recordbreaker | 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a

General

Target

905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
Size

218KB
MD5

387af1d8f0c82fa1111931c2cad2f912
SHA1

7dc4b93f1c6031512ea2f232741740292f0d3232
SHA256

905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a
SHA512

d72c4a04ff54c3d9c22e0c22eb843f420ee7ba423ebc9ed77e72bf6477fbbcbfc756c2e8003bcae63e2ef63330dc878f482cf300877841484be8d31437696d31

Score

10^/10

recordbreaker redline mario2 infostealer spyware stealer suricata

Malware Config

Extracted

Family

redline

Botnet

mario2

C2

193.106.191.129:80

Attributes

auth_value
4ef7e3fec3a418b2f0233b604d0560d9

Signatures

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3688-158-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

7DFA.exe93D5.exe

pid process

4944 7DFA.exe
4496 93D5.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

7DFA.exe

description pid process target process

PID 4944 set thread context of 3688 4944 7DFA.exe InstallUtil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

916 2848 WerFault.exe explorer.exe

pid	process
4944	7DFA.exe
4496	93D5.exe

description	pid	process	target process
PID 4944 set thread context of 3688	4944	7DFA.exe	InstallUtil.exe

pid	pid_target	process	target process
916	2848	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe

pid	process
3896	905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
3896	905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe

pid process

3896 905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
3020
3020
3020
3020

pid	process
3020

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

InstallUtil.exe

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	3688	InstallUtil.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

7DFA.exe

description	pid	process	target process
PID 3020 wrote to memory of 4944	3020		7DFA.exe
PID 3020 wrote to memory of 4944	3020		7DFA.exe
PID 3020 wrote to memory of 4944	3020		7DFA.exe
PID 3020 wrote to memory of 4496	3020		93D5.exe
PID 3020 wrote to memory of 4496	3020		93D5.exe
PID 3020 wrote to memory of 4496	3020		93D5.exe
PID 3020 wrote to memory of 2848	3020		explorer.exe
PID 3020 wrote to memory of 2848	3020		explorer.exe
PID 3020 wrote to memory of 2848	3020		explorer.exe
PID 3020 wrote to memory of 2848	3020		explorer.exe
PID 3020 wrote to memory of 3892	3020		explorer.exe
PID 3020 wrote to memory of 3892	3020		explorer.exe
PID 3020 wrote to memory of 3892	3020		explorer.exe
PID 4944 wrote to memory of 3688	4944	7DFA.exe	InstallUtil.exe
PID 4944 wrote to memory of 3688	4944	7DFA.exe	InstallUtil.exe
PID 4944 wrote to memory of 3688	4944	7DFA.exe	InstallUtil.exe
PID 4944 wrote to memory of 3688	4944	7DFA.exe	InstallUtil.exe
PID 4944 wrote to memory of 3688	4944	7DFA.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe
"C:\Users\Admin\AppData\Local\Temp\905fcb65077aa07005af8f7f7cbc3392205c56576f0b30ba407f78f72edaba2a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3896

C:\Users\Admin\AppData\Local\Temp\7DFA.exe
C:\Users\Admin\AppData\Local\Temp\7DFA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3688

C:\Users\Admin\AppData\Local\Temp\93D5.exe
C:\Users\Admin\AppData\Local\Temp\93D5.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 872
  2⤵
  - Program crash
  PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2848 -ip 2848
1⤵
PID:992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7DFA.exe

Filesize
1.6MB

MD5
df9cc49add3e01f23c63b0f73469f752

SHA1
6f8199ae9280e13671f5eb5715b093cd93f6732e

SHA256
b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

SHA512
09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DFA.exe

Filesize
1.6MB

MD5
df9cc49add3e01f23c63b0f73469f752

SHA1
6f8199ae9280e13671f5eb5715b093cd93f6732e

SHA256
b18d30fdfaa2f3469131da279fe2a64ed3cf6c1cbc8785ea1ba6e7596ae85419

SHA512
09100b76b4d0ba5a417da4a68977ed0a9eba8563cc5866e0cf912234ebded7598c482967e1812c143868c43c49eb882f82588dfafc041698b814c564decfc9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\93D5.exe

Filesize
6.6MB

MD5
a840af25865513286606284b38490add

SHA1
3ab6eaaa2457f3afc1a37645152a91efa95751af

SHA256
26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

SHA512
fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\93D5.exe

Filesize
6.6MB

MD5
a840af25865513286606284b38490add

SHA1
3ab6eaaa2457f3afc1a37645152a91efa95751af

SHA256
26923ba499b7c445e86e76c616dee82cd5699de4bdfcf61d3e09562b36f2fbad

SHA512
fec4a023ac03aa0733d6e4f11dd9f79c1329b2b73acd543e85b96d2fd32de4374a26250dd36f82919e32bd022fa3e753c8bf09cdb9e92670314ba0f7ef38ceb6

Download Submit
memory/2848-149-0x0000000001420000-0x000000000148B000-memory.dmp

Filesize
428KB

Download
memory/2848-146-0x0000000001420000-0x000000000148B000-memory.dmp

Filesize
428KB

Download
memory/2848-145-0x0000000001490000-0x0000000001504000-memory.dmp

Filesize
464KB

Download
memory/2848-144-0x0000000000000000-mapping.dmp

Download
memory/3688-170-0x00000000085E0000-0x0000000008B0C000-memory.dmp

Filesize
5.2MB

Download
memory/3688-155-0x0000000000000000-mapping.dmp

Download
memory/3688-160-0x00000000057A0000-0x0000000005DB8000-memory.dmp

Filesize
6.1MB

Download
memory/3688-169-0x0000000007EE0000-0x00000000080A2000-memory.dmp

Filesize
1.8MB

Download
memory/3688-168-0x0000000006700000-0x0000000006766000-memory.dmp

Filesize
408KB

Download
memory/3688-171-0x0000000007570000-0x00000000075C0000-memory.dmp

Filesize
320KB

Download
memory/3688-162-0x0000000005320000-0x000000000542A000-memory.dmp

Filesize
1.0MB

Download
memory/3688-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3688-156-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3688-161-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/3688-163-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/3688-167-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/3688-166-0x0000000006BB0000-0x0000000007154000-memory.dmp

Filesize
5.6MB

Download
memory/3688-165-0x0000000006560000-0x00000000065F2000-memory.dmp

Filesize
584KB

Download
memory/3688-164-0x0000000006440000-0x00000000064B6000-memory.dmp

Filesize
472KB

Download
memory/3892-148-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/3892-147-0x0000000000000000-mapping.dmp

Download
memory/3896-131-0x0000000000780000-0x0000000000789000-memory.dmp

Filesize
36KB

Download
memory/3896-132-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3896-133-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/3896-130-0x0000000000A0D000-0x0000000000A1B000-memory.dmp

Filesize
56KB

Download
memory/4496-138-0x0000000000000000-mapping.dmp

Download
memory/4496-152-0x0000000000B90000-0x00000000015EC000-memory.dmp

Filesize
10.4MB

Download
memory/4496-142-0x0000000000B90000-0x00000000015EC000-memory.dmp

Filesize
10.4MB

Download
memory/4944-159-0x00000000030EF000-0x000000000323E000-memory.dmp

Filesize
1.3MB

Download
memory/4944-154-0x0000000011850000-0x0000000011995000-memory.dmp

Filesize
1.3MB

Download
memory/4944-153-0x0000000011850000-0x0000000011995000-memory.dmp

Filesize
1.3MB

Download
memory/4944-151-0x00000000030EF000-0x000000000323E000-memory.dmp

Filesize
1.3MB

Download
memory/4944-150-0x0000000002CE6000-0x00000000030DF000-memory.dmp

Filesize
4.0MB

Download
memory/4944-141-0x00000000030EF000-0x000000000323E000-memory.dmp

Filesize
1.3MB

Download
memory/4944-137-0x0000000002CE6000-0x00000000030DF000-memory.dmp

Filesize
4.0MB

Download
memory/4944-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads