MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27187e1f1917f183a153031046ed0eb140ba0c89ab9d8637081bf10743c41e18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 14


Intelligence 14 IOCs 4 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27187e1f1917f183a153031046ed0eb140ba0c89ab9d8637081bf10743c41e18
SHA3-384 hash: 59ba1b0056e21a74beacb4c8b28d6dd71af2817aaad1d1ba7624a121ed66d2bf277dea0216a5785e81fc049af56f54b3
SHA1 hash: e2b42857c56a289303f0f347e0026acda4f249ae
MD5 hash: ac64a47120757eae812a79d0dc42c983
humanhash: carpet-william-wisconsin-indigo
File name:ac64a47120757eae812a79d0dc42c983.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:4'505'191 bytes
First seen:2021-11-29 03:15:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:yncNiyJXtMs6y/KIbxh3sAgRDpn71T+MHotnFq:yQiGtMsx/JL3NIn71VI7q
Threatray 1'835 similar samples on MalwareBazaar
TLSH T182263359B6FAC833D5928B34B30FBD9A79D5C49755C1839C1BD00E2C2B528A24F2F726
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
185.223.92.157:44160

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.223.92.157:44160 https://threatfox.abuse.ch/ioc/255750/
46.3.199.41:53924 https://threatfox.abuse.ch/ioc/255859/
65.21.226.115:60392 https://threatfox.abuse.ch/ioc/255911/
185.215.113.109:62951 https://threatfox.abuse.ch/ioc/255912/

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ac64a47120757eae812a79d0dc42c983.exe
Verdict:
No threats detected
Analysis date:
2021-11-29 03:19:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c1bc276d-108f-4fbf-a626-6a56fe32f85f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Socelars-9897110-1
Create hunting rule

Win.Packed.Socelars-9898166-1
Create hunting rule

Win.Packed.Jaik-9899450-0
Create hunting rule

Win.Packed.Socelars-9901378-1
Create hunting rule

Win.Malware.Socelars-9901385-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
DNS request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
arkeistealer barys overlay packed
Link:
https://www.filescan.io/uploads/61a445f5c4c53141482117c9/reports/3ad0d298-2e78-4814-ba07-396ce479c637/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/adcb9c50-baf4-45f4-8805-ea1e70843350
Result
Threat name:
RedLine SmokeLoader Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897672
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 530150 Sample: PilHb37Gmt.exe Startdate: 29/11/2021 Architecture: WINDOWS Score: 100 66 people4jan.com 2->66 68 c.goatgameh.com 2->68 70 9 other IPs or domains 2->70 90 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->90 92 Multi AV Scanner detection for domain / URL 2->92 94 Antivirus detection for URL or domain 2->94 98 23 other signatures 2->98 10 PilHb37Gmt.exe 10 2->10         started        signatures3 96 Tries to resolve many domain names, but no domain seems valid 68->96 process4 file5 46 C:\Users\user\AppData\...\setup_installer.exe, PE32 10->46 dropped 13 setup_installer.exe 21 10->13         started        process6 file7 48 C:\Users\user\AppData\...\setup_install.exe, PE32 13->48 dropped 50 C:\Users\user\...\Sun06f8fab02c670.exe, PE32 13->50 dropped 52 C:\Users\user\...\Sun06f7438cb6efed5.exe, PE32 13->52 dropped 54 16 other files (11 malicious) 13->54 dropped 16 setup_install.exe 1 13->16         started        process8 dnsIp9 60 127.0.0.1 unknown unknown 16->60 62 hsiens.xyz 16->62 64 c.goatgameh.com 16->64 86 Performs DNS queries to domains with low reputation 16->86 88 Adds a directory exclusion to Windows Defender 16->88 20 cmd.exe 16->20         started        22 cmd.exe 16->22         started        24 cmd.exe 16->24         started        26 11 other processes 16->26 signatures10 process11 signatures12 29 Sun069960c6f7.exe 20->29         started        34 Sun0613218d4b52f3.exe 22->34         started        36 Sun06038ca0d2c8d6.exe 24->36         started        100 Adds a directory exclusion to Windows Defender 26->100 38 Sun06964bbec839856df.exe 12 26->38         started        40 Sun0645518ad2e7e5e9c.exe 26->40         started        42 Sun06a034a45f6864.exe 26->42         started        44 6 other processes 26->44 process13 dnsIp14 74 7 other IPs or domains 29->74 56 C:\Users\...\T028CrH4cOMruerKOq6GTuEg.exe, PE32+ 29->56 dropped 58 C:\Users\user\...58iceProcessX64[1].bmp, PE32+ 29->58 dropped 102 Antivirus detection for dropped file 29->102 104 Multi AV Scanner detection for dropped file 29->104 106 Detected unpacking (creates a PE file in dynamic memory) 29->106 108 Disable Windows Defender real time protection (registry) 29->108 76 5 other IPs or domains 34->76 110 Detected unpacking (changes PE section rights) 34->110 112 May check the online IP address of the machine 34->112 114 Machine Learning detection for dropped file 34->114 78 2 other IPs or domains 36->78 72 petrenko96.tumblr.com 74.114.154.22, 443, 49772 AUTOMATTICUS Canada 38->72 80 3 other IPs or domains 40->80 82 4 other IPs or domains 42->82 116 Tries to harvest and steal browser information (history, passwords, etc) 42->116 84 5 other IPs or domains 44->84 118 Injects a PE file into a foreign processes 44->118 120 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 44->120 file15 signatures16
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/27187e1f1917f183a153031046ed0eb140ba0c89ab9d8637081bf10743c41e18/
Threat name:
Win32.Trojan.Antiloadr
Create hunting rule
Status:
Malicious
First seen:
2021-11-27 03:43:52 UTC
File Type:
PE (Exe)
Extracted files:
171
AV detection:
34 of 45 (75.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e4mh4hyzc7yyhiktamien3iowfaludejvooymnyidpyqoq6edyma._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
3a227b8e84722b577247b94618314f2ff02a48a2f984c32391717a68df894586
CoinMiner
4cd754af5d3b9faa7e9626f79fccc35464224247a10f4d01ef502a0423e637a7
CoinMiner
77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59
CoinMiner
c9de02209482359466292be7bc0464fc65037698b38c1566cd331720e65f8ea0
CoinMiner
e1917f133b3838845a0611ae4e9ac5db1479461c18644d1739f058c2adc4d9cb
CoinMiner
ee96df216161f048ee9c50853b018f779d71bce1498f28a4d1b1bc3d797f14ac
CoinMiner
f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741
CoinMiner
+ 1'825 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani botnet:pab123 aspackv2 backdoor discovery evasion infostealer spyware stealer themida trojan
Link:
https://tria.ge/reports/211129-dsgnvsech5/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
https://petrenko96.tumblr.com/
45.14.49.169:22411
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.142.215.47:27643
Unpacked files
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
588626e5e2d07844f2b59eb51dce36bc8f6c123ceff817813bf4c31aebdd1bf5
MD5 hash:
8ecea1e237042ecd057de60e97b89e7a
SHA1 hash:
fb1a226b3c324c49d88ac6a6726f90641dc93977
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
0fd897b1e74f50e47526f974bf4906ecbe4a331b1ae4e2ec309fbee57a032586
MD5 hash:
4c3423a6e5e3337c71c551358f1334c1
SHA1 hash:
e3f59c4781ab6b19adb9eb85054a060b34c3df73
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
c02d2c9ae0b587f9b7631c443ce5a7d6d409c0a5d09ff6b389ca1330d44a1149
MD5 hash:
a91a81780273bb279790c1fbb6fb3105
SHA1 hash:
4bedae163300009aac8afa2c2b42ea6c184ca9dd
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
292053032a642a271b5fbaa64578c1a578936e3b0157f8fe103a42a541feb1c4
MD5 hash:
7b3e59fb9804a036ee80fcbda014bc26
SHA1 hash:
f04e4becee6a2bc3df6b36e1c402da70fabd3ffc
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
6ef5fc678b06a0c795a3a01b52993780005e896e66ec50de94d0d28b47d114df
MD5 hash:
2b757bca733c9b037b29e22fe8a3f94c
SHA1 hash:
ed621aa83c0d605c746239b34ec5d55b02088b58
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
a0b105907f5f5d0b5f3aafe22cb23e86ae37566d973c0903e1065825d1981397
MD5 hash:
52480333d188d9132d99e24cf99b11db
SHA1 hash:
e9780bde2d4fbba6cee682d23f6870abfa9e582f
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
21bf46a6b6e4a8728842909059cdd4429e894720ceeab5fef8ceb5a15f339f26
MD5 hash:
7765e3ece24e5f6963a50aaac4fa1b77
SHA1 hash:
cd6c9726704a0988d756741df7886e5271a7b5f6
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
83664d9745f1f75b770b960a253e5efc0ff4ee06b72083fa8be2bbf801328d3e
MD5 hash:
63846f6a2c15fb8d0bd80c63d8406aec
SHA1 hash:
c566c716ed8c3c69f63d866d2c7a041bdf00b4e5
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
9ca7dd73d1023f11563a8b627d2854d79aec322aeb4d737c0adf348edd2b8573
MD5 hash:
080489962858914e610e67ff25a7ef8f
SHA1 hash:
baa0094e8ff92978dc26a19e0cfc7ce1de23ab14
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
b2b2bae05e6a6de45c42f8b48624472e1d2ec48d4637651e9f5681cb83d5ada9
MD5 hash:
1f15c5b1210d30173309cf054dbd9e30
SHA1 hash:
b6dc33e7822da7180d9836210890d52869cbf7a5
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
1d04bbabdb6da4db379ca057ac0d63fb27d8891b01cf3ffcb94573be1853ecaf
MD5 hash:
d58b4be4f3dec4843801511def20ae7d
SHA1 hash:
90be9caf1efa58d6ea70ae6783bfc8e05bd9ea16
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
b2b56b58405941bcc5565c1378108239abe9296cf7e194bf08943aceb9822684
MD5 hash:
3bb090fab0db73cd8aed870d3278bb99
SHA1 hash:
41b210d3e8815ee5853c9e3e4cdeb58a2f36f379
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
092bea590204765646a241904a4ac3a5e62e7030677aadd534e2a6649180f9cb
MD5 hash:
867f9ce8bc2e055fabbe2f11fce3f13f
SHA1 hash:
418d20c7d50a00825c1817bf84c17d6dbcad0f01
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
85f0da38b7745220db51db64f4245b7cd86e1890fa7788f0034c7c17df10bd93
MD5 hash:
1c134e7f3457810c847b1f9d740529b2
SHA1 hash:
0c7100bf8e5b1fcab8d7ceff0ade42942a98ef4a
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
3fc47c586d46108bc293d260575c80182397629e56e8573f971e79882f162ee9
MD5 hash:
62800146856db6b09389b0a82aad83b5
SHA1 hash:
1a52ab89bdf4ca55cb52d0f9660fc03dc86a8bd3
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
db10b98a66f4c89cdaef233bb1965a58b3657fd05c59b258eaa25ad54557b97f
MD5 hash:
2d59969873b0f741aa1fbff0c32525a1
SHA1 hash:
795482ec9e7e11c160c5e8af7eb4fce6377f5ec4
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash:
21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash:
6dd1d6716cb93adef6c9b39490a79e77fd5396c9
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
c5f1bd5b44521ec087de7aba80a81225ef629627f9923b940bf822b8efecf0dc
MD5 hash:
a7332e5f806a54d0b9ee2d80418a7677
SHA1 hash:
4a7bbf0cdade1d530e9ee48ca20377e8b99ae721
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
31aa11cd47f0725fd64728bbb4f69ceb2c22f18346c2ad340d54132ac696e7d2
MD5 hash:
0f262618b24fc71b4de6ec6865e29582
SHA1 hash:
829492a1d244e447551f8cb7f091328564b89d03
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
61c2ddfc6e28e4f64b27f48c992379b84940de0f265e5b111fc7548eec0ac116
MD5 hash:
5558b9980c44a3f1c6ed3b024fc6eda3
SHA1 hash:
466424f32c1ed48815ae1cc9d8fb349db897af2e
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
bc888168bf434325e92927a0b794eee889303a92e78cee3524ac95eb0edd83cd
MD5 hash:
a3d97a96c2765a67eaae4f3c9c4c57fc
SHA1 hash:
e6317e29b1cf06ecdb8dc99fe167c57154d28eed
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
7c26b06cc0d843f152f9fa7e2d4f064514d2d402fe2c72fa4a1afb9cd0aa322c
MD5 hash:
37dc25cc57157f562094fa6ddb2a8bba
SHA1 hash:
4f8b36788838a4d7c3d3e04e674deba4bdfcb26c
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
SH256 hash:
27187e1f1917f183a153031046ed0eb140ba0c89ab9d8637081bf10743c41e18
MD5 hash:
ac64a47120757eae812a79d0dc42c983
SHA1 hash:
e2b42857c56a289303f0f347e0026acda4f249ae
Link:
https://www.unpac.me/results/9a7ef031-f62c-450d-8fb8-ee1ae9a74925/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/27187e1f1917/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27187e1f1917f183a153031046ed0eb140ba0c89ab9d8637081bf10743c41e18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_b
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments