MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21aba879ca90e3d4b3b58f61316b6b42c97d31f62dea2a0992460eece4bc0566. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RaccoonStealer

Vendor detections: 16

SHA256 hash: 21aba879ca90e3d4b3b58f61316b6b42c97d31f62dea2a0992460eece4bc0566
SHA3-384 hash: 9f0355daea68ec55ec78c26dd241bbd8c7096e912a3ab492463a6481ea2fb2bde70643a56cec335cbaaabd0908a54058
SHA1 hash: 4857f024aba6f14074d21d2870fb3c77aa42b1d6
MD5 hash: 8d5617cc370d4b5f5a128b798bd7b184
humanhash: early-nine-nebraska-august
File name: 21ABA879CA90E3D4B3B58F61316B6B42C97D31F62DEA2.exe
Signature: RaccoonStealer
File size: 6'596'850 bytes
First seen: 2021-12-03 21:41:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:yQ9EwfIMBMuCAXVGMY/RMdLVVikb4Y3Hu:ySQhA3QMNVFb4Y3Hu
TLSH: T1616633D272C2F506C23F10309E7276E5A9E5A9752A531F8393F089B57B397D2493E382
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RaccoonStealer


abuse_ch
RaccoonStealer C2:
23.88.118.113:23817

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                      ThreatFox Reference
23.88.118.113:23817 https://threatfox.abuse.ch/ioc/259023/
135.181.178.93:12952 https://threatfox.abuse.ch/ioc/259047/
91.241.19.213:46284 https://threatfox.abuse.ch/ioc/259048/
http://194.180.174.53/ https://threatfox.abuse.ch/ioc/259049/
http://ads-postback.biz/check.php https://threatfox.abuse.ch/ioc/259050/
95.143.178.132:21588 https://threatfox.abuse.ch/ioc/259051/

Intelligence

File Origin
# of uploads: 1
# of downloads: 273
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 21ABA879CA90E3D4B3B58F61316B6B42C97D31F62DEA2.exe
Verdict: No threats detected
Analysis date: 2021-12-03 21:43:18 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
DNS request
Creating a window
Sending an HTTP GET request
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys mokes overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RedLine SmokeLoader Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: [behavior graph image not reproduced; Behavior Graph ID: 533667, Sample: 21ABA879CA90E3D4B3B58F61316..., Startdate: 03/12/2021, Architecture: WINDOWS, Score: 100]
Threat name: ByteCode-MSIL.Trojan.Antiloadr
Status: Malicious
First seen: 2021-09-14 06:55:34 UTC
File Type: PE (Exe)
Extracted files: 225
AV detection: 35 of 45 (77.78%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani aspackv2 backdoor infostealer spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
Unpacked files
Detections: win_socelars_auto
SHA256 hash: 21aba879ca90e3d4b3b58f61316b6b42c97d31f62dea2a0992460eece4bc0566
MD5 hash: 8d5617cc370d4b5f5a128b798bd7b184
SHA1 hash: 4857f024aba6f14074d21d2870fb3c77aa42b1d6
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_onlyLogger
Author: ditekSHen
Description: Detects onlyLogger loader variants

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.