MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 024eb21bd037fb35d9a56affa3a4e845585b963f65a4dfdbc5eaa93d5ef950a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 12

SHA256 hash: 024eb21bd037fb35d9a56affa3a4e845585b963f65a4dfdbc5eaa93d5ef950a0
SHA3-384 hash: 9a432433d30b1f7ddc4cfba5ccf782e1dc1fe3130da65e417118ad12af0d9235b2a1d296db340a921e7436ada1adc1fa
SHA1 hash: f6e987386a9cd94d5912061f74e5b025f432e7ed
MD5 hash: d93ccf8e9442170e3e27e203ed1314fb
humanhash: social-fifteen-kansas-vermont
File name: d93ccf8e9442170e3e27e203ed1314fb.exe
Signature: RaccoonStealer
File size: 5'977'600 bytes
First seen: 2022-01-29 10:15:15 UTC
Last seen: 2022-01-29 11:54:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 98304:9LHzZzvH89cQozUulSBGKCz2UAI+jt/XhW7rm98Lkmklyjjkwvt8blOszvE8FhbE:9hM8QpAd/ROlXhWPm98LGl2jkwjMhbd9
Threatray: 806 similar samples on MalwareBazaar
TLSH: T19956E0373B3B1B1147AB56D67298B757ADAF1A23CAD7CAD40018529C47BB0D0DA2CE07
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
http://159.223.25.220/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://159.223.25.220/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/357405/

Intelligence


File Origin
# of uploads: 2
# of downloads: 300
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d93ccf8e9442170e3e27e203ed1314fb.exe
Verdict: Malicious activity
Analysis date: 2022-01-29 10:22:47 UTC
Tags: trojan rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating synchronization primitives
DNS request
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Creating a file
Searching for the window
Sending a custom TCP request
Sending an HTTP POST request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm mokes obfuscated packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cookie Stealer Nitol RedLine SmokeLoader
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected Generic Downloader
Yara detected Nitol
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: (graph image not reproduced here) Behavior Graph ID: 562583, Sample: xporXSudMO.exe, Startdate: 29/01/2022, Architecture: WINDOWS, Score: 100
Threat name: ByteCode-MSIL.Backdoor.Mokes
Status: Malicious
First seen: 2022-01-27 17:28:44 UTC
File Type: PE (.Net Exe)
Extracted files: 16
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family: socelars
Score: 10/10
Tags: family:onlylogger family:redline family:smokeloader family:socelars botnet:pablicher backdoor discovery infostealer loader persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
http://www.anquyebt.com/
185.215.113.10:39759
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name: INDICATOR_SUSPICIOUS_References_SecTools
Author: ditekSHen
Description: Detects executables referencing many IR and analysis tools

Rule name: MALWARE_Win_DLInjector04
Author: ditekSHen
Description: Detects downloader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments