MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GCleaner


Vendor detections: 13


Intelligence 13 IOCs 5 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31
SHA3-384 hash: fde92b0155f373a42a5e39663c9a0973e739caca7a3ce1e191bf76f97bb418916ef98eb8b98409407911af2181521924
SHA1 hash: ec6a95ef49713e2b024cc0b77168381dd2d3f056
MD5 hash: f108ef2b7fb1d0cf3b03ac8c720ef2f5
humanhash: william-one-princess-california
File name:22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe
Download: download sample
Signature GCleaner
Create hunting rule
File size:7'667'623 bytes
First seen:2021-11-23 13:32:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:yMFqEB/7SQiRSfjpXABgy0Mbg8pkGwkRS3gkYZjn9O:yMFXjJhflggy0EpkRivpO
TLSH T10D763317308E80FAEA340AFD21324573F8D8F593546A661BCFA678117DDB96368073DA
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe gcleaner


Avatar
abuse_ch
GCleaner C2:
49.12.219.50:4846

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.215.113.29:26828 https://threatfox.abuse.ch/ioc/252087/
49.12.219.50:4846 https://threatfox.abuse.ch/ioc/253505/
176.122.25.128:49897 https://threatfox.abuse.ch/ioc/253519/
45.14.49.184:40979 https://threatfox.abuse.ch/ioc/253520/
194.26.232.163:5739 https://threatfox.abuse.ch/ioc/253521/

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe
Verdict:
No threats detected
Analysis date:
2021-11-23 13:44:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c5f6482-cdbd-44c3-a7ed-8d6537dcce08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Win.Packed.Socelars-9901323-1
Create hunting rule

Win.Packed.Socelars-9901373-1
Create hunting rule

Win.Packed.Socelars-9901382-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619ced9302c80febc2a71ba0/reports/9d32b624-5aac-4ab7-b285-36dc25f4e10f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2ff86fc-a77b-4a7f-915f-d3ad8539036a
Result
Threat name:
RedLine SmokeLoader Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894747
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 527222 Sample: 22BA4262D93379DE524029DAFC7... Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 70 208.95.112.1 TUT-ASUS United States 2->70 72 20.189.173.20 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->72 74 7 other IPs or domains 2->74 92 Antivirus detection for URL or domain 2->92 94 Antivirus detection for dropped file 2->94 96 Antivirus / Scanner detection for submitted sample 2->96 98 21 other signatures 2->98 10 22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe 10 2->10         started        signatures3 process4 file5 46 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->46 dropped 13 setup_installer.exe 21 10->13         started        process6 file7 48 C:\Users\user\AppData\...\setup_install.exe, PE32 13->48 dropped 50 C:\Users\user\AppData\...\Fri14fd46b68bd.exe, PE32+ 13->50 dropped 52 C:\Users\user\...\Fri14e5a04914b596.exe, PE32 13->52 dropped 54 16 other files (10 malicious) 13->54 dropped 16 setup_install.exe 1 13->16         started        process8 dnsIp9 68 127.0.0.1 unknown unknown 16->68 90 Adds a directory exclusion to Windows Defender 16->90 20 cmd.exe 16->20         started        22 cmd.exe 16->22         started        24 cmd.exe 16->24         started        26 8 other processes 16->26 signatures10 process11 signatures12 29 Fri144fc72ae8ff3.exe 20->29         started        34 Fri14cd6206e935a5.exe 22->34         started        36 Fri146b97e676608e.exe 24->36         started        100 Adds a directory exclusion to Windows Defender 26->100 38 Fri1477cbb75ea13f.exe 2 26->38         started        40 Fri14cceb42198d72.exe 26->40         started        42 Fri1486dbd994.exe 2 26->42         started        44 3 other processes 26->44 process13 dnsIp14 76 136.144.41.58 WORLDSTREAMNL Netherlands 29->76 78 103.155.93.165 TWIDC-AS-APTWIDCLimitedHK unknown 29->78 86 16 other IPs or domains 29->86 56 C:\Users\...\qNqCmjhyQ12WJoz1Nctv8NQh.exe, PE32 29->56 dropped 58 C:\Users\user\AppData\Local\...\file3[1].exe, PE32 29->58 dropped 60 C:\Users\user\AppData\...\udptest[1].exe, PE32 29->60 dropped 66 38 other files (13 malicious) 29->66 dropped 102 Antivirus detection for dropped file 29->102 104 Machine Learning detection for dropped file 29->104 106 Tries to harvest and steal browser information (history, passwords, etc) 29->106 108 Disable Windows Defender real time protection (registry) 29->108 80 91.121.67.60 OVHFR France 34->80 110 Detected unpacking (changes PE section rights) 34->110 112 Query firmware table information (likely to detect VMs) 34->112 114 Tries to detect sandboxes and other dynamic analysis tools (window names) 34->114 124 2 other signatures 34->124 116 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->116 126 2 other signatures 36->126 118 Injects a PE file into a foreign processes 38->118 82 172.67.204.112 CLOUDFLARENETUS United States 40->82 62 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 40->62 dropped 120 Creates processes via WMI 40->120 64 C:\Users\user\AppData\...\Fri1486dbd994.tmp, PE32 42->64 dropped 122 Obfuscated command line found 42->122 84 8.8.8.8 GOOGLEUS United States 44->84 88 2 other IPs or domains 44->88 file15 signatures16
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31/
Threat name:
Win32.Trojan.SmallDownloader
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 07:32:42 UTC
File Type:
PE (Exe)
Extracted files:
414
AV detection:
37 of 45 (82.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ek5eeywzgn454usafhnpy5ji4qy6k2rczmutv5yiyzy5pw4adqyq._file
Verdict:
malicious
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars botnet:ani botnet:jamesfuck aspackv2 backdoor discovery evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211123-qtjaasabhn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
65.108.20.195:6774
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
45.142.215.47:27643
Unpacked files
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
078b80b059f5db99874557c13a13f9916674fef20eaac89337cb9f14ee97405e
MD5 hash:
a8bc5553733d6e68753d63747eed87d6
SHA1 hash:
f9210ad415b8d1a0c4a88b62ff6f05d0128df05e
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
9253c070a4a5ce357909556505b49ccd25b5a21789064621393a61df2dbfc515
MD5 hash:
1b0354c000633a8862638f65a19442dc
SHA1 hash:
ea04a876808c63b899895383d5dfe9c026a36853
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
d5896f8d00c6688b5b2a6f84d8ae3f3d1e136512624cb96054ca0db51af53dff
MD5 hash:
6e1cf5a21e2cbfab1a3fad4e5ff360c2
SHA1 hash:
c37f14af2efba855033d2221bbec13d436427ccd
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
9dcf478e78a1ab8f8ea35f853bce86c198e1f2e08e4121079e3b6f13055455c3
MD5 hash:
0272d1265e6a0ebe9dc2af58b9005b7f
SHA1 hash:
98efa29fdc8a73acde9064348761d87ccedf8cfc
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
MD5 hash:
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1 hash:
eb9a4185ddf39c48c6731bf7fedcba4592c67994
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1
MD5 hash:
51b73b4d3041eb2d32a29dca61059549
SHA1 hash:
9845a8e5716e5e16ffc33ceccae9abf52872a2b5
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
084b69db467568f37bf702d96427506ddf8d21c103f77acedc12cb481c328adc
MD5 hash:
6c68b41adeb8206d6fa0558d1eec565b
SHA1 hash:
928994fcbd01cb08ed04139d6a55856e761affa0
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
655979cb929aec2baa28806f523bd9f8311092cbdf22c04122f5bf91beb3adc3
MD5 hash:
c68dcf1b3ac869a354526de6b0312296
SHA1 hash:
78a559d04afcd6e985e69f3a6c4ca038864a3629
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
d1b9c71f3299e9c6824f47485a1d142a4ca61608b174949bfdc6aa12dcf2fcf1
MD5 hash:
ee38d051cf471c05645517f6b90745d4
SHA1 hash:
66b639304cfe3a3a90ec860348587b1a8789e408
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
162eea41fce8685027d4c02642ea772b5505afa58107b0637062b9893b07804a
MD5 hash:
f324ab2101d56fd9aaf7e16845ff05da
SHA1 hash:
1a99c5939e5b4c041848e29b9e06d8f4dd5bcd66
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
4e432b50574a21645fa581ab0fe0c32320d386662aed2445957f2297738bbc6a
MD5 hash:
efe42699a191d2238980632c67473a94
SHA1 hash:
bc56eb8d42f859a7bba923b38b2571d9bfab71fa
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
a424e187a1087c41d850e10918b83f2b277fdc370bb0a45291eb5ba658a8c595
MD5 hash:
fd0ab77f7b2ddccf7db09b91d247d29e
SHA1 hash:
453fe9dc80769a8807af994cbc6eb7517336ba50
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
c7bbf2331fd785a89ab20fc534fe48c620eb99c03fe9690dfacae44dae39c580
MD5 hash:
dc3fff93ffb0a6d39edcae84b5f5e508
SHA1 hash:
6e1dfda8f040620c417a46a205562b58a1a971f3
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
f66b5cbb0a2e11b00cc54b649477d658353c2e0a7ba7dd0d818ae459b93c98cf
MD5 hash:
a7e4aed93c86a0bd9fb05ddbb74939fc
SHA1 hash:
803a2e003c1160cbf68805a1c058d4153a9a0289
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
SH256 hash:
22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31
MD5 hash:
f108ef2b7fb1d0cf3b03ac8c720ef2f5
SHA1 hash:
ec6a95ef49713e2b024cc0b77168381dd2d3f056
Link:
https://www.unpac.me/results/0663199e-97b3-4706-9cbe-ea7eed093cb1/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/22ba4262d933/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22ba4262d93379de524029dafc7528e431e56a22cb293af708c671d7db801c31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_b
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208698/

Comments