MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


N-W0rm


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
SHA3-384 hash: f62e760899d3156c7cef31fb67684f6c797526f16f4aa81bd39ef9da2ef2c7ed4ae5f6f862af973cb9cbfe11ee6862db
SHA1 hash: 27d8b878fb07d7a3f23955cfad710c702a4acc3e
MD5 hash: 7456a042d330c293f618181c1c52ee59
humanhash: north-kitten-ink-summer
File name:00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe
Download: download sample
Signature N-W0rm
Create hunting rule
File size:2'638'222 bytes
First seen:2022-08-27 16:35:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:EghS3ALwLVtkYDnz+ZSPIa1QVtpnjCzSeyBOLnY9y8/OMm9vqw:JhS2qVtkYDuHLjCnGOT4yiOMm9f
TLSH T1FAC5337037F94916E3C367B0097834BA3D3AD9512337BA9B13539B5ADCC2242392BE65
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe N-W0rm


Avatar
abuse_ch
N-W0rm C2:
103.89.90.61:34589

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.89.90.61:34589 https://threatfox.abuse.ch/ioc/842491/

Intelligence

File Origin
# of uploads :
1
# of downloads :
365
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe
Verdict:
No threats detected
Analysis date:
2022-08-27 16:37:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2fd096a0-ecf9-4202-aeb6-9ea168b2bdd3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301658/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Packed.SmokeLoader-9880484-1
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Moving a recently created file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30357/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/630a4837c9bbd990979ad0e9/reports/c2c890f4-0307-4498-9476-451cb129ed44/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76d783d8-9531-42fc-aa06-3753328e6c83
Result
Threat name:
Nitol, PrivateLoader, RedLine, SmokeLoad
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058979
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nitol
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 691496 Sample: 00C0934AF824603BEF01CE8A5D9... Startdate: 27/08/2022 Architecture: WINDOWS Score: 100 128 telanganadigital.com 2->128 130 ozentekstil.com 2->130 132 4 other IPs or domains 2->132 162 Snort IDS alert for network traffic 2->162 164 Multi AV Scanner detection for domain / URL 2->164 166 Malicious sample detected (through community Yara rule) 2->166 168 21 other signatures 2->168 12 00C0934AF824603BEF01CE8A5D9FCBD0E97432C877D40.exe 10 2->12         started        15 rundll32.exe 2->15         started        signatures3 process4 file5 112 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->112 dropped 17 setup_installer.exe 15 12->17         started        20 rundll32.exe 15->20         started        process6 file7 80 C:\Users\user\AppData\...\setup_install.exe, PE32 17->80 dropped 82 C:\Users\user\AppData\Local\...\arnatic_7.txt, PE32+ 17->82 dropped 84 C:\Users\user\AppData\Local\...\arnatic_6.txt, PE32 17->84 dropped 86 10 other files (5 malicious) 17->86 dropped 23 setup_install.exe 1 17->23         started        170 Writes to foreign memory regions 20->170 172 Allocates memory in foreign processes 20->172 174 Creates a thread in another existing process (thread injection) 20->174 28 svchost.exe 20->28 injected 30 svchost.exe 20->30 injected 32 svchost.exe 20->32 injected 34 svchost.exe 20->34 injected signatures8 process9 dnsIp10 134 127.0.0.1 unknown unknown 23->134 136 motiwa.xyz 23->136 104 C:\Users\user\...\arnatic_6.exe (copy), PE32 23->104 dropped 106 C:\Users\user\...\arnatic_5.exe (copy), PE32 23->106 dropped 108 C:\Users\user\...\arnatic_2.exe (copy), PE32 23->108 dropped 110 4 other files (1 malicious) 23->110 dropped 176 Performs DNS queries to domains with low reputation 23->176 36 cmd.exe 1 23->36         started        38 cmd.exe 1 23->38         started        40 cmd.exe 23->40         started        46 7 other processes 23->46 178 System process connects to network (likely due to code injection or exploit) 28->178 180 Sets debug register (to hijack the execution of another thread) 28->180 182 Modifies the context of a thread in another process (thread injection) 28->182 42 svchost.exe 28->42         started        file11 signatures12 process13 dnsIp14 48 arnatic_5.exe 36->48         started        53 arnatic_2.exe 1 38->53         started        55 arnatic_6.exe 40->55         started        138 integrasidata.com 42->138 140 google.vrthcobj.com 42->140 184 Query firmware table information (likely to detect VMs) 42->184 57 arnatic_1.exe 2 46->57         started        59 arnatic_3.exe 12 46->59         started        61 arnatic_7.exe 46->61         started        63 arnatic_4.exe 14 2 46->63         started        signatures15 process16 dnsIp17 114 212.193.30.115, 49779, 49876, 80 SPD-NETTR Russian Federation 48->114 116 136.144.41.201, 80 WORLDSTREAMNL Netherlands 48->116 122 20 other IPs or domains 48->122 88 C:\Users\...\z1Sh8AH61Cm8I_9j3uONpr8H.exe, PE32 48->88 dropped 90 C:\Users\...\pjc67vu9Bh5RgYiUBsVQAKvN.exe, PE32 48->90 dropped 92 C:\Users\...\juuGXY17ztI5H0hVKAcsfEWa.exe, PE32 48->92 dropped 96 17 other malicious files 48->96 dropped 142 Drops PE files to the document folder of the user 48->142 144 May check the online IP address of the machine 48->144 146 Creates HTML files with .exe extension (expired dropper behavior) 48->146 148 Disable Windows Defender real time protection (registry) 48->148 65 juuGXY17ztI5H0hVKAcsfEWa.exe 48->65         started        67 dx5YIpYdofWdZF1vFNebSoUp.exe 48->67         started        94 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 53->94 dropped 150 DLL reload attack detected 53->150 152 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 53->152 154 Renames NTDLL to bypass HIPS 53->154 160 3 other signatures 53->160 69 explorer.exe 53->69 injected 124 3 other IPs or domains 55->124 156 Performs DNS queries to domains with low reputation 55->156 158 Creates processes via WMI 57->158 71 arnatic_1.exe 57->71         started        118 sslamlssa1.tumblr.com 74.114.154.22, 443, 49759 AUTOMATTICUS Canada 59->118 74 WerFault.exe 59->74         started        120 s.lletlee.com 61->120 76 WerFault.exe 61->76         started        126 2 other IPs or domains 63->126 file18 signatures19 process20 file21 98 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 71->98 dropped 100 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 71->100 dropped 102 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 71->102 dropped 78 conhost.exe 71->78         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0/
Threat name:
Win32.Trojan.Cookiesstealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 16:02:02 UTC
File Type:
PE (Exe)
Extracted files:
157
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=adajgsxyerqdx3ybz2ff3h6l2duximwio7kazlpef7p7362roxqa._file
Verdict:
malicious
Result
Malware family:
ytstealer
Create hunting rule
Score:
  10/10
Tags:
family:nymaim family:privateloader family:redline family:smokeloader family:tofsee family:vidar family:ytstealer botnet:933 botnet:nam6.2 botnet:ruzki9 aspackv2 backdoor evasion infostealer loader miner persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/220827-t38s4adcel/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
ASPack v2.12-2.42
Creates new service(s)
Detectes Phoenix Miner Payload
Vidar Stealer
Detects Smokeloader packer
Modifies Windows Defender Real-time Protection settings
NyMaim
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Tofsee
Vidar
YTStealer
YTStealer payload
Malware Config
C2 Extraction:
https://sslamlssa1.tumblr.com/
svartalfheim.top
jotunheim.name
103.89.90.61:34589
176.113.115.146:9582
Unpacked files
SH256 hash:
c7b04fbcec4fb07d04eb36f20866ac6d95709281a96db8ea2b8266ae40361818
MD5 hash:
911a3105c863639fb5310046dd547221
SHA1 hash:
da492d8c31a760318513da006c8f4f8b766ae724
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
2a90c166dfdd8c515ae4138a0c8b30b4011ace0b83c229ce291e3b592edd2802
MD5 hash:
61cf41057c09bd7b801e18ac34bb2862
SHA1 hash:
c9a3ad6be1e2f85a9afc4c918e141b771512224a
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
ef83a2c9f244da974619a0acd227cbe73541970196f8a1b48955d7f434c53568
MD5 hash:
f29a39b4b679a526b5bc9e66ae65be19
SHA1 hash:
a52ee9a8722ec74091c5c2c559703f7c677530d6
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
6ace541e53b337773108bd7bd3c84fbb02d2da5a4b94d3e382d7773f6767a5fe
MD5 hash:
68e679e430a8a3bf2a66356e998562fd
SHA1 hash:
42d729a6149b96fd8aee0fc93d5ba063166bf10c
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
3c33e130ffc0a583909982f29c38bffb518ae0fd0ef7397855906beef3cd993d
MD5 hash:
4a1a271c67b98c9cfc4c6efa7411b1dd
SHA1 hash:
e2325cb6f55d5fea29ce0d31cad487f2b4e6f891
Detections:
win_privateloader_a0
Create hunting rule
win_privateloader_auto
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
a0a30765d8de60813e2afee8d8045c6ef32ebdd81edd20e9b4d16cd7e470d24f
MD5 hash:
1c6c5449a374e1d3acecbf374dfcbb03
SHA1 hash:
3af9b2a06e52c6eaa666b3b28df942097f16b078
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
b683f2a5aaff97195699fd1062df696d61228f12a61781aca3dcd0edb79b3654
MD5 hash:
01c5b4765c7a409dce09a17bdfb9fe9d
SHA1 hash:
315b4dd49ad8b7ae46ff5f7bb0a934d9542fbbfd
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
9717f526bf9c56a5d06ccd0fb71eef0579d26b7100d01665b76d8fdd211b48bd
MD5 hash:
dbc3e1e93fe6f9e1806448cd19e703f7
SHA1 hash:
061119a118197ca93f69045abd657aa3627fc2c5
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
5d4c0d5f04633615c1b3ed98b9a209f68812d23fa0e1c9e30eb2069312f3704d
MD5 hash:
38611fd44e01684b6f3fb76d914e1b88
SHA1 hash:
43674cdfc42d81c6d00d37694ddcd69a4829b54f
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
SH256 hash:
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
MD5 hash:
7456a042d330c293f618181c1c52ee59
SHA1 hash:
27d8b878fb07d7a3f23955cfad710c702a4acc3e
Link:
https://www.unpac.me/results/afe3a877-8fc4-4403-8e5b-e13659996473/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301658/

Comments