Overview

overview

10

Static

static

7

setup/Pre-...up.exe

windows7_x64

10

setup/Pre-...up.exe

windows10-2004_x64

10

setup/Setup+Crack.exe

windows7_x64

10

setup/Setup+Crack.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    setup.zip

  • Size

    11.5MB

  • Sample

    220618-xe1pcsafap

  • MD5

    9b93818d604d5acf071ba0d8ccf55238

  • SHA1

    3c7eae22dc42bf796060ad7a1fafc2b377d7c666

  • SHA256

    0b62937b27d7826f2a514e230b5ab508df220f422b2ecca38be0f32647a65c98

  • SHA512

    88c1e463587fdabe5fa8796c29ffede824e77031cc4130e0d64eb7f97c710d3c67cd964aa63e946c7bd7637261e7406f99507c5e06b70ea1cf38bb1bc81c84bb

Score
10/10
recordbreakerevasionstealerthemidatrojan

Malware Config

Extracted

Family

recordbreaker

C2

http://45.133.216.170/

http://146.19.247.52/

Targets

    • Target

      setup/Pre-Activated-Setup.exe

    • Size

      428.2MB

    • MD5

      15173dce1e7f34b1982d13504a38348a

    • SHA1

      d60ba35d66b68d12464bcaf1eb50dc560df477f0

    • SHA256

      98786bd9bbeb954b930d591750cdbc3b4a58556bb5dd42ce1c018748becca9a3

    • SHA512

      f4d303cd3fdddcd6e86054309e6359bdb9c1db04c4d302c44e94295f0facf5f92703aea88f6a8bf463cf3532ad3818952ebef479cdc44b5e501db1e4ba0aca95

    Score
    10/10
    recordbreakerevasionstealerthemidatrojan

    • RecordBreaker

      RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

      stealerrecordbreaker

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      setup/Setup+Crack.exe

    • Size

      428.1MB

    • MD5

      2fd256b3be897b7270701dca32e52f2b

    • SHA1

      4641f5ef8509457127140817386cd3ab433c701f

    • SHA256

      4b03666c196e8ca7206be69a545ff119ee7b9bf121fd79e3da48a2986dd4ac35

    • SHA512

      38e680be0477093ba9f0d391ed4e3d65ed888ead5538ac81beb4fb3a9d4c1a007465da51bbae24acefb518bd18e2d7ca2e68902309b0d0d819b0a5c3570acdae

    Score
    10/10
    recordbreakerevasionstealerthemidatrojan

    • RecordBreaker

      RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

      stealerrecordbreaker

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks