MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 19


Intelligence 19 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
SHA3-384 hash: 489b9bbf7fc5c1ffafe1e3f2388d9a7ced86afe91266f1e49da45a999562977fcc92116fb20d398545bf831113aee3e4
SHA1 hash: 60ac2902d8aedc6e08d1374795af281ef32002db
MD5 hash: 637d140a25eb70e57398fae83ad494fc
humanhash: double-robin-charlie-maine
File name:tuptuo.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:16'366'080 bytes
First seen:2025-08-09 16:30:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 393216:UbtXHjeRtW12z7RtWI2QzyW7H+BpzRdyRpczVI8IjzCjpKz:UxzevW12z7vWI2SehV6zn
Threatray 9 similar samples on MalwareBazaar
TLSH T1ECF601070C227A74D3B16E3FAC81B506289025277AD122FD354ED4F5EC39E895AADE7C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon f0cca6aaaaa6ccf0 (6 x Formbook, 4 x XWorm, 2 x AsyncRAT)
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
147.185.221.30:57375

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.185.221.30:57375 https://threatfox.abuse.ch/ioc/1566599/

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
tuptuo.exe
Verdict:
Malicious activity
Analysis date:
2025-08-09 16:15:55 UTC
Tags:
evasion skuld loader auto-reg telegram stealer auto-startup arch-doc crypto-regex umbralstealer arch-scr discord exfiltration xworm quasar
Link:
https://app.any.run/tasks/9b9d706f-d464-499c-9975-f6338c8c7923

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19898/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6897743b11d7f9b979e6fdeb
Tags:
vmdetect autorun quasar
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a window
DNS request
Connection attempt
Sending an HTTP POST request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Moving a recently created file
Sending an HTTP GET request
Sending a TCP request to an infection source
Enabling the 'hidden' option for recently created files
BSOD occurred
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Query of malicious DNS domain
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62f29596-acf8-463d-be75-aa355fdba2e6
Result
Threat name:
AsyncRAT, Blank Grabber, Go Stealer, Qua
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1753752
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to infect the boot sector
Creates multiple autostart registry keys
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Excessive usage of taskkill to terminate processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential Mpclient.DLL Sideloading Via Defender Binaries
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Startup Folder Persistence
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AsyncRAT
Yara detected Blank Grabber
Yara detected Go Stealer
Yara detected Quasar RAT
Yara detected Telegram RAT
Yara detected Telegram Stealer
Yara detected ThunderKitty Grabber
Yara detected Umbral Stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1753752 Sample: tuptuo.exe Startdate: 09/08/2025 Architecture: WINDOWS Score: 100 121 api.telegram.org 2->121 123 sell-underlying.gl.at.ply.gg 2->123 125 14 other IPs or domains 2->125 165 Suricata IDS alerts for network traffic 2->165 167 Found malware configuration 2->167 169 Malicious sample detected (through community Yara rule) 2->169 173 29 other signatures 2->173 10 tuptuo.exe 10 2->10         started        13 OpenWith.exe 2->13         started        16 OpenWith.exe 2->16         started        18 4 other processes 2->18 signatures3 171 Uses the Telegram API (likely for C&C communication) 121->171 process4 file5 105 C:\Users\user\AppData\...\workyhopey.exe, PE32 10->105 dropped 107 C:\Users\user\AppData\Roaming\uwu.exe, PE32+ 10->107 dropped 109 C:\Users\user\AppData\Roaming\rrrrr.exe, PE32 10->109 dropped 111 6 other malicious files 10->111 dropped 20 avast_free_antivirus_setup_online.exe 1 3 10->20         started        25 niggascaughtstealin.exe 10->25         started        27 uwu.exe 9 10->27         started        29 5 other processes 10->29 205 Installs a global keyboard hook 13->205 signatures6 process7 dnsIp8 127 ip-info-gcp.ff.avast.com 34.111.175.102, 443, 49693 GOOGLEUS United States 20->127 129 analytics-prod-gcp.ff.avast.com 34.117.223.223, 443, 49691, 49697 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->129 131 e9229.dscd.akamaiedge.net 23.215.57.147, 443, 49694, 49707 AKAMAI-ASUS United States 20->131 85 C:\...\avast_free_antivirus_online_setup.exe, PE32 20->85 dropped 175 Query firmware table information (likely to detect VMs) 20->175 177 Contains functionality to infect the boot sector 20->177 31 avast_free_antivirus_online_setup.exe 20->31         started        133 discord.com 162.159.135.232, 443, 49742 CLOUDFLARENETUS United States 25->133 87 C:\ProgramData\Microsoft\...\M0qu3.scr, PE32 25->87 dropped 89 C:\Windows\System32\drivers\etc\hosts, ASCII 25->89 dropped 179 Suspicious powershell command line found 25->179 181 Found many strings related to Crypto-Wallets (likely being stolen) 25->181 183 Uses cmd line tools excessively to alter registry or file data 25->183 195 6 other signatures 25->195 35 powershell.exe 25->35         started        37 cmd.exe 25->37         started        39 attrib.exe 25->39         started        46 9 other processes 25->46 135 api.telegram.org 149.154.167.220, 443, 49712 TELEGRAMRU United Kingdom 27->135 185 Found Tor onion address 27->185 187 Tries to harvest and steal browser information (history, passwords, etc) 27->187 197 2 other signatures 27->197 41 tasklist.exe 1 27->41         started        48 17 other processes 27->48 137 sell-underlying.gl.at.ply.gg 147.185.221.30, 16853, 49698, 49733 SALSGIVERUS United States 29->137 139 ip-api.com 208.95.112.1, 49700, 49705, 49739 TUT-ASUS United States 29->139 91 C:\Users\...\Windows Defender Command Line, PE32 29->91 dropped 93 C:\Users\user\AppData\...\MpCmdRun.exe, PE32 29->93 dropped 95 C:\Users\user\AppData\Local\Temp\skid, PE32 29->95 dropped 189 Antivirus detection for dropped file 29->189 191 Multi AV Scanner detection for dropped file 29->191 193 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->193 199 7 other signatures 29->199 43 MpCmdRun.exe 29->43         started        50 2 other processes 29->50 file9 signatures10 process11 dnsIp12 113 C:\Windows\Temp\...\icarus_ui.exe, PE32+ 31->113 dropped 115 C:\Windows\Temp\...\icarus_mod.dll, PE32 31->115 dropped 117 C:\Windows\Temp\...\icarus.exe, PE32+ 31->117 dropped 119 2 other malicious files 31->119 dropped 151 Query firmware table information (likely to detect VMs) 31->151 153 Contains functionality to infect the boot sector 31->153 155 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 31->155 52 icarus.exe 31->52         started        157 Loading BitLocker PowerShell Module 35->157 61 2 other processes 35->61 159 Uses ping.exe to check the status of other devices and networks 37->159 63 2 other processes 37->63 65 2 other processes 39->65 57 conhost.exe 41->57         started        147 147.185.221.25, 1187, 49704, 49737 SALSGIVERUS United States 43->147 161 Hides that the sample has been downloaded from the Internet (zone.identifier) 43->161 163 Installs a global keyboard hook 43->163 59 schtasks.exe 43->59         started        67 9 other processes 46->67 69 15 other processes 48->69 71 2 other processes 50->71 file13 signatures14 process15 dnsIp16 141 e4920.dscd.akamaiedge.net 23.64.242.25, 443, 49716 NTT-COMMUNICATIONS-2914US United States 52->141 143 shepherd-gcp.ff.avast.com 34.160.176.28, 443, 49715, 49720 ATGS-MMD-ASUS United States 52->143 145 14 other IPs or domains 52->145 97 C:\Windows\Temp\...\icarus_ui.exe, PE32+ 52->97 dropped 99 C:\Windows\Temp\...\icarus_rvrt.exe, PE32+ 52->99 dropped 101 C:\Windows\Temp\...\icarus_product.dll, PE32+ 52->101 dropped 103 9 other malicious files 52->103 dropped 201 Query firmware table information (likely to detect VMs) 52->201 73 icarus.exe 52->73         started        76 icarus.exe 52->76         started        78 icarus_ui.exe 52->78         started        81 conhost.exe 59->81         started        83 conhost.exe 59->83         started        file17 signatures18 process19 dnsIp20 203 Query firmware table information (likely to detect VMs) 73->203 149 ipm-gcp-prod.ff.avast.com 34.111.24.1, 443, 49740 GOOGLEUS United States 78->149 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.86 Win 32 Exe x86
Link:
https://app.malva.re/file/637d140a25eb70e57398fae83ad494fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80/
Verdict:
Malicious
Threat:
Family.XWORM
Link:
https://tip.neiki.dev/file/fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2025-08-09 16:15:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rjyqssekk3pqchcqdod7q5akhibfg7cvk7wd2ubnwwpnq7kt2aa._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
umbral
Create hunting rule
xworm
Create hunting rule
skuldstealer
Create hunting rule
Similar samples:
1512ac97914055e1eab90a50fb37b8cd398167078dd3aec6d0e1568897b17aa5
XWorm
3718c458d29ae556d91c62b49c48346a1336a56eb812f0564efc82eb1b0f7324
XWorm
89c38e07053d405315eac0ba826f1de0795f257fd8b0904a50d69d730e7621bd
XWorm
error
XWorm
f257b40a001f5498a662bc645d5c2e584770ae7364d807f157ee4cd245f99e1a
XWorm
fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:umbral family:xworm botnet:hail_china_mainland botnet:office04 botnet:xworm rce bootkit discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250809-t1ataahl5w/
Behaviour
Checks processor information in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates processes with tasklist
Adds Run key to start application
Checks for any installed AV software in registry
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect Xworm Payload
Detects Umbral payload
Quasar RAT
Quasar family
Quasar payload
Umbral
Umbral family
Xworm
Xworm family
Malware Config
C2 Extraction:
147.185.221.30:57375
147.185.221.25:1187
147.185.221.30:8080
https://discord.com/api/webhooks/1402099083564417194/HLxUSK46CT6XY_Vd0am6Gs9aBVe6HaoHhRJ4f5maNKNynVz-ihaGxhuUWdNC1lvhYSQE
sell-underlying.gl.at.ply.gg:16853
selection-links.gl.at.ply.gg:58222
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b6b4dfd8-facc-4bb6-b49d-dd96e4784580
Unpacked files
SH256 hash:
fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
MD5 hash:
637d140a25eb70e57398fae83ad494fc
SHA1 hash:
60ac2902d8aedc6e08d1374795af281ef32002db
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
SH256 hash:
8bef8cc5cef02948f8aedf64e2cb78e44e5f8dd45144827f9c71be5f2f1a2733
MD5 hash:
a14a63390be5fb8a5ef0abc49e83b887
SHA1 hash:
e5ad23490547dbbbc96922c93c8049204f2c7765
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
SH256 hash:
f4493db8cdbf985cd9aa0cbcba20e3632ae34b560a5417ffc5ba387ee73894dd
MD5 hash:
a480b80c554306f80f28fcce73e71ff0
SHA1 hash:
00d4433ee1d2ffc552df62a393dcec2fe5d64a1b
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
SH256 hash:
99f8bd226531ef43fc7422f7d85cde3e2b529ac661bc9312415b9c6ca6a9ff34
MD5 hash:
5477dec8de5852de49932442b6f458f1
SHA1 hash:
18591ac91cac78eb017e780792b50ac090a09f07
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
SH256 hash:
c9736bed57d137a0bd4a454a70436020312db5a365bdd243037e766695c18ccd
MD5 hash:
41b34eab1585d5381c56730b93dd1310
SHA1 hash:
510b640517342dbcc40c81b63db23fa1444a71ed
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
SH256 hash:
3f88f212b3b7db4425ad9b4feb5e52351e99f217b9e7c1e129b506dd4d19bd9b
MD5 hash:
640a5599f8c63ef73119db14cee6d124
SHA1 hash:
694d3b6bda20440d04bcf645a9e9be747d54a139
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
SH256 hash:
e54b3f90f18efaba3b4e714533d5e1f0aaf2f656b9166d6498e15b659cc41b8c
MD5 hash:
4a3c2b2b73407e79a9ebc6caece6c144
SHA1 hash:
70f64ab70fdc0c484da6f914d2742115c7a97141
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
HKTL_NET_GUID_Quasar
Create hunting rule
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
Parent samples :
5f2b5c871d9def423830873e376abeba49846bcd8cd8706e7eb02e3306ae85b2
f82eec674bf95ff5819f711f2009f1d1efefeb96cd7fd314150b964d4d8af7e7
659655e1978f173874b8e7ee162720482d3314cf04c4ec6a4a58022856dd6b7f
7607946bbdeb75cfa95d20ad272299405c86df13f17426fca36e4dfa6264d252
bf8af2f1ae9d243e207e34fffd7aefc629645d729fa4a4e76f93535fa036d92e
2d6903a6ab9162953059630ba9ea059da90b199e9c9c11a3fa5d8ae9b777c508
4d2c089e16f83ff8b02cd60907278e5651b158595d6556d48847b4a184fded9c
ca161bb7ec1a3ff41ed793353b5b39f3d9fa3022b634c04f2eb41c1ca23a0c8b
b76f0646dca066e84a66453203e8bb4f4b515f6d48d112f99b4a9f2e92abb394
5d6b6bcd74ed29295040fe1622bd3c681fe2b729eaa9f24b4538d1db6eb2e3e3
def7bbc3a2ebc9a5c96d91c3b916bf9326023cc13ff0330de21e7569525faf55
fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80
507b813f47259eadd4260cb58e5a8244799d0ac3075d68147095b1bd9a2b7593
c30fdd073be8172d6975c53b1c6fa4955a0f20ebaef408228017540ba4d8ad62
4b0912cff58f405a3335f0d2685f3eb8a03ed1f85c899ad5f6235a66cb7faf2a
5067a1e7cdb7fd99b12ca0c3d76caca7cc12ed86f9da5f5d83a8ad37bba7dbdf
04e680c37b3e4dea85505d8b785912f9a9ad3c7bbfc440e1f1654fd06510bc3c
ee4552132293dd151868a5cfb0e3e3fd2816956ab3cd30af8fa37e3802014f0d
be3a31e848714f23f154adfa730c869805503a27927f26afcdb9009b380c46b5
SH256 hash:
29bb399358834f193cf5c89d26f08c79ce7ea92a8b87c08d447de9f76f14b09d
MD5 hash:
69f311b8b47466a6bd1b67887d68a4b4
SHA1 hash:
f93f03852c9aa69afba97654d8723cf0eb8da35a
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
SH256 hash:
a95735d398e358b89c7797f78e7d1b125d410b71da39befffd1a409ac3ab2d12
MD5 hash:
992291f290f5cd00873b8679e415ef52
SHA1 hash:
8a3e55711215a5e072c64203805b6b5e46ff07de
Detections:
win_xworm_w0
Create hunting rule
MAL_RANSOM_COVID19_Apr20_1
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/e16c75b9-488e-4c01-9747-f1dda5695dc2/
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc53884a4452/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc53884a4452b6f808e280dc3fc3a051d0129be2aabf61ea816dacf6c3ea9e80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19898/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments