MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 1eb3574e7faa18d12759034dcc5a26ac90d79badef17cf1a744854d9a9e41cb0
SHA3-384 hash: e9cd8837e16ef9f289f0f2f6109eef82bcb08826485cf62553a6314e9e100b483e63d7fc29bf542d3179c9c82dc19065
SHA1 hash: 4e5d00df20e12a0cc74189eb691e063b3a84990a
MD5 hash: 591c62c68ce81550a99f07e173a56217
humanhash: oscar-connecticut-helium-friend
File name: setup_x86_x64_install.exe
Signature: RedLineStealer
File size: 6'811'437 bytes
First seen: 2021-09-17 05:14:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:yMz7bKY8qgkL5ZYlCV6JtZ1eJLPj4F4z/eHFDKED:yfY8V+5ZcCVmZ1eJLPj4ujeHxLD
Threatray: 305 similar samples on MalwareBazaar
TLSH: T1496633059397C5C7FCA24A3F27B0173A76A650233E572709DF7869B8B879673C038986
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe Loader RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 152
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: No threats detected
Analysis date: 2021-09-17 05:15:57 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph: (rendered graph not reproduced) Behavior Graph ID: 484889, Sample: setup_x86_x64_install.exe, Startdate: 17/09/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-09-17 05:15:08 UTC
AV detection: 29 of 45 (64.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:xmrig botnet:ani botnet:medianew aspackv2 backdoor discovery dropper infostealer loader miner stealer suricata trojan vmprotect
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
XMRig Miner Payload
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
xmrig
Malware Config
C2 Extraction:
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
91.121.67.60:62102
45.142.215.47:27643
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: MALWARE_Win_MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.
