MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e144c258913a35001fd23c3413005c90e7bc35be3baff3f90ca77570a8c0a27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e144c258913a35001fd23c3413005c90e7bc35be3baff3f90ca77570a8c0a27
SHA3-384 hash: 86ad46054bcf621a0e48386e882c93bd37b6eb43c8ecade93d2c81215fc7c1713d71ec377c9e276f0de0472a4457ec4d
SHA1 hash: dd4016837111f836866a061f5b83c08beec0aa32
MD5 hash: 2d9f411233f0024958153f6093ac5a0f
humanhash: bravo-october-lactose-speaker
File name:0E144C258913A35001FD23C3413005C90E7BC35BE3BAF.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:14'662'291 bytes
First seen:2022-01-19 17:16:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 393216:xWdgaEKMJALRd1C82jg7DFnAylicuu6kl+iJ078WoXeL8mNe:QdgaE5JI2jCFnASicuu6aRJ078pXebNe
Threatray 2'182 similar samples on MalwareBazaar
TLSH T199E633013B9BA0FFFC894136BEDC2AB2327EE78E7B52984FDB4210156794195B13446A
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://138.68.162.128/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://138.68.162.128/ https://threatfox.abuse.ch/ioc/302456/

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Running batch commands
Launching a process
DNS request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61e8479ed32385db630999ef/reports/c82c66a5-0cf8-4a52-b280-e5e4f698cdec/overview
Result
Verdict:
MALICIOUS
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a06cd61a-d305-43ea-b8be-9c51477c6ae1
Result
Threat name:
Amadey Raccoon RedLine SmokeLoader Socel
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923685
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to evade analysis by execution special instruction which cause usermode exception
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected onlyLogger
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 556159 Sample: 0E144C258913A35001FD23C3413... Startdate: 19/01/2022 Architecture: WINDOWS Score: 100 64 s3.nl-ams.scw.cloud 163.172.208.8, 49775, 80 OnlineSASFR United Kingdom 2->64 66 qoto.org 51.91.13.105, 443, 49768 OVHFR France 2->66 68 10 other IPs or domains 2->68 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Antivirus detection for URL or domain 2->78 80 Antivirus detection for dropped file 2->80 82 26 other signatures 2->82 10 0E144C258913A35001FD23C3413005C90E7BC35BE3BAF.exe 26 2->10         started        13 svchost.exe 1 2->13         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\setup_install.exe, PE32 10->46 dropped 48 C:\Users\user\...\Wed23cea4f8267b98.exe, PE32 10->48 dropped 50 C:\Users\user\...\Wed23bead27eaf9f7.exe, PE32 10->50 dropped 52 21 other files (16 malicious) 10->52 dropped 15 setup_install.exe 1 10->15         started        process6 signatures7 108 Adds a directory exclusion to Windows Defender 15->108 110 Disables Windows Defender (via service or powershell) 15->110 18 cmd.exe 15->18         started        20 cmd.exe 1 15->20         started        22 cmd.exe 15->22         started        24 9 other processes 15->24 process8 signatures9 27 Wed23127957185857ba1.exe 18->27         started        32 Wed2360c9504c898.exe 20->32         started        34 Wed23cea4f8267b98.exe 22->34         started        84 Adds a directory exclusion to Windows Defender 24->84 86 Disables Windows Defender (via service or powershell) 24->86 36 Wed236a5a2b11bb5e717.exe 2 24->36         started        38 Wed23862508dc36.exe 24->38         started        40 Wed2390763d851f2361a.exe 24->40         started        42 3 other processes 24->42 process10 dnsIp11 70 new-androidapps.me 172.67.173.151, 443, 49760, 49767 CLOUDFLARENETUS United States 27->70 54 C:\Users\user\AppData\Roaming\RtBgJR5.exe, PE32 27->54 dropped 56 C:\Users\user\AppData\Roaming\LMO5cB2N.exe, PE32 27->56 dropped 58 C:\Users\user\AppData\Roaming\AOs8Fovcs.exe, PE32 27->58 dropped 62 3 other files (none is malicious) 27->62 dropped 88 Antivirus detection for dropped file 27->88 90 Multi AV Scanner detection for dropped file 27->90 92 Machine Learning detection for dropped file 27->92 94 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->94 96 Maps a DLL or memory area into another process 32->96 98 Checks if the current machine is a virtual machine (disk enumeration) 32->98 100 Query firmware table information (likely to detect VMs) 34->100 102 Tries to detect sandboxes / dynamic malware analysis system (registry check) 34->102 104 Tries to evade analysis by execution special instruction which cause usermode exception 36->104 72 ip-api.com 208.95.112.1, 49761, 80 TUT-ASUS United States 38->72 74 www.hdkapx.com 38->74 60 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 38->60 dropped 106 May check the online IP address of the machine 38->106 44 mshta.exe 42->44         started        file12 signatures13 process14
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e144c258913a35001fd23c3413005c90e7bc35be3baff3f90ca77570a8c0a27/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 11:25:44 UTC
File Type:
PE (Exe)
Extracted files:
207
AV detection:
30 of 43 (69.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bykeyjmjcorvaap5epbucmafzehhxq234o5p6p4qzj3vocumbitq._file
Verdict:
malicious
Similar samples:
48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
RaccoonStealer
523c3d9d49ff39f7f97331e9d89c18053ab85c80f2ead0b505cc7e27e7aa2fcd
RaccoonStealer
55560b608e7a7515329d395c72dc9cebc5cdd7b4c0f153d6e02eb74c2a609feb
RaccoonStealer
a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6
RaccoonStealer
aa3abbd93819a58f0612b60cf1cfcc3a296e10d1b776555b8a3f967608b00f06
RaccoonStealer
bcfa6e6fb8a5b32e164fd8a7b49d448e65482fae38fe17e48cc35cb6427a360e
RaccoonStealer
fea660657f6285124e61fe5dcafe9374344d941e6fbeaa89f3a2640572ccc784
RaccoonStealer
+ 2'172 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:onlylogger family:redline family:socelars aspackv2 evasion infostealer loader stealer suricata trojan
Link:
https://tria.ge/reports/220119-vtrc5abggp/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Nirsoft
OnlyLogger Payload
Amadey
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
suricata: ET MALWARE Amadey CnC Check-In
Malware Config
C2 Extraction:
http://www.wgqpw.com/
Unpacked files
SH256 hash:
cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash:
ded1c6e8c89148495fc19734e47b664d
SHA1 hash:
3a444aeacd154f8d66bca8a98615765c25eb3d41
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
Parent samples :
3f947f5a849f11be9079a5c2418240e2faf7e53b63662c85b92fad8f47ea4d09
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
SH256 hash:
715c468aae9722bde10a09ac27ee35f9bbf3de2a58ee19bd9d5f5a68a7b6837a
MD5 hash:
b6d1c8c7140a42d260186eccc6f5c700
SHA1 hash:
bebd7d53c3cacb295a466ac53de1015cfc6afabb
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
1e38e10b937be88caf62ee6b27a911ca3e3479bdf0c4cae89f30190b14b77fdc
MD5 hash:
28074a8b5baf2c448206f702c483a546
SHA1 hash:
2657f0d2a01f043f934eee726333da9ac217175f
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
376bf69f01fe65802f1ec35b8715067687c4bd47937154fc4c3903b06fe89a92
MD5 hash:
feea5b4bc6a46188e7998b53b668d6fe
SHA1 hash:
ff73a76d88ba96baba23acf669ab2fb61e541916
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
a174e0d67eca3a59399994a54a44f4f2b7584f286dcf3cdb7a80f1ef83c010c6
MD5 hash:
b3b683d8cb51a926977080d7f7cf4bf5
SHA1 hash:
82eb466d03c72417f1a3f1320ccb732899af5e88
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
cee3fb6b8d2eae39536a5147ab3a4a61a10e33dd62955d8516b4381ca6c66fd6
MD5 hash:
ee95cfb94acdb269a674b952296593b0
SHA1 hash:
2c465d93a9375646aab827e1b4a2fa05fc64f1a5
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
6ecaba189f108ba0dc83214fa41e43307fdc79147717f2ac68cd832181db9666
MD5 hash:
70768beb1a282fc79ecf19a0a73286f5
SHA1 hash:
e40e4b259715e740c83e3cc27a5654ea3c7bfa37
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
fef7035989f56b8ab573adb9d3d91363668af7b0b71d4cb44d52f941fde3ad4f
MD5 hash:
b712d9cd25656a5f61990a394dc71c8e
SHA1 hash:
f981a7bb6085d3b893e140e85f7df96291683dd6
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
aa3a0d7634ab8093e93bc6efc8644816ba5b9277f5ea1052a05fccbdb5058b43
MD5 hash:
15aff45cc55cc43ed3d184a01002bac0
SHA1 hash:
f49979891aac9fe7e401d0e864fed712605258f9
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
c53afa91c58451dea92adc1c85cec4086de114fdcd59eb93ab23c28f3c982e7d
MD5 hash:
d3b3492b8ce02a13a20a865dff1a2961
SHA1 hash:
e20c04ef689355e6d47f5dce85146959ddcd3a31
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
c394bc87320d9f89414024be6cc0fbc332d80bf2562db287dbd0d4cd2a4f5e77
MD5 hash:
f68d0b84bbcc2f2187617522eba20d3d
SHA1 hash:
de7a1d60617be132c2e3ce26e41ec71cab78bbaf
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
6e50f955469e64cec245568adcdef07147b5b756a7af9c50a898859ca17ba558
MD5 hash:
86d1fa38248a93563060871a12f94df5
SHA1 hash:
ddebf7e1bef5d0e04bcb090eb9a745d3970de2c7
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
ee3f9178db420242904907580f747192d070ba5f893bc24d7cdc9e2d68df0f8a
MD5 hash:
0a95d1e59bd1fa933d9e7d74a0635532
SHA1 hash:
dcd82a0d49126a118cabea10eca518ba41422e5c
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
MD5 hash:
f6271f82a952f96ba9271a4a27c9f22f
SHA1 hash:
d12708b9e39a0cd06add96316b65f1668d6a1246
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
451c693481de62b1a2768050df0e7aba4d7eaa2c70ef924ccc5992f947d27b70
MD5 hash:
2fa2b1760a549b8a8988fbf66c0204ab
SHA1 hash:
cf0a32127dd6d688fbebd56f6c2b672455b5683d
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
8cc5cc10238a34870a818ac4c1436c71f4b3515cecc20caeb0da41b823034d50
MD5 hash:
1572203c5b97df2ce44fa913231e37e0
SHA1 hash:
b458e8afdf06e8a08c0ee964347506e36fd368df
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
4ccb0f4b58fdf4452ff46f357848707b35532125fff748c88d52078d1b1d830c
MD5 hash:
7270ce24f30c91a0491d2b313399b15f
SHA1 hash:
9205cf478c9321ca27b2b064140dca560d593616
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
ae43af528be8956c58a1c245a4a945f7d1c6eb41b41adf9369bd469d08c724c1
MD5 hash:
25676fb6b2581c3bb750a88e83ebac03
SHA1 hash:
4f3258104034de4453701cfa0d9fa8067b80b616
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
53a13d9b85c62c225f80677e7e84f0e4b3980c0695a7606212176326f2ee72e0
MD5 hash:
ba4548a88c431f3b9e3777e165a62f60
SHA1 hash:
412ca7d19a5bbc44fe0382a59f1bbae0eb1be44d
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
544f2e6bc346ea60801d5a71f7f61d8a7065f3636a64e937b8e7539ce7069763
MD5 hash:
5ff879fa99e793a81d20ad84da6cdd9a
SHA1 hash:
3a42d1fbbaa9c25cd2ec1553ec5e1a00da791818
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
2ac2f22f376075b29c0b6c787c57ce9a70ef0727bfb1617c3bfb94198bfa7640
MD5 hash:
f9c6d895abb9e1dac411cf78baeb5dfb
SHA1 hash:
16445ba3e98d44624eb922f7d28ca1b7bbcce1bd
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
f2a308116ceb34724fc21543ce1b3f32896f45133a1ad2a7fb0b517df0bed330
MD5 hash:
e901d8cdcc38a63e8df2305828d69ac1
SHA1 hash:
0b7078d4d766ef24b940d48d12bd0b13baa4d516
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
329fca01535d94e2a7b2499bfc7064ab289681e56478e32058eac8876fe0cddd
MD5 hash:
d27078c9e0af3dd66abb7c3ac64b6ab9
SHA1 hash:
026a6b48f7a84edc1b2a881339f219c132e36b44
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
cd981497f6f4dd9354107206d7b2c13e09516f448e89de8786d65377fab16a62
MD5 hash:
21478aa41b2021c6053604f28304ce26
SHA1 hash:
6e38cce2438875c6720883fa79f3d44645888813
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
1b3268c68d70097492a5e79486f1511dd99fad34bc4de2bbdc871f0414b2e100
MD5 hash:
d235bd10cfd26eb018762b2314c5b028
SHA1 hash:
2e3cfebca4b1849e13587ff556271c23395a6b2f
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
e9b68974bcd194b025cb9fd99015e6136ffdfab778d4935e0c2c86691162ce7b
MD5 hash:
affd10d328d538c2a34d4346b68e35a2
SHA1 hash:
12e62a944dc17725cfb828f0c36fdccb9a365508
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
8574a48471222f3bff90063b71abe6cd13d33a377c9d18e8b99cb0d31d783101
MD5 hash:
0cf28ac6930dab5e37d6051d489c6fd0
SHA1 hash:
807413d90478c49aab721020ec7cbfd720cb6d48
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
4fc1efca470fb82969739d7b7c4d47fe2b20cc2f0dbc65ffb289109aa1830381
MD5 hash:
97beaf92a4d9bdb55de5a84b325f5011
SHA1 hash:
2c846662354f0656d9c3428f99f711eada69f58f
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
0237e09d83174ce5c9fee9c40927332a9b70f8985908b2c1c2c599f6258c178a
MD5 hash:
5b13039d2cb4f8a8075ebaddeba6f6bb
SHA1 hash:
0eb30a73b6670f32850f7b1c16c99231cb4ba724
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
SH256 hash:
0e144c258913a35001fd23c3413005c90e7bc35be3baff3f90ca77570a8c0a27
MD5 hash:
2d9f411233f0024958153f6093ac5a0f
SHA1 hash:
dd4016837111f836866a061f5b83c08beec0aa32
Link:
https://www.unpac.me/results/7f90d104-ff61-4671-a39f-f54fe86e1a68/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e144c258913a35001fd23c3413005c90e7bc35be3baff3f90ca77570a8c0a27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments