db27d9c96a0b964acbd836def

  • SHA256

    51dd593160a054cb0f10a011e7212c30ce12cf75fbb08f6fe537597892c9a6a2

  • SHA512

    584bd9e7465fcc7df7c1b4f7d81dfbc765aa6e59c0d5009aac83c4eef2b2412658b7019faee0ab422cb845212a299d9807fa1434975650c562c40ca44dc1fec9

  Score

  10^/10

  recordbreakerdiscoveryevasionspywarestealersuricatathemidatrojan

  • RecordBreaker

    RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

    stealerrecordbreaker

  • suricata: ET MALWARE Generic Stealer Config Download Request

    suricata: ET MALWARE Generic Stealer Config Download Request

    suricata

  • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    suricata

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2