Windows Analysis Report
zRZljp49Uz

Overview

General Information

Sample Name: zRZljp49Uz (renamed file extension from none to exe)
Analysis ID: 650286
MD5: 0cfa58846e43dd67b6d9f29e97f6c53e
SHA1: 19d9fbfd9b23d4bd435746a524443f1a962d42fa
SHA256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
Tags: exe, RaccoonStealer, RecordBreaker

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Uses 32bit PE files
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Program does not show much activity (idle)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • zRZljp49Uz.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\zRZljp49Uz.exe" MD5: 0CFA58846E43DD67B6D9F29E97F6C53E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Snort alert 1
  Timestamp: 06/22/22-12:00:13.668134
  Source IP: 192.168.2.5
  Destination IP: 51.195.166.184
  Source Port: 49746
  Destination Port: 80
  SID: 2036934
  Protocol: TCP
  Classtype: A Network Trojan was detected

Snort alert 2
  Timestamp: 06/22/22-12:00:13.668134
  Source IP: 192.168.2.5
  Destination IP: 51.195.166.184
  Source Port: 49746
  Destination Port: 80
  SID: 2036882
  Protocol: TCP
  Classtype: A Network Trojan was detected

AV Detection

Source: zRZljp49Uz.exe | Avira: detected
Source: zRZljp49Uz.exe | Virustotal: Detection: 73%
Source: zRZljp49Uz.exe | Metadefender: Detection: 28%
Source: zRZljp49Uz.exe | ReversingLabs: Detection: 88%
Source: http://51.195.166.184/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41806 lstrlen,LocalAlloc,LocalAlloc,lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41726 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,StrCpyW,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A417A1 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4617D LocalAlloc,CryptStringToBinaryA,lstrlen,CryptStringToBinaryA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,StrCpyW,LocalFree,StrCpyW,StrCpyW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A43244 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A427C6 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A42CC6 LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,LocalFree,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,CopyFileW,DeleteFileW,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,CryptUnprotectData,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,
Source: zRZljp49Uz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zRZljp49Uz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41E26 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4AF2C LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4643A LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A41B13 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4B29D LocalAlloc,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A43C9D StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A439E5 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A49DEA LocalAlloc,StrCpyW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A45870 LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4197C FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A46053 FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindClose,lstrlenW,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A45D00 LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,GetLogicalDriveStringsW,GetDriveTypeW,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,StrStrW,StrStrW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,StrStrW,GetEnvironmentVariableW,LocalFree,LocalFree,StrCpyW,LocalFree,LocalFree,

Networking

Source: Traffic | Snort IDS: 2036882 ET TROJAN Generic Stealer Config Download Request 192.168.2.5:49746 -> 51.195.166.184:80
Source: Traffic | Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.5:49746 -> 51.195.166.184:80
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | IP Address: 51.195.166.184
Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: unknown | TCP traffic detected without corresponding DNS query: 51.195.166.184
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.10.3 (Ubuntu)
  Date: Wed, 22 Jun 2022 10:00:13 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 14
  Connection: keep-alive
  Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
  Cross-Origin-Embedder-Policy: require-corp
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Resource-Policy: same-origin
  X-DNS-Prefetch-Control: off
  Expect-CT: max-age=0
  X-Frame-Options: SAMEORIGIN
  Strict-Transport-Security: max-age=15552000; includeSubDomains
  X-Download-Options: noopen
  X-Content-Type-Options: nosniff
  Origin-Agent-Cluster: ?1
  X-Permitted-Cross-Domain-Policies: none
  Referrer-Policy: no-referrer
  X-XSS-Protection: 0
  ETag: W/"e-vDAjs2Bjp2gdskaBRytU+hHw1Ow"
  Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64
  Data Ascii: Page not found
Source: zRZljp49Uz.exe, 00000000.00000002.415337506.0000000000802000.00000004.00000020.00020000.00000000.sdmp, zRZljp49Uz.exe, 00000000.00000003.414770587.0000000000802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://51.195.166.184/
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  User-Agent: record
  Host: 51.195.166.184
  Content-Length: 95
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 61 6c 66 6f 6e 73 26 63 6f 6e 66 69 67 49 64 3d 35 39 63 39 37 33 37 32 36 34 63 30 62 33 32 30 39 64 39 31 39 33 62 38 64 65 64 36 63 31 32 37
  Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=59c9737264c0b3209d9193b8ded6c127
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A479F3 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,StrStrW,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,InternetOpenW,InternetOpenW,InternetConnectW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,lstrlen,HttpSendRequestW,lstrlenW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalAlloc,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalFree,LocalFree,LocalFree,
Source: zRZljp49Uz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: String function: 00A41806 appears 92 times
Source: zRZljp49Uz.exe | Virustotal: Detection: 73%
Source: zRZljp49Uz.exe | Metadefender: Detection: 28%
Source: zRZljp49Uz.exe | ReversingLabs: Detection: 88%
Source: zRZljp49Uz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Code function: 0_2_00A4A2D7 CreateToolhelp32Snapshot,Process32First,Process32Next,
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\zRZljp49Uz.exe | Mutant created: \Sessions\1\BaseNamedObjects\8724643052
Source: classification engine | Classification label: mal72.winEXE@1/0@0/1
Source: zRZljp49Uz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: zRZljp49Uz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG