General

  • Target

    Pass_1234_Setup.rar

  • Size

    5.3MB

  • Sample

    220630-lkvjrabhf2

  • MD5

    a5d5cbd6d221b528f236857dd6dad09f

  • SHA1

    31881992e6c5cabb710bc131de947f86c9f5d87e

  • SHA256

    3b93d09292f2f38a0405954ff5c9a4697a2425fbcfad55d61782d4d055b2d9f7

  • SHA512

    df3412ae30fce4bf0402fc16a95442535febbc5fce94c09c45c5c3819b10d135b80b31362f9b5d1d62d7f6746df8e590dffbb7fcaa0bf3a2bf914da3ee013e53

Malware Config

Extracted

Family

recordbreaker

C2

http://45.140.146.30/

http://45.133.216.200/
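
The hashes and C2 URLs in this report are the indicators a responder reuses, so the following Python (added here, not part of the Triage report) turns them into a small matcher: it hashes file contents and compares them against both the archive and the dropped Setup.exe (hashes taken from the Targets section below), and it scans proxy-log lines for the two C2 hosts as whole tokens so that a longer address such as 145.140.146.30 does not produce a false hit. The SHA512 values are left out of the IOC table for brevity and can be added the same way; the proxy log lines are constructed for the dry run.

```python
import hashlib
import re
import sys

# IOCs copied from the report: the archive, the dropped Setup.exe and the C2 URLs.
IOC_HASHES = {
    "Pass_1234_Setup.rar": {
        "md5": "a5d5cbd6d221b528f236857dd6dad09f",
        "sha1": "31881992e6c5cabb710bc131de947f86c9f5d87e",
        "sha256": "3b93d09292f2f38a0405954ff5c9a4697a2425fbcfad55d61782d4d055b2d9f7",
    },
    "Setup.exe": {
        "md5": "8c56d9ea1ae002bb3d998069fbd81a31",
        "sha1": "d8fd68e3344f490826afd859899b16477e879c78",
        "sha256": "a62628c4a68d9261ab6fe875a79f6876ef1089b5b68ba57f61c65f3854aeef73",
    },
}
IOC_C2 = ["http://45.140.146.30/", "http://45.133.216.200/"]


def file_digests(data: bytes) -> dict:
    """Lowercase hex MD5/SHA1/SHA256 of a byte string (file contents)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_digests(digests: dict, iocs: dict = IOC_HASHES) -> list:
    """Return [(name, algo)] for every report hash equal to the given digests.
    One algorithm matching is enough; SHA256 is the value to trust, MD5/SHA1
    are kept only because older feeds still key on them."""
    hits = []
    for name, known in iocs.items():
        for algo, value in known.items():
            if digests.get(algo, "").lower() == value:
                hits.append((name, algo))
    return hits


def c2_hosts(urls=IOC_C2) -> set:
    """Pull the dotted-quad host out of each C2 URL; the stealer talks to
    bare IPs, so the host is what proxy logs will show."""
    return {re.match(r"https?://([^/:]+)", u).group(1) for u in urls}


def scan_proxy_log(lines, hosts=None) -> list:
    """Return (line_no, host) for each line containing a C2 host as a whole
    token: no digit or dot may directly precede or follow the address."""
    hosts = hosts or c2_hosts()
    alternatives = "|".join(re.escape(h) for h in sorted(hosts))
    pattern = re.compile(r"(?<![\d.])(" + alternatives + r")(?![\d.])")
    hits = []
    for n, line in enumerate(lines, 1):
        m = pattern.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


# Constructed proxy lines (not from the report); line 1 is a near-miss on purpose.
SAMPLE_LOG = [
    "2022-06-30T10:01:02Z 10.0.0.12 GET http://145.140.146.30/index.html 200",
    "2022-06-30T10:01:05Z 10.0.0.12 POST http://45.140.146.30/ 200",
    "2022-06-30T10:01:09Z 10.0.0.12 GET http://45.133.216.200/ 200",
    "2022-06-30T10:01:11Z 10.0.0.12 GET http://example.com/ 200",
]

if __name__ == "__main__":
    print("C2 hits in sample log:", scan_proxy_log(SAMPLE_LOG))
    for path in sys.argv[1:]:  # optional: files to hash and compare
        with open(path, "rb") as f:
            print(path, match_digests(file_digests(f.read())))
```

Run it with no arguments to see the two log hits, or pass file paths to compare their hashes with the report. Matching on SHA256 alone is sufficient in practice; the MD5 and SHA1 columns exist only for feeds that still publish them.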

Targets

    • Target

      Setup.exe

    • Size

      400.2MB

    • MD5

      8c56d9ea1ae002bb3d998069fbd81a31

    • SHA1

      d8fd68e3344f490826afd859899b16477e879c78

    • SHA256

      a62628c4a68d9261ab6fe875a79f6876ef1089b5b68ba57f61c65f3854aeef73

    • SHA512

      4d493baf3787da147a88bab6da07faaef1ee7ed5381e3a9caf99d25d4db969829e79720c5f0acb8eeebe01d3efaea9a08ee9e7953b50b9e9a8cf615242657c6f

    • RecordBreaker

      RecordBreaker is an information stealer written in C++ that is also capable of downloading and executing secondary payloads.

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

    • suricata: ET MALWARE Generic Stealer Config Download Request

    • suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
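
Taken individually, the registry reads flagged above (BIOS strings, VirtualBox ACPI tables, the configured country code, the Uninstall key, the UAC setting) are all things legitimate installers also do; what makes them a stealer tell is one process doing several of them in quick succession. The following Python, added here and not part of the Triage report or the sample, shows that correlation over registry-read events. The key paths it uses are the standard Windows locations for each item and are my assumption, since the report names the behaviours but not the exact keys the sample touched; the events are constructed in Sysmon style.

```python
from collections import defaultdict

# Assumed registry locations for the behaviours listed in the report. Each maps to
# a coarse category so the rule counts distinct intents, not raw key hits.
REG_INDICATORS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": ("anti_vm", "VirtualBox ACPI table name"),
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": ("anti_vm", "BIOS vendor/product strings"),
    r"HKCU\Control Panel\International\Geo\Nation": ("geofence", "configured country code"),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall": ("discovery", "installed software"),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": ("discovery", "UAC enabled?"),
}

# Alert when one process touches at least MIN_CATEGORIES distinct categories
# within WINDOW_SECONDS. A single category on its own is routine for installers.
MIN_CATEGORIES = 3
WINDOW_SECONDS = 60


def classify(key: str):
    """Return (category, note) if the key sits under an indicator path, else None."""
    k = key.lower()
    for path, (cat, note) in REG_INDICATORS.items():
        if k.startswith(path.lower()):
            return cat, note
    return None


def score_events(events):
    """events: iterable of (timestamp_seconds, pid, image, registry_key).
    Returns {pid: {"image", "categories", "keys"}} for every pid whose indicator
    reads span MIN_CATEGORIES categories inside one WINDOW_SECONDS window."""
    per_pid = defaultdict(list)
    for ts, pid, image, key in events:
        hit = classify(key)
        if hit:
            per_pid[pid].append((ts, image, key, hit[0]))

    alerts = {}
    for pid, hits in per_pid.items():
        hits.sort()  # by timestamp
        for i, (t0, image, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= WINDOW_SECONDS]
            cats = {h[3] for h in window}
            if len(cats) >= MIN_CATEGORIES:
                alerts[pid] = {
                    "image": image,
                    "categories": cats,
                    "keys": [h[2] for h in window],
                }
                break
    return alerts


# Constructed events (not from the report): pid 4120 behaves like the stealer,
# the other two processes each touch a single benign-looking key.
SAMPLE_EVENTS = [
    (0, 4120, r"C:\Users\u\Desktop\Setup.exe", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    (1, 4120, r"C:\Users\u\Desktop\Setup.exe", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    (2, 4120, r"C:\Users\u\Desktop\Setup.exe", r"HKCU\Control Panel\International\Geo\Nation"),
    (3, 4120, r"C:\Users\u\Desktop\Setup.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ConstructedApp}"),
    (4, 4120, r"C:\Users\u\Desktop\Setup.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (5, 1800, r"C:\Windows\System32\msiexec.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ConstructedApp}"),
    (6, 2200, r"C:\Program Files\Updater\updater.exe", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
]

if __name__ == "__main__":
    for pid, info in score_events(SAMPLE_EVENTS).items():
        print(pid, info["image"], sorted(info["categories"]))
```

The thresholds are a starting point, not tuned values: raise MIN_CATEGORIES or shrink the window if your fleet runs management agents that legitimately read BIOS and locale keys, and add the VMware and Hyper-V equivalents of the ACPI check before relying on the anti_vm category.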

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   1      T1497
  Credential Access     Credentials in Files             2      T1081
  Discovery             Query Registry                   4      T1012
  Discovery             Virtualization/Sandbox Evasion   1      T1497
  Discovery             System Information Discovery     4      T1082
  Collection            Data from Local System           2      T1005