General

  • Size: 7MB
  • Sample: 220618-b1q66agea8
  • MD5: f96a8e7ea02644c467123edc530f0980
  • SHA1: 7a6c2a5100f3252db27d9c96a0b964acbd836def
  • SHA256: 51dd593160a054cb0f10a011e7212c30ce12cf75fbb08f6fe537597892c9a6a2
  • SHA512: 584bd9e7465fcc7df7c1b4f7d81dfbc765aa6e59c0d5009aac83c4eef2b2412658b7019faee0ab422cb845212a299d9807fa1434975650c562c40ca44dc1fec9

Malware Config

Extracted

  • Family: recordbreaker
  • C2:
    http://142.132.229.12/
    http://164.92.172.4/

Targets

    • Target: ProtonVPN.exe


    • RecordBreaker

      RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

    • suricata: ET MALWARE Generic Stealer Config Download Request

    • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation