MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
SHA3-384 hash: 1ec6d7c929afc01b5bca9488d43a444947b9e4dd9f49c94c09cc956ef732565c3bd0b402c8c9de2bad413aed58e3fce6
SHA1 hash: 70b34bd1d15b86e68ec9ce4c31357da635358889
MD5 hash: 90b1172f054ceae6fe035bac0b16464b
humanhash: double-mockingbird-april-gee
File name:90B1172F054CEAE6FE035BAC0B16464B.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:3'331'236 bytes
First seen:2021-07-17 01:05:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:UbA30BDzt1DcqD9PNl6yFtsKiaYcydNb3Wnt6jmjNL454v60NnP/xetQvWefp18+:UbdDpNv9SyFxim0Wt5L4iZ1XxHLv6ByL
Threatray 172 similar samples on MalwareBazaar
TLSH T1E3F52300BDC094B1D1A11D3A42749628A97D7C306F148BDFE7E45A6E8B361C1EF35BAB
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
45.14.49.91:60919

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.14.49.91:60919 https://threatfox.abuse.ch/ioc/160752/

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
90B1172F054CEAE6FE035BAC0B16464B.exe
Verdict:
Malicious activity
Analysis date:
2021-07-17 01:06:17 UTC
Tags:
evasion autoit stealer
Link:
https://app.any.run/tasks/d230fbfa-582d-4c18-af6a-9989c45e6621

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172303/
Detection(s):
Win.Malware.Clipbanker-9873068-0
Create hunting rule

Win.Malware.Generic-9873526-0
Create hunting rule

Win.Malware.Clipbanker-9874840-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a604c575-46b5-4890-8c3e-a8425b7ffae7
Result
Threat name:
Backstage Stealer Cookie Stealer Glupteb
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817753
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Cookie Stealer
Yara detected Glupteba
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450164 Sample: WAdStf9Llw.exe Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 125 google.vrthcobj.com 2->125 177 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->177 179 Found malware configuration 2->179 181 Antivirus detection for URL or domain 2->181 183 13 other signatures 2->183 10 WAdStf9Llw.exe 1 27 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 1 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 file5 117 C:\Users\user\Desktop\pub2.exe, PE32 10->117 dropped 119 C:\Users\user\Desktop\jg3_3uag.exe, PE32 10->119 dropped 121 C:\Users\user\Desktop\Install.exe, PE32 10->121 dropped 123 4 other files (2 malicious) 10->123 dropped 19 Info.exe 10->19         started        24 Files.exe 24 10->24         started        26 pub2.exe 10->26         started        30 5 other processes 10->30 28 WerFault.exe 13->28         started        process6 dnsIp7 131 103.155.92.207 TWIDC-AS-APTWIDCLimitedHK unknown 19->131 133 136.144.41.201 WORLDSTREAMNL Netherlands 19->133 139 11 other IPs or domains 19->139 81 C:\Users\...\qucf3cJ5qNLKs2zwm3KTILEV.exe, PE32 19->81 dropped 83 C:\Users\...\m7frTFCYVXVe5YGpU9uH9B8T.exe, PE32 19->83 dropped 85 C:\Users\...\fbQ0MwvGpr2uzTsQ2llTKZgv.exe, PE32 19->85 dropped 95 23 other files (11 malicious) 19->95 dropped 189 Drops PE files to the document folder of the user 19->189 191 Disable Windows Defender real time protection (registry) 19->191 32 UJGUVWEnHJ1NFKOrqbOFwfUg.exe 19->32         started        35 qucf3cJ5qNLKs2zwm3KTILEV.exe 19->35         started        37 fbQ0MwvGpr2uzTsQ2llTKZgv.exe 19->37         started        49 6 other processes 19->49 87 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 24->87 dropped 39 File.exe 3 19 24->39         started        43 chrome.exe 24->43         started        89 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 26->89 dropped 193 DLL reload attack detected 26->193 195 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 26->195 197 Renames NTDLL to bypass HIPS 26->197 199 Checks if the current machine is a virtual machine (disk enumeration) 26->199 45 explorer.exe 26->45 injected 135 101.36.107.74, 49741, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 30->135 137 104.21.42.63 CLOUDFLARENETUS United States 30->137 141 5 other IPs or domains 30->141 91 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 30->91 dropped 93 C:\Users\user\AppData\Roaming\1352568.exe, PE32 30->93 dropped 97 3 other files (1 malicious) 30->97 dropped 201 Tries to harvest and steal browser information (history, passwords, etc) 30->201 203 Writes to foreign memory regions 30->203 205 Creates processes via WMI 30->205 47 chrome.exe 30->47         started        51 6 other processes 30->51 file8 signatures9 process10 dnsIp11 157 Query firmware table information (likely to detect VMs) 32->157 159 Tries to detect sandboxes and other dynamic analysis tools (window names) 32->159 161 Hides threads from debuggers 32->161 163 Tries to detect sandboxes / dynamic malware analysis system (registry check) 32->163 165 Sample uses process hollowing technique 35->165 167 Injects a PE file into a foreign processes 35->167 53 conhost.exe 35->53         started        55 conhost.exe 37->55         started        143 oldd.webtm.ru 92.53.96.150, 49733, 80 TIMEWEB-ASRU Russian Federation 39->143 99 C:\Users\Public\run.exe, PE32 39->99 dropped 169 Binary is likely a compiled AutoIt script file 39->169 171 Drops PE files to the user root directory 39->171 57 run.exe 39->57         started        60 chrome.exe 43->60         started        145 iplogger.org 88.99.66.31, 443, 49740, 49754 HETZNER-ASDE Germany 47->145 153 6 other IPs or domains 47->153 101 C:\Users\user\AppData\Local\...\Cookies, SQLite 47->101 dropped 147 208.95.112.1 TUT-ASUS United States 49->147 155 3 other IPs or domains 49->155 103 C:\Users\user\Pictures\background.png, DOS 49->103 dropped 105 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 49->105 dropped 113 2 other files (none is malicious) 49->113 dropped 173 Detected unpacking (changes PE section rights) 49->173 175 Detected unpacking (overwrites its own PE header) 49->175 62 conhost.exe 49->62         started        149 13.88.21.125 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->149 151 172.67.217.15 CLOUDFLARENETUS United States 51->151 107 C:\Users\user\AppData\...\WinHoster.exe, PE32 51->107 dropped 109 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 51->109 dropped 111 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 51->111 dropped 115 8 other files (none is malicious) 51->115 dropped 64 conhost.exe 51->64         started        file12 signatures13 process14 signatures15 207 Multi AV Scanner detection for dropped file 57->207 209 Injects a PE file into a foreign processes 57->209 66 run.exe 57->66         started        71 run.exe 57->71         started        process16 dnsIp17 127 195.201.225.248 HETZNER-ASDE Germany 66->127 129 34.89.184.90 GOOGLEUS United States 66->129 73 C:\Users\user\AppData\...\vcruntime140.dll, PE32 66->73 dropped 75 C:\Users\user\AppData\...\ucrtbase.dll, PE32 66->75 dropped 77 C:\Users\user\AppData\...\softokn3.dll, PE32 66->77 dropped 79 56 other files (none is malicious) 66->79 dropped 185 Tries to steal Mail credentials (via file access) 66->185 187 Tries to harvest and steal browser information (history, passwords, etc) 66->187 file18 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 16:19:59 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgv6pgotbtoovmlabikccwb3dv5f2ou3ct5ytz67vdkmuts4qwwa._file
Verdict:
malicious
Similar samples:
00ac3efa4faaa3927d28bf7b78793d4dac0c814cdbefb2015734d76bee8c988f
DiamondFox
2c1e4de15b0a08e77555d4b16f2bb56fae378081a9411138d323b6b52a7e891b
DiamondFox
419dbec500b45dcb0aca32df66ed6107975ae346cea116494e7f36445746aa27
DiamondFox
5c1f581f9d11fd4614ae17de1eaa58f5e37f47d15d18943214abe9c05f55e97d
DiamondFox
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
DiamondFox
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
DiamondFox
cc161c44340b9944936e1af83913c62bfe6cdc92703e19fc036e556bd89caf79
DiamondFox
fdccd5539f179d7b405ebbc63749ce662af29a3bbe0b66816cce09029e785aaf
DiamondFox
+ 162 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:buran family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:865 agilenet backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/210717-7etagkbyyx/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Interacts with shadow copies
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Deletes shadow copies
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Buran
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
https://sslamlssa1.tumblr.com/
Unpacked files
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
6b47cdab0328059d8edc5f6a8700ff47b95904f0d5ffd3071475922da632cb47
MD5 hash:
28dec7fa05b13908a0d80048d7554be8
SHA1 hash:
7a122fa8d5cf43465070c481e88efc9c40f37cde
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
5559c74bb425c1803ff900ce51643d0453809b9a30584773bad518384f684087
MD5 hash:
5d3d5f41f5fd5d33ebcc5ed4ca0e64ff
SHA1 hash:
4a3967a8982cff6998ba599acd050b12d95c6baf
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
3d67bae1a41794a00e7374e41087f29efb893257d0dac5218f571b46cc1040fa
MD5 hash:
2d8176c32761820c08580daa8434214a
SHA1 hash:
204e4038f0466b6f4b1b687fb647b851160cc1ae
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
b98109b1cb6d02ffc6c49f470a68dedaba1e28ca5862de5261f1eaec86f34583
MD5 hash:
56e1e98f670dfb436cb82001a7041114
SHA1 hash:
d9d71bd521e59ac6c4e303d7f32bf2f1c3e54f27
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
Parent samples :
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SH256 hash:
a5abe23c51a32940b54e2ae81a7086c4c70caa55abf20adeb8215210aedb5d52
MD5 hash:
c1bb7f4a08e1e3c58c5b4d3e03525182
SHA1 hash:
5e9a24e33908e39c44dfbf964f0996a3827ebfeb
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
Parent samples :
09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
2ec6c6341ff83005a6515d942976d2092549312d419a29e59d0efb15d65749bf
SH256 hash:
ac26afeee64c01c697e8225aaead8bfc5331ba5bca9f7f7c9f2a0c058eed5aad
MD5 hash:
1f61e001139e58c95259e24910a67ccb
SHA1 hash:
7a444c4a84931eb8c577a312f683e2c6b2021874
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
590a56745916cbf0b3c712722870c3446ccd66fb697bbebef4202f19694c4f63
MD5 hash:
f0d898f6024836e44a69fdc6b9543df8
SHA1 hash:
2219af42fd1a9cf64f73ead6796f0429b95e3de1
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
1d1ab56d73ed08aa09f5f420639f4978916ecc7819a5ab05448fa901b1925492
MD5 hash:
d9bdb6a0cb249a978e9ea6aaa1cd6bfc
SHA1 hash:
00d28cd0e912454865c24e42ed2ba30cebe6a3f2
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
ea77052d29011e698345b57dc70e56d7d010a7adae00cb065e2761acff265bd0
MD5 hash:
4016fc80c73364a11f1bed6264aead5e
SHA1 hash:
a4460a4dc14ece442c3269e756a926a89127512d
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
SH256 hash:
09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
MD5 hash:
90b1172f054ceae6fe035bac0b16464b
SHA1 hash:
70b34bd1d15b86e68ec9ce4c31357da635358889
Link:
https://www.unpac.me/results/a884452a-5505-4723-a471-ec1621bfa16a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172303/

Comments