MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 093c40a96a55be0cc76dd3f234eebc8e66f453626f0d217fce4bb91d5e5afa5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

SHA256 hash: 093c40a96a55be0cc76dd3f234eebc8e66f453626f0d217fce4bb91d5e5afa5c
SHA3-384 hash: cab6b9c5c2038333e572835c6ec21961741c0cf1aaf51b1132a75eb31fd19c97bbf7cb2e5a5da158bb53ff7a782ab8b5
SHA1 hash: e781082d1998162c11c2858a7a4b14db110c201f
MD5 hash: 295b842a1a8473e51468fed24d1527cd
humanhash: fruit-india-november-march
File name: 295b842a1a8473e51468fed24d1527cd.exe
Signature: ArkeiStealer
File size: 5'292'636 bytes
First seen: 2021-09-21 22:35:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:x8CvLUBsgnCa7CUqSvSHV9z2G6xi8FYPWrWyqW1w2kDblQgvZ8Q4y/40z8L8Vi:xhLUCgnCavqSvS1FZ68HPAWyvSD5QK8l
Threatray: 566 similar samples on MalwareBazaar
TLSH: T11736335273C1A877DF412674F64C0B32F4BAC38019B19ADBA328964C1F3DD1ADB2959E
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://185.163.45.42/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.163.45.42/ (ThreatFox reference: https://threatfox.abuse.ch/ioc/224597/)

Intelligence

File Origin
# of uploads: 1
# of downloads: 244
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 295b842a1a8473e51468fed24d1527cd.exe
Verdict: No threats detected
Analysis date: 2021-09-21 22:36:13 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 487682 (Sample: Y78VYTy1rQ.exe, Startdate: 22/09/2021, Architecture: WINDOWS, Score: 100); the graph is rendered as an image on the page.
Threat name: Win32.Trojan.RedlineStealer
Status: Malicious
First seen: 2021-09-20 18:09:52 UTC
AV detection: 28 of 44 (63.64%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:janesam aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://petrenko96.tumblr.com/
65.108.20.195:6774
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments