Overview

overview

10

Static

static

7

Setup.exe

windows7_x64

10

Setup.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Installer__Pass_1234.rar

  • Size

    6.0MB

  • Sample

    220620-p78xfafee4

  • MD5

    5e3ce385693dcc01f7105cb69f1e4080

  • SHA1

    c119534b1e0c53bc84c15ec216d42eb8fc0ebdba

  • SHA256

    6dfd5a3c0b4ee1678a45998424308b1e606809a28970ae17d14f36a3277e7a93

  • SHA512

    3eb78663adbf7b1ca95fced952cd9e8d8d5e5cc419abe9b6eab7e05adc1586d92aa2a971f1171b173a080ccc3b47017440bfb433a3a51bdd79cb01e374048158

Score
10/10
recordbreakerdiscoveryevasionspywarestealersuricatathemidatrojan

Malware Config

Extracted

Family

recordbreaker

C2

http://193.43.146.26/

http://45.133.216.170/

Targets

    • Target

      Setup.exe

    • Size

      387.1MB

    • MD5

      cc6bc8ed20240c6778caa26317730ebe

    • SHA1

      29800af4a4238442d850733ce8ec3b73a0932a63

    • SHA256

      5121fc3ddf49c3b5297a35386ff5847dc665401a2fa7b97d62628f4a00262092

    • SHA512

      8fbf9ac394bf52e8ea0cf79328151340427f0a56d678530a593d3e207f521e9be75d20f7dcf3bb6bb873c15842366833b597208a6ef80896b8ac8dbcdcc251b6

    Score
    10/10
    recordbreakerdiscoveryevasionspywarestealersuricatathemidatrojan

    • RecordBreaker

      RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

      stealerrecordbreaker

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata: ET MALWARE Generic .bin download from Dotted Quad

      suricata

    • suricata: ET MALWARE Generic Stealer Config Download Request

      suricata: ET MALWARE Generic Stealer Config Download Request

      suricata

    • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

      suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks