MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 5 YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
SHA3-384 hash: d6663251c1b707523d031b8c4bed1c683c243e3b9b15fd78646b6543c4e13fe78221910667475c71dc409317528d1953
SHA1 hash: 6c265fe67fd1a6a3a7352a62ecaa87f3a965f359
MD5 hash: 4f1cc6351c88f208864d2766ef6728c8
humanhash: romeo-timing-vegan-oxygen
File name:4F1CC6351C88F208864D2766EF6728C8.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:4'242'295 bytes
First seen:2021-07-08 20:25:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:Ubui1zD6VopUOHzoizE4vXsvk3upL/ekyZ9prWt/:USi96V1S7ooXsvkuL+jxY
Threatray 109 similar samples on MalwareBazaar
TLSH T1AE1633537CE195B2D136163A0F756B12A43DBC104E38CEAF9798186E8A315C1FE32B97
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
65.21.122.45:8085

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
65.21.122.45:8085 https://threatfox.abuse.ch/ioc/158437/
95.213.224.25:80 https://threatfox.abuse.ch/ioc/158445/
http://34.89.184.90/ https://threatfox.abuse.ch/ioc/158448/
45.140.147.91:49644 https://threatfox.abuse.ch/ioc/158735/
195.133.40.204:80 https://threatfox.abuse.ch/ioc/158736/

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4F1CC6351C88F208864D2766EF6728C8.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 20:26:25 UTC
Tags:
autoit evasion
Link:
https://app.any.run/tasks/1851c68c-ce20-475a-a2dc-b04c3dedb8af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
タᅳテ
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170561/
Detection(s):
Win.Malware.Generic-9866235-0
Create hunting rule

Win.Malware.Nymeria-9873414-0
Create hunting rule

Win.Malware.SmokeLoader-9874090-1
Create hunting rule

Win.Malware.Generic-9874384-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb2b0982-b177-47d0-a8e8-d70628be3ca2
Result
Threat name:
Backstage Stealer SmokeLoader Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813757
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 446168 Sample: iKcDLx5Wxc.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 105 email.yg9.me 198.13.62.186 AS-CHOOPAUS United States 2->105 107 104.43.139.144 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->107 113 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->113 115 Multi AV Scanner detection for domain / URL 2->115 117 Antivirus detection for URL or domain 2->117 119 17 other signatures 2->119 9 iKcDLx5Wxc.exe 1 15 2->9         started        12 svchost.exe 2->12         started        15 iexplore.exe 2->15         started        signatures3 process4 file5 83 C:\Users\user\Desktop\pub2.exe, PE32 9->83 dropped 85 C:\Users\user\Desktop\jg3_3uag.exe, PE32 9->85 dropped 87 C:\Users\user\Desktop\KRSetp.exe, PE32 9->87 dropped 89 6 other files (2 malicious) 9->89 dropped 17 Info.exe 9->17         started        22 KRSetp.exe 15 7 9->22         started        24 pub2.exe 9->24         started        32 6 other processes 9->32 145 System process connects to network (likely due to code injection or exploit) 12->145 26 WerFault.exe 12->26         started        28 WerFault.exe 12->28         started        30 iexplore.exe 15->30         started        signatures6 process7 dnsIp8 91 www.anderesitebrauchen.com 17->91 93 www.jinhuamz.com 103.155.92.207, 49763, 80 TWIDC-AS-APTWIDCLimitedHK unknown 17->93 97 14 other IPs or domains 17->97 53 C:\Users\...\vfKUGbY7gZ7zxeoa3oKJiDwD.exe, PE32 17->53 dropped 55 C:\Users\...\uqzXK6owZ1kRKUz2jlEMkx2p.exe, PE32 17->55 dropped 57 C:\Users\...\uLJcrkdbJtKaC34avxUnR7sf.exe, PE32 17->57 dropped 65 37 other files (21 malicious) 17->65 dropped 121 Drops PE files to the document folder of the user 17->121 123 Creates HTML files with .exe extension (expired dropper behavior) 17->123 125 Performs DNS queries to domains with low reputation 17->125 127 Disable Windows Defender real time protection (registry) 17->127 99 2 other IPs or domains 22->99 59 C:\Users\user\AppData\Roaming\8446009.exe, PE32 22->59 dropped 67 2 other files (none is malicious) 22->67 dropped 34 8446009.exe 22->34         started        39 6640342.exe 22->39         started        41 6919899.exe 22->41         started        61 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 24->61 dropped 129 DLL reload attack detected 24->129 131 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 24->131 133 Renames NTDLL to bypass HIPS 24->133 135 Checks if the current machine is a virtual machine (disk enumeration) 24->135 101 2 other IPs or domains 30->101 95 176.113.115.136 SELECTELRU Russian Federation 32->95 103 10 other IPs or domains 32->103 63 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 32->63 dropped 69 5 other files (4 malicious) 32->69 dropped 43 File.exe 3 19 32->43         started        45 jfiag3g_gg.exe 32->45         started        47 WerFault.exe 32->47         started        49 conhost.exe 32->49         started        file9 signatures10 process11 dnsIp12 109 download-serv-632457.xyz 172.67.139.169, 443, 49754 CLOUDFLARENETUS United States 34->109 71 C:\ProgramData\67\vcruntime140.dll, PE32 34->71 dropped 73 C:\ProgramData\67\sqlite3.dll, PE32 34->73 dropped 75 C:\ProgramData\67\softokn3.dll, PE32 34->75 dropped 81 4 other files (none is malicious) 34->81 dropped 137 Performs DNS queries to domains with low reputation 34->137 77 C:\Users\user\AppData\...\WinHoster.exe, PE32 39->77 dropped 111 newja.webtm.ru 92.53.96.150, 49738, 80 TIMEWEB-ASRU Russian Federation 43->111 79 C:\Users\Public\run.exe, PE32 43->79 dropped 139 Binary is likely a compiled AutoIt script file 43->139 141 Drops PE files to the user root directory 43->141 51 run.exe 43->51         started        143 Tries to harvest and steal browser information (history, passwords, etc) 45->143 file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 19:58:42 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=acwd56spvkrze7jix55xq6j5jwwazakm3px3eakxgtlwx3umtchq._file
Verdict:
malicious
Similar samples:
0bcf14216198351151d34d3e6ea6c05bf06c62eee05e15804ba132ea455b3710
RaccoonStealer
1a1d8823b35b8c0d8dfcebe065520a07fe105589893262976fce4122317c55b8
RaccoonStealer
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
RaccoonStealer
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
RaccoonStealer
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
RaccoonStealer
924bb78c8e816ebd25d656fb6cf0387449cd4b3cd55846c99d4f0ddb47f71dd5
RaccoonStealer
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440
RaccoonStealer
af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6
RaccoonStealer
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
RaccoonStealer
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
RaccoonStealer
+ 99 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:408 botnet:865 backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210708-149hcwqkbx/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
https://sergeevih43.tumblr.com/
Unpacked files
SH256 hash:
8ac07124315f36db78c157ed5d2c3d7ed75120ecc4d0d4a6622de2a98f587c16
MD5 hash:
2f1ae78cae116a020760f54479c3e9b3
SHA1 hash:
433fe2252e21043a302af27a6a0741499cefd4ed
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
000c16f27003d3d26dda0f446cee9934fb0b9f7d580e106a27db5ab7ff86de3f
MD5 hash:
fc3f9f28652f551eb282cdcb3fc3567d
SHA1 hash:
9d11469a79979969ec6e69f15f4f270b4d6bc227
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
0b1e42c29060d15c6295ed54091ca3749d260a47bfcc728600df909707610ddc
MD5 hash:
4b785223c3b9e57796c6dda58d559da9
SHA1 hash:
9ad049b7fdbe36274db1b9fbb3737e48240099f7
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
e3887e12924fd4d6dbedfc08b6a1b7d405c25738b2f2eced726a4295fc644f69
MD5 hash:
af4d2d05b17be13f131240e5529e0afe
SHA1 hash:
24b6b5c6927f251636c716942cf2cfa1d7aa3e73
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
574a1e8093a8a16ebc96234701b1b14851f0c3bd2d5d5f687be59ac09b6554f3
MD5 hash:
08ff8f4643d75e0e160dfe7d9c9c006a
SHA1 hash:
890c655b9b28e0ac6bac1c8666b5b4be47011867
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
Parent samples :
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SH256 hash:
21a27c1c007206117edc2618bb834fa31d07f0aa0fe15ef0171e90ec70733017
MD5 hash:
71a8b425237ed53182cebb5dbc841332
SHA1 hash:
4220c9de6b28f499a8e37818e3a1118ca49ed509
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash:
89c739ae3bbee8c40a52090ad0641d31
SHA1 hash:
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
41e43c7b58034ee3d59d8e81952a0113f92513a88f3b56ba5ff542dde35cb47f
MD5 hash:
1cdcc5ad3d27e7c44cba2e9a40fe059d
SHA1 hash:
865e6952e1b6f7ffb174f771bfaacdbf48a12c71
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
53851947e5dcda3b1e190bc68ee10a25a7c7eaddf841d71502cbb6a45da2757a
MD5 hash:
904fefe373ba01cdfb1e6e197919a9de
SHA1 hash:
dab9ac54820a587c428d0b0ba60669e9bf3c8dce
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
62a3f7c9b3b80b217504306ce1d4ac7e172305365398e35fc8ff0084987f424b
MD5 hash:
26620f5493e9bf26e8e47c4f10a49bdf
SHA1 hash:
913376c00277ec7b35658bbc878f203ba26e61c6
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
4d26574606e9d389267da70ade103b3be38fdbd3945a0dd8d8dcd0e08c4954a0
MD5 hash:
260709c636c4200a1bab0385031d3ee3
SHA1 hash:
cff36e617d7d56bc455c4393f7a265170426bdf1
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
cb5ac363e256fe077713808d30e2f616a7bd4ec2310131dc450af4538128ac18
MD5 hash:
0885cf5d1489b7305bd1f837b9e3c684
SHA1 hash:
63f2e043ca29800a4621a8553270e6b0d687493f
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
ff0bfcd3ffea44e3efa5471d34baa521bf6ae1a30745dfdab0237f1ca1446be0
MD5 hash:
52cb29c8b2e4a3a295725d675db91504
SHA1 hash:
8082a928e6c4f5b1fb8611b2d82981e2f0269fb1
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
SH256 hash:
00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
MD5 hash:
4f1cc6351c88f208864d2766ef6728c8
SHA1 hash:
6c265fe67fd1a6a3a7352a62ecaa87f3a965f359
Link:
https://www.unpac.me/results/9b3ae586-3caa-492a-b489-6fde1c713e1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_smokeloader_a2
Create hunting rule
Author:pnx
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170561/

Comments