General

  • Target: ghjkl.exe

  • Size: 768KB

  • Sample: 220626-f9rlhaage6

  • MD5: 63645a9e1f5e77ba3c75366f3a14ab87

  • SHA1: ed1497c47dc283118bbc57d49cd9f354785cf73d

  • SHA256: 2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

  • SHA512: 4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Score
10/10

Malware Config

Extracted

Family: recordbreaker

C2:

http://136.244.65.99/

http://140.82.52.55/

Targets

    • Target: ghjkl.exe
    • RecordBreaker

      RecordBreaker is an information stealer, written in C++, that is capable of downloading and executing secondary payloads.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks