General
-
Target
ali.ps1
-
Size
1.0MB
-
Sample
220621-p1kw2adedr
-
MD5
e579b1afc9c6bf6f25f461fc8f96c349
-
SHA1
c6b10e55440832e2b9877c05e77b2c93585f507d
-
SHA256
249fa3bc0b500df45b167912505c5edffeac8681e3d4708e92e97340f155da67
-
SHA512
683804fdbda25be2763726d49ee0186959c7e2d3b855c53ff74d42c6601c18cde7e1b8db547d11accbd34f3c326bcc8b43ebe71284cd5f681b855932bf34d12a
Static task
static1
Behavioral task
behavioral1
Sample
ali.ps1
Resource
win7-20220414-en
Malware Config
Extracted
recordbreaker
http://136.244.65.99/
http://140.82.52.55/
Extracted
arkei
Default
Targets
-
-
Target
ali.ps1
-
Size
1.0MB
-
MD5
e579b1afc9c6bf6f25f461fc8f96c349
-
SHA1
c6b10e55440832e2b9877c05e77b2c93585f507d
-
SHA256
249fa3bc0b500df45b167912505c5edffeac8681e3d4708e92e97340f155da67
-
SHA512
683804fdbda25be2763726d49ee0186959c7e2d3b855c53ff74d42c6601c18cde7e1b8db547d11accbd34f3c326bcc8b43ebe71284cd5f681b855932bf34d12a
-
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
-
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-