recordbreaker | 20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161

General

Target

20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe
Size

300KB
MD5

5a7d42ef154a45a749d3ab174323f303
SHA1

51bbb8e59761636e26c985f230d22d8282917594
SHA256

20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161
SHA512

7a6c2fb849cf6886f6a93f57e00db0159cbe1a9f8a592ce928b8e6cb25c5415b63ec8d55c54da8c32363447587f50721b8fccceaa6c3d91c37c400d72f25b4c7

Score

10^/10

recordbreaker stealer suricata

Malware Config

Extracted

Family

recordbreaker

C2

http://51.195.166.201/

Signatures

Raccoon ver2 5 IoCs

Raccoon ver2.

Processes:

resource	yara_rule
behavioral1/memory/916-61-0x0000000000080000-0x0000000000092000-memory.dmp	raccoon_v2
behavioral1/memory/916-62-0x0000000000080000-0x0000000000092000-memory.dmp	raccoon_v2
behavioral1/memory/916-66-0x0000000000080000-0x0000000000092000-memory.dmp	raccoon_v2
behavioral1/memory/916-69-0x0000000000080000-0x0000000000092000-memory.dmp	raccoon_v2
behavioral1/memory/916-72-0x0000000000080000-0x0000000000092000-memory.dmp	raccoon_v2

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe

description	pid	Process	procid_target
PID 1684 set thread context of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe

description	pid	Process
Token: SeDebugPrivilege	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe

description	pid	Process	procid_target
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28
PID 1684 wrote to memory of 916	1684	20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe	28

C:\Users\Admin\AppData\Local\Temp\20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe
"C:\Users\Admin\AppData\Local\Temp\20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-56-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/916-57-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/916-59-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/916-61-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/916-62-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/916-65-0x0000000000407486-mapping.dmp

Download
memory/916-66-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/916-69-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/916-72-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/1684-54-0x0000000000A40000-0x0000000000A90000-memory.dmp

Filesize
320KB

Download
memory/1684-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads