recordbreaker | f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11

General

Target

f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe
Size

1.4MB
MD5

6a4fe454abe491c0c24c8cfd3c759900
SHA1

0df05c838d2d73f817f25a3441dfe4dc67e26f3d
SHA256

f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11
SHA512

ec7af66871665f74c87129d2dbda8ceb2be8ecfe64143fd523bdbe97f62d6e37153d9131871c6e1fe7fbe8a71c9a10dfdc277360f1c38f51e08f61b5f8a54825

Score

10^/10

Family

recordbreaker

C2

http://82.202.172.185/

Raccoon ver2 3 IoCs

Raccoon ver2.

Processes:

resource	yara_rule
behavioral1/memory/1576-61-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/1576-64-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/1576-66-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata

Suspicious use of SetThreadContext 1 IoCs

Processes:

f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe

description	pid	Process	procid_target
PID 1768 set thread context of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe

description	pid	Process	procid_target
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26
PID 1768 wrote to memory of 1576	1768	f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe	26

C:\Users\Admin\AppData\Local\Temp\f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe
"C:\Users\Admin\AppData\Local\Temp\f97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1576

memory/1576-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1576-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1576-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1576-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1768-54-0x0000000000620000-0x0000000000759000-memory.dmp

Filesize
1.2MB

Download
memory/1768-55-0x0000000000620000-0x0000000000759000-memory.dmp

Filesize
1.2MB

Download
memory/1768-56-0x0000000000620000-0x0000000000759000-memory.dmp

Filesize
1.2MB

Download
memory/1768-57-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/1768-58-0x000000000C520000-0x000000000C601000-memory.dmp

Filesize
900KB

Download
memory/1768-63-0x0000000000620000-0x0000000000759000-memory.dmp

Filesize
1.2MB

Download