recordbreaker | 567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10

Analysis

max time kernel
164s
max time network
196s
platform
windows10_x64
resource
win10-20220414-en
submitted
21-06-2022 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe
Size

2.6MB
MD5

e3a845bd8c0bf6f44104f8e31216929a
SHA1

e94f44c5c4aee2987c1e912b1616ef5ab316a8da
SHA256

567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10
SHA512

2ecebc4bd993a8f2d2adee95128131b9de07827a6724af9324843e554126bd4764543d192074bcace88a033d6b0593adf3b5289623e7f6998566bcc77900718b

Score

10^/10

recordbreaker evasion stealer themida trojan

Malware Config

Extracted

Family

recordbreaker

http://91.240.84.222/

Signatures

Raccoon ver2 3 IoCs

Raccoon ver2.

Processes:

resource	yara_rule
behavioral2/memory/1496-153-0x0000000001190000-0x0000000001814000-memory.dmp	raccoon_v2
behavioral2/memory/1496-154-0x0000000001190000-0x0000000001814000-memory.dmp	raccoon_v2
behavioral2/memory/1496-173-0x0000000001190000-0x0000000001814000-memory.dmp	raccoon_v2

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1496-136-0x0000000001190000-0x0000000001814000-memory.dmp	themida
behavioral2/memory/1496-152-0x0000000001190000-0x0000000001814000-memory.dmp	themida
behavioral2/memory/1496-153-0x0000000001190000-0x0000000001814000-memory.dmp	themida
behavioral2/memory/1496-154-0x0000000001190000-0x0000000001814000-memory.dmp	themida
behavioral2/memory/1496-173-0x0000000001190000-0x0000000001814000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

pid	Process
1496	567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe

C:\Users\Admin\AppData\Local\Temp\567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe
"C:\Users\Admin\AppData\Local\Temp\567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-119-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-120-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-121-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-122-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-123-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-124-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-125-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-126-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-127-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-129-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-128-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-130-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-131-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-133-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-134-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-135-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-137-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-138-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-139-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-140-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-136-0x0000000001190000-0x0000000001814000-memory.dmp

Filesize
6.5MB

Download
memory/1496-132-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-141-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-142-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-143-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-144-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-145-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-146-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-147-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-148-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-149-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-150-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-151-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-152-0x0000000001190000-0x0000000001814000-memory.dmp

Filesize
6.5MB

Download
memory/1496-153-0x0000000001190000-0x0000000001814000-memory.dmp

Filesize
6.5MB

Download
memory/1496-154-0x0000000001190000-0x0000000001814000-memory.dmp

Filesize
6.5MB

Download
memory/1496-156-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-155-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-157-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-158-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-159-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-160-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-161-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-162-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-163-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-165-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-164-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-166-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-168-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-169-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-167-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-170-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-171-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-172-0x0000000077A80000-0x0000000077C0E000-memory.dmp

Filesize
1.6MB

Download
memory/1496-173-0x0000000001190000-0x0000000001814000-memory.dmp

Filesize
6.5MB

Download