MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 045a93ee4aa61fd3bb2c7f706085a249b9664876b7a2e5d8282129ac6df15be2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Smoke Loader


Vendor detections: 13



SHA256 hash: 045a93ee4aa61fd3bb2c7f706085a249b9664876b7a2e5d8282129ac6df15be2
SHA3-384 hash: 7266ea40f981bd23d25540f6eb14d8563f5de684b2986a2018ffd9b554be406f4be44e94575d961989a3a3078b1ed060
SHA1 hash: 98c265f9877abfb8c90c84f05ad0ca871bb38524
MD5 hash: e7dac1680784996bdbd5f97595c351b4
humanhash: alaska-music-sixteen-oven
File name: 045A93EE4AA61FD3BB2C7F706085A249B9664876B7A2E.exe
Signature: Smoke Loader
File size: 5'853'819 bytes
First seen: 2022-03-10 18:31:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JsgwzJgmhSFUZTkz7UzVWiWorPzFPqGG7bd0IF7RkOkkGlcUIsjIb8D6m4F0Ry:JVRmBYz7UzJ35y3d0+7RokGlmsUYDvRy
TLSH: T1F74633F7772B88D6F5D678B0213CA4B414F511DE8A63B2157376F0C8E8A38EE4606356
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe Smoke Loader


abuse_ch
Smoke Loader C2:
http://91.219.236.212/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC    ThreatFox Reference
http://91.219.236.212/ https://threatfox.abuse.ch/ioc/393367/
http://94.250.253.4/Wp/8testDownloads/0ProcessorTrafficmariadb/imageApiVoiddbpython/ProtonProcess/5/js/UniversalProcessVideoApi/7Base/Dlegeo58/2/ServerWindowsSql/2datalifeEternalsecure/processDefaultLinuxwindows.php https://threatfox.abuse.ch/ioc/393503/
193.106.191.67:44400 https://threatfox.abuse.ch/ioc/393504/

Intelligence


File Origin
# of uploads:
1
# of downloads:
241
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
azorult barys clipbanker control.exe manuscrypt overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Downloads files with wrong headers with respect to MIME Content-Type
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected onlyLogger
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Behavior Graph ID: 586923; Sample: 045A93EE4AA61FD3BB2C7F70608...; Startdate: 10/03/2022; Architecture: WINDOWS; Score: 100

Sample-level network: ip-api.com 208.95.112.1 (ports 49801, 49803, 80; TUT-ASUS, United States); 13.89.179.12 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 10 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 18 other signatures

Process tree (indentation shows parent/child; dropped files, network contacts and signatures are listed under the process they belong to):
045A93EE4AA61FD3BB2C7F706085A249B9664876B7A2E.exe (started)
    dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
    setup_installer.exe (started)
        dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\...\61e2586ba6932_Sat057e02d2c.exe (PE32+); C:\...\61e2586a97c0d_Sat055136b66075.exe (PE32); 17 other files (11 malicious)
        setup_install.exe (started)
            network: 127.0.0.1 (unknown); raitanori.xyz
            signatures: Performs DNS queries to domains with low reputation; Disables Windows Defender (via service or powershell)
            cmd.exe (started)
                61e25859c408e_Sat05a0437e4a7.exe (started)
                    network: innovicservice.net; 212.193.30.21 (ports 49739, 80; SPD-NETTR, Russian Federation); 15 other IPs or domains
                    dropped: C:\Users\...\76urrzZ06mi__XRQaDoErwWg.exe (PE32+); C:\Users\user\AppData\...\yrpp1047[1].exe (PE32+); C:\Users\user\AppData\Local\...\yli[1].exe (PE32); 3 other files (1 malicious)
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; 3 other signatures
                    innovicservice.net: Performs DNS queries to domains with low reputation
            cmd.exe (started)
                61e2585818331_Sat05bb7ba43d42.exe (started)
                    network: signaturebusinesspark.com 194.195.211.98 (ports 443, 49746, 49809; NEXINTO-DE, Germany); iplogger.org 148.251.234.83 (ports 443, 49737, 49747; HETZNER-ASDE, Germany); 192.168.2.1 (unknown)
                    signatures: Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Contains functionality to inject code into remote processes
            cmd.exe (started)
                61e25858bc092_Sat05923e73c.exe (started)
            3 other processes (started)
                signatures: Disables Windows Defender (via service or powershell)
                powershell.exe (started)
Threat name:
Win32.Trojan.SelfDel
Status:
Malicious
First seen:
2022-01-19 23:08:20 UTC
File Type:
PE (Exe)
Extracted files:
335
AV detection:
30 of 42 (71.43%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
socelars
Score:
10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars botnet:2 botnet:media1422 botnet:v2user1 botnet:ww aspackv2 backdoor discovery evasion infostealer loader spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
OnlyLogger Payload
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Malware Config
C2 Extraction:
http://www.kvubgc.com/
88.99.35.59:63020
92.255.57.115:59426
193.106.191.67:44400
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
193.203.203.82:23108
Unpacked files
SHA256 hash:
41fc8e9bb6251603258e573597bfe552f0cdf9ba8152d7ae5bc03ced9d916570
MD5 hash:
a9c713054dffed4cb033d0d5df5c7620
SHA1 hash:
f172fd5af953549796528ce3a0c34a0c1426df39
SHA256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
SHA256 hash:
5016791e68923e487490a99dd308857b8f12eb3d42018693a2efc4f817e593c3
MD5 hash:
7f5ce18b5fd544fe1c4478070ac5a8a7
SHA1 hash:
11c33b9c8d587090ac4ac3c14b779d4068506409
SHA256 hash:
e38a8ccf4894792679323c0bb51c2c75c3540076fed192f9aa6371a5c752ab5b
MD5 hash:
11e2aaab6dfe22a9aab8f2083deb5776
SHA1 hash:
feba86d5d1a7b945987ba175c206fe01ab6e27b4
SHA256 hash:
0fe299e45e0cb2f8da8f67e97be07cef9a92c686f43619ca6a79c5bf0af80cff
MD5 hash:
985b6df707f86fb4f607cfd315dfb45e
SHA1 hash:
ef58c621a5ea0c55b1256d24e079f78e9da5d255
SHA256 hash:
677bc6003f3d853b885e41c6ff3f6f9340877368a65532574e245a7fe8c28e74
MD5 hash:
9a6d166eadba7e651a7594a3d9f3196f
SHA1 hash:
e9d2fdc99aa0dfa27ad0e3605586fabca0994547
SHA256 hash:
a36b23d78ef0dc642c12a4c6fdd5b89b055b4ca3fecd15b29ba053024d94becd
MD5 hash:
40c197b3f62220bfb0a8baf3f49c1bd3
SHA1 hash:
e80b6b02df6c7d0020f4ffc4264fe74e50591489
SHA256 hash:
3835a96ca089b496c65579b2c01ae6bc32ed09d83d05020d2f9d5b97e9069cf0
MD5 hash:
6a8a77fdbc95f9ec343badcda095e5ce
SHA1 hash:
b58f2963ed4d1203628163caf6c530b8c25480ca
SHA256 hash:
1b74c7127ff9e06969286d47971c24e52a59380695f346de6317491c08ec8d90
MD5 hash:
d1a111e2f98a6b10b69fcfccc39ff1a8
SHA1 hash:
b1d3ff645b063a0d8e42f5864e851d1e6ec2ffcf
SHA256 hash:
c61c3e582a6a99df722edfd507d9450cb4d976b7e8e56e328a531c3824e93745
MD5 hash:
32190246c349f64e8e0c1725c6d6648e
SHA1 hash:
a59f01d67985ecf3e59c1b5634ea0422fb5ee57f
SHA256 hash:
f4ab0c535a9ed38c9f75907ba4c2a36908a6c5ab90eae2e5b3dd6eafb84ca780
MD5 hash:
f72fcf2ba3166d6922b8c603bdfb57c4
SHA1 hash:
a3259bde7e9e900ba7ffce73caca3a472b426509
SHA256 hash:
972a0e854ff961af09d649f5ea803d8ff0ce1620b07fce2f7df0cfb7725cfe59
MD5 hash:
5cb1bdec1867d32b74056614aafeaa77
SHA1 hash:
879639c795b971a651bbe2de8d598b82575a36b3
SHA256 hash:
22daf2dd059727625365a45804e6d7f166c94bd454308f17db7b6ca98868c478
MD5 hash:
083374f39da3e9715df66220cff16850
SHA1 hash:
6734596fc2593799bcb1e8789925d5381e9f7ec3
SHA256 hash:
da8ee5cfcc09533d57bbfd7f5ca4fe7d99ffd630007d39fbb1330b6dd364612e
MD5 hash:
c36a81f718c15848320cba628ea61630
SHA1 hash:
428bc95c42dbc0bcd0791a0dd09b8b4c884f5de2
SHA256 hash:
a962bd1157017d37327c87486656053eabd08a0cca0b6c6c80b11e7eb30205c3
MD5 hash:
778650c51e0ad36b3e4f95447458ffd5
SHA1 hash:
3cedbd6df862b09fcc1bcb480eae60b8de362fb0
SHA256 hash:
13182f2a5943ecd27b4aa00c9a4f4a13cbb8bba6ad72d028b16a2a4c65c07075
MD5 hash:
f1fdfc46674a3930362d0be893eb5dad
SHA1 hash:
31e62d5dbcce47f8c4853120de5372061439b199
SHA256 hash:
edaaa9c24062675e34c291d8b3317e544da06a805c5165b779c5c1d2cfc6b338
MD5 hash:
c82c78bed0a461e43ba785cdc26fde22
SHA1 hash:
300db6d428c4e7d1ff410baaaf875e5dd1add8ed
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
77dae8bfb2f71eb22292e284468dae35f8a7f0d6bccbb655979839447d13634c
MD5 hash:
89e7d1d102e675ef49f3dbf4040617e7
SHA1 hash:
38e83ba9c7201ea942fd5f6f464d4537007c1cd9
SHA256 hash:
c67d03aab3ed99556c901190c120407749e94cfd10a3478b6a78985a475efa1b
MD5 hash:
efd491a6a1cf1fdfdbf29ca25753af40
SHA1 hash:
3bddc4c097ce86792b0fb170052c7aba5b1bb82b
SHA256 hash:
85499df09e8fbbf705022420b948be9cc381a5ebc04bfb022c80847d3493107d
MD5 hash:
f26434683122ed2fba4a07e70f2bc15e
SHA1 hash:
6a265706fe9b700a1b6befe920eca5782c9402ee
SHA256 hash:
e64c118d4d9a654035ed981b1e060ed4360803ebcf60ec8aa9ca3bda5219d41a
MD5 hash:
6c55102c9a12b0500ab599303d569c15
SHA1 hash:
f15608f92efe793b831cd0ebcbf908c8f2ba26ac
SHA256 hash:
42b93f40d2865c20d06c01ffa8d4149ef4775ef362b3e3887d7623df1a2b889d
MD5 hash:
306ea0d78ee5e1e29f03b8683cee39cd
SHA1 hash:
73b9d401f8ec2c5989166a3ac7565f601ae76eb6
SHA256 hash:
f126f71796cfdebdbf9d4674f67930f673b9e74f0f8934afb902bf991a270c25
MD5 hash:
33dd7fc1281d18ccaba3199052d18d8f
SHA1 hash:
7c9f36250448d576df8a25229196a83a2b070b03
SHA256 hash:
4a2753a489ba99112f197e37fb53287cf13693a537698f59e06ab056b90d9aa2
MD5 hash:
c2651c2abbd85e7d21487536def9b0ed
SHA1 hash:
086bd3a7ed5b361a6a6317a5bada4b8d891feecb
SHA256 hash:
49820e5867e8638790174bf66d850b9e0faf69f24da64e835560ee1c8dbc847a
MD5 hash:
c9fcd620da949c9e4bad5b28447fcee4
SHA1 hash:
b5357f02d85be6f2f2b912e4cf92553b8cd010fd
SHA256 hash:
045a93ee4aa61fd3bb2c7f706085a249b9664876b7a2e5d8282129ac6df15be2
MD5 hash:
e7dac1680784996bdbd5f97595c351b4
SHA1 hash:
98c265f9877abfb8c90c84f05ad0ca871bb38524
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments