MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 0d69cafe700a952a621c9b5981504e30c939c3d6cc34452691fce67b2eb6c1cd
SHA3-384 hash: 0889913c8748efdb7353ee32f17ed65655d048626c83185815c7a1dcedebf0886c6c89f0b16536496526d802703e0bae
SHA1 hash: fd40bbe6eaeea4004046f65a8c647fabb35e1742
MD5 hash: a121db3e0809289a5c41c44958ff6fa0
humanhash: muppet-beer-low-indigo
File name: a121db3e0809289a5c41c44958ff6fa0.exe
Signature: RedLineStealer
File size: 5'823'623 bytes
First seen: 2021-10-17 23:35:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JVw5AxSbnFouWDC50KmHeIQT8ZVK+zoN3aZdKfFEqsJtn05C5H+ZB3pjHOR:Ja5AeFeC5UH5a87/oN3aZdKNyxeCH+ZY
Threatray: 634 similar samples on MalwareBazaar
TLSH: T11646334ED5C0A06FD3038BB54D7D520B0B1B982F7E7C3B6C1EE32A6BB98A19159213D5
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: DiamondFox exe RedLineStealer


abuse_ch
DiamondFox C2:
http://185.163.204.33/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://185.163.204.33/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/234895/

Intelligence


File Origin
# of uploads: 1
# of downloads: 302
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
barys overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
[Behavior graph not reproduced. Behavior Graph ID: 504316; Sample: iVOdgBmo8O.exe; Startdate: 18/10/2021; Architecture: WINDOWS; Score: 100. The graph shows the submitted sample dropping and launching setup_installer.exe and setup_install.exe, which in turn spawn several cmd.exe instances and further dropped Fri20*.exe payloads, with signature matches including Adds a directory exclusion to Windows Defender, Disable Windows Defender real time protection (registry), Detected unpacking, Queries sensitive BIOS Information, Tries to harvest and steal browser information, Sample uses process hollowing technique, and mshta.exe being started.]
Threat name:
Win32.Trojan.Fabookie
Status:
Malicious
First seen:
2021-10-16 05:37:35 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:932 botnet:933 botnet:937 botnet:ani botnet:she aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
Unpacked files
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments