recordbreaker | 0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7-20220414-en
submitted
21/06/2022, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
Size

1.4MB
MD5

3489c407c7328f4976d5b490aad8b145
SHA1

992a53af7a34ed38ebdac5517e067ac029a4bdb2
SHA256

0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262
SHA512

e3c479f3c46e5bb036129fe14e2eb42b0bfa4d0fd80af0617a953f7f86f1deb13af778272d07c4ec24785469681ca3d748f676ab8597c46e944f09bf8ad25e2f

Score

10^/10

recordbreaker stealer suricata

Malware Config

Extracted

Family

recordbreaker

http://51.195.166.184/

Signatures

Raccoon ver2 5 IoCs

Raccoon ver2.

resource	yara_rule
behavioral1/memory/1296-83-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/1296-81-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/1296-80-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/1296-86-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/1296-88-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 644 set thread context of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 1168 set thread context of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
Token: SeDebugPrivilege	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2044	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	28
PID 644 wrote to memory of 2044	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	28
PID 644 wrote to memory of 2044	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	28
PID 644 wrote to memory of 2044	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	28
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 644 wrote to memory of 1168	644	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	29
PID 1168 wrote to memory of 672	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	30
PID 1168 wrote to memory of 672	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	30
PID 1168 wrote to memory of 672	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	30
PID 1168 wrote to memory of 672	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	30
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31
PID 1168 wrote to memory of 1296	1168	0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe	31

C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
"C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
  "C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe"
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
  "C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
    "C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe"
    3⤵
    PID:672
- - C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe
    "C:\Users\Admin\AppData\Local\Temp\0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262.exe"
    3⤵
    PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-54-0x0000000000CE0000-0x0000000000E42000-memory.dmp

Filesize
1.4MB

Download
memory/644-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/644-56-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/644-57-0x000000000A460000-0x000000000A574000-memory.dmp

Filesize
1.1MB

Download
memory/644-58-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/644-59-0x00000000084C0000-0x000000000857C000-memory.dmp

Filesize
752KB

Download
memory/1168-60-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1168-61-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1168-63-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1168-64-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1168-65-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1168-68-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1168-70-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1168-72-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/1168-73-0x00000000081E0000-0x0000000008252000-memory.dmp

Filesize
456KB

Download
memory/1168-74-0x0000000000960000-0x0000000000974000-memory.dmp

Filesize
80KB

Download
memory/1296-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-88-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download