Overview

overview

10

Static

static

8

winprofile

windows7_x64

10

winprofile

windows10_x64

10

Analysis

  • max time kernel
    164s
  • max time network
    182s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    21-06-2022 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03a8531989aeeec1befecbba4f3ee218309306224bd22b7e52104537e32bacd6.exe

  • Size

    5.2MB

  • MD5

    b1057feaae568f50eb9ff99a0fd2e545

  • SHA1

    b6e1d147b2f1564224a530b07af1681fa7a991e3

  • SHA256

    03a8531989aeeec1befecbba4f3ee218309306224bd22b7e52104537e32bacd6

  • SHA512

    c69024ff4629f752af10f2a628580d616ec6e4db1986e95a45b523c1f30b72c361ee12744a152c01e7ad8fadf68146d1ef42300b4f3556efa6eefa0e6259c482

Score
10/10
recordbreakerdiscoveryevasionpersistencespywarestealersuricatathemidatrojanvmprotect

Malware Config

Extracted

Family

recordbreaker

C2

http://51.195.166.175/

Signatures

  • Raccoon ver2 5 IoCs

    Raccoon ver2.

  • RecordBreaker

    RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

    stealerrecordbreaker
  • suricata: ET MALWARE Generic Stealer Config Download Request

    suricata: ET MALWARE Generic Stealer Config Download Request

    suricata
  • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03a8531989aeeec1befecbba4f3ee218309306224bd22b7e52104537e32bacd6.exe
    "C:\Users\Admin\AppData\Local\Temp\03a8531989aeeec1befecbba4f3ee218309306224bd22b7e52104537e32bacd6.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Roaming\278UEAF6.exe
      "C:\Users\Admin\AppData\Roaming\278UEAF6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:33380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 60640
          3⤵
          • Program crash
          PID:33496
      • C:\Users\Admin\AppData\Roaming\P9ZBp3hd.exe
        "C:\Users\Admin\AppData\Roaming\P9ZBp3hd.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:3036

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\278UEAF6.exe
      Filesize

      3.1MB

      MD5

      a62cb58dab2cebf44106b23818707493

      SHA1

      d977a584b70455b676fe396ff4a6d5fd55fb0186

      SHA256

      100dbe8317c99125d08478807bebe40ac7b669a2104989337e9daef41f2b2da7

      SHA512

      5b88e662f50c6ca2fefdda32f39dcef2cf3a30f2a99fedd0bf6cf73f06b1264b7672de537ccf6931f3b6c26212ec162e4f9026dd99417e5b97ac225beeaecd96

      Download Submit
    • C:\Users\Admin\AppData\Roaming\278UEAF6.exe
      Filesize

      3.1MB

      MD5

      a62cb58dab2cebf44106b23818707493

      SHA1

      d977a584b70455b676fe396ff4a6d5fd55fb0186

      SHA256

      100dbe8317c99125d08478807bebe40ac7b669a2104989337e9daef41f2b2da7

      SHA512

      5b88e662f50c6ca2fefdda32f39dcef2cf3a30f2a99fedd0bf6cf73f06b1264b7672de537ccf6931f3b6c26212ec162e4f9026dd99417e5b97ac225beeaecd96

      Download Submit
    • C:\Users\Admin\AppData\Roaming\P9ZBp3hd.exe
      Filesize

      67KB

      MD5

      2fcb8272b748dbb1c67e39b0d80fa15c

      SHA1

      63b82a8590ca47ab14f31729c7ea9ff59ccccdda

      SHA256

      3e3c2806c4ea2f1a51060efde3a5637939dc454fddf82f18b5d2db3d35d9f9cd

      SHA512

      6c5082c14d42e3616e156697008fd391c545c5591e62be94a2a0c0e969a03b9e320e6ea7304a2a7ca0cbcf7ce378a235f18e69f2625706dc8cab43404f2951c9

      Download Submit
    • C:\Users\Admin\AppData\Roaming\P9ZBp3hd.exe
      Filesize

      67KB

      MD5

      2fcb8272b748dbb1c67e39b0d80fa15c

      SHA1

      63b82a8590ca47ab14f31729c7ea9ff59ccccdda

      SHA256

      3e3c2806c4ea2f1a51060efde3a5637939dc454fddf82f18b5d2db3d35d9f9cd

      SHA512

      6c5082c14d42e3616e156697008fd391c545c5591e62be94a2a0c0e969a03b9e320e6ea7304a2a7ca0cbcf7ce378a235f18e69f2625706dc8cab43404f2951c9

      Download Submit
    • \Users\Admin\AppData\LocalLow\mozglue.dll
      Filesize

      612KB

      MD5

      f07d9977430e762b563eaadc2b94bbfa

      SHA1

      da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

      SHA256

      4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

      SHA512

      6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

      Download Submit
    • \Users\Admin\AppData\LocalLow\nss3.dll
      Filesize

      1.9MB

      MD5

      f67d08e8c02574cbc2f1122c53bfb976

      SHA1

      6522992957e7e4d074947cad63189f308a80fcf2

      SHA256

      c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

      SHA512

      2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

      Download Submit
    • \Users\Admin\AppData\LocalLow\sqlite3.dll
      Filesize

      1.0MB

      MD5

      dbf4f8dcefb8056dc6bae4b67ff810ce

      SHA1

      bbac1dd8a07c6069415c04b62747d794736d0689

      SHA256

      47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

      SHA512

      b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

      Download Submit
    • memory/2228-213-0x0000000000000000-mapping.dmp
      Download
    • memory/3036-242-0x0000012DB9AC0000-0x0000012DB9AC6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3036-239-0x0000012DB97C0000-0x0000012DB97D6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3036-232-0x0000000000000000-mapping.dmp
      Download
    • memory/3616-160-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-167-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/3616-131-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-133-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-134-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-132-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-135-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-136-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-137-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-138-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-139-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-140-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-141-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/3616-146-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-147-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-148-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-149-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-150-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-151-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-152-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-153-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-154-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-155-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-156-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-157-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/3616-158-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/3616-159-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/3616-118-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-161-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-162-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-163-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-164-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-165-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-130-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-166-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-168-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-169-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-170-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-171-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-172-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-173-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-174-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-175-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-176-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-177-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-178-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-129-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-180-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-181-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-182-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-128-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-184-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-185-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-127-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-190-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/3616-125-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/3616-126-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-124-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-123-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-122-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-121-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-120-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-119-0x00000000774E0000-0x000000007766E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3616-243-0x0000000000FA0000-0x0000000001B63000-memory.dmp
      Filesize

      11.8MB

      Download
    • memory/33380-250-0x0000000000424B63-mapping.dmp
      Download