MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N-W0rm
Vendor detections: 17


SHA256 hash: 2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
SHA3-384 hash: caaea72775ddd0caaf6dbc914c8ff11fe61394b0d50a634650c3eb745da37e42f18e5a13ecbfae960510f0e97b4971ae
SHA1 hash: 3020acf6e6493d6387e60bdbb6a3d6d895c85726
MD5 hash: 4792058ffed5c341273deda070de0805
humanhash: maine-vegan-romeo-lion
File name: 2C3382E9EB5BBBFE86A88F9D8A75557C3F60707AF088C.exe
Signature: N-W0rm
File size: 7'362'074 bytes
First seen: 2022-09-16 15:05:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xXLUCgOYr1yYDb8Irpd6lT9smQeJtegm5diN4vQ4KQcubAGI:xbdgVsoIDzX3JtTMdiWvRKlu5I
Threatray: 1'301 similar samples on MalwareBazaar
TLSH: T1D57633117EC181F1C99201B58BA84EB63A6696C087341DD33B7E874EA97CC47E3694EF
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe N-W0rm


abuse_ch
N-W0rm C2:
162.19.158.30:81

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
162.19.158.30:81         https://threatfox.abuse.ch/ioc/850051/
http://195.201.253.5/    https://threatfox.abuse.ch/ioc/850075/
77.73.134.27:8163        https://threatfox.abuse.ch/ioc/850076/

Intelligence


File Origin
# of uploads: 1
# of downloads: 315
Origin country: n/a

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: 2C3382E9EB5BBBFE86A88F9D8A75557C3F60707AF088C.exe
Verdict: Malicious activity
Analysis date: 2022-09-16 15:06:58 UTC
Tags: trojan rat redline evasion arkei

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Sending an HTTP GET request
DNS request
Creating a file
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitCoin Miner, Nymaim, RedLine, Socelars
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
DNS related to crypt mining pools
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected BitCoin Miner
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 704248; sample: 2C3382E9EB5BBBFE86A88F9D8A7...; start date: 16/09/2022; architecture: WINDOWS; score: 100), rendered here as a process tree reconstructed from the graph's nodes and edges:

Sample-level network: best-supply-link.xyz; a.goatgame.co (Tries to resolve many domain names, but no domain seems valid); 12 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 25 other signatures

2C3382E9EB5BBBFE86A88F9D8A75557C3F60707AF088C.exe (started)
  dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Thu17f345ae61.exe (PE32); C:\Users\user\AppData\...\Thu17d49e15c544.exe (PE32); 17 other files (12 malicious)
  setup_install.exe (started)
    network: hsiens.xyz; 127.0.0.1 unknown unknown
    signatures: Multi AV Scanner detection for dropped file; Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
    cmd.exe (started)
      Thu17719018fd25e31b.exe (started)
        dropped: C:\Users\user\AppData\Local\Temp\2.exe (PE32); C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\...\PublicDwlBrowser1100.exe (PE32); 2 other files (none is malicious)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        2.exe (started)
          network: tytstys.info 188.114.96.3, 443, 49801, 49947 CLOUDFLARENETUS European Union
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        PublicDwlBrowser1100.exe (started)
        setup.exe (started)
        Chrome 5.exe (started)
          dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
    cmd.exe (started)
      Thu174bef2c1775.exe (started)
        dropped: C:\Users\user\AppData\...\sampason12345.exe (PE32)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        sampason12345.exe (started)
          conhost.exe (started)
    cmd.exe (started)
      Thu17f345ae61.exe (started)
        network: software-services.bar; inhibitionclothing.bar; dependstar.bar
        signatures: Detected unpacking (changes PE section rights); May check the online IP address of the machine
    15 other processes
      signatures: Adds a directory exclusion to Windows Defender
      Thu1757015d821.exe (started)
        network: ip-api.com 208.95.112.1, 49738, 80 TUT-ASUS United States
        signatures: Tries to detect virtualization through RDTSC time measurements
      Thu17ac77ffccd913.exe (started)
        signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
      Thu17b45f47be2f.exe (started)
        network: 5 other IPs or domains
        2 other processes
      9 other processes
        network: a.goatgame.co (Tries to resolve many domain names, but no domain seems valid); 13 other IPs or domains
        dropped: C:\Users\user\...\Thu17c2616fc2b6c.tmp (PE32)
        signatures: Obfuscated command line found
        Thu17c2616fc2b6c.tmp (started)
          network: safialinks.com; best-link-app.com; 192.168.2.1 unknown unknown
          dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        explorer.exe (injected)
        Thu1775e22982baa.exe (started)
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-09-18 09:54:00 UTC
File Type: PE (Exe)
Extracted files: 143
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:fabookie family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:vidar family:xmrig botnet:706 botnet:ani botnet:install123 botnet:medianew aspackv2 backdoor infostealer loader miner spyware stealer trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Executes dropped EXE
VMProtect packed file
OnlyLogger payload
Vidar Stealer
XMRig Miner payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
OnlyLogger
PrivateLoader
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Vidar
xmrig
Malware Config
C2 Extraction:
http://37.0.10.244/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
185.204.109.42:80
91.121.67.60:62102
https://dimonbk83.tumblr.com/
45.142.215.47:27643
Unpacked files

SHA256 hash: d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash: 70220a3ce6ffd34101b3770342505f2c
SHA1 hash: b55c421634d8eeaec5c6193f34c04625d21a9ae9

SHA256 hash: 36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash: 4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash: a67cf6a62a6cabec501aa2f14e97c48b71dbd97c

SHA256 hash: 3e81ab1c3d9d5295d6835cb657387c13aa0fbfb7ebbe8dcd37986c08b162070a
MD5 hash: 45cee3df1b41e7d8fd2edd322cbceb22
SHA1 hash: eb66d63dd614da98f1c2e5692be0665fa6aa2d3f

SHA256 hash: 5f463952815ce4f763e9f4b3b72ed70ad82f74a69a271fc2b1588055c3fec4cc
MD5 hash: 21775ff041e7277d87aa8fdf1e09da6c
SHA1 hash: 6dd1d6716cb93adef6c9b39490a79e77fd5396c9

SHA256 hash: c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94
MD5 hash: 3367116dc59fc2b806bb5ec8c36bf2b6
SHA1 hash: f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f
Detections: win_vidar_auto

SHA256 hash: 1c25cf63ef5ab14f293ea29c88f1aa4be0423de32c588d18e8bc1d2e3b940144
MD5 hash: 0e0a60c252f2ca0b5621d61fe9ffdf43
SHA1 hash: b191d77d9af5213360960496516a8355c52dcfe5

SHA256 hash: fbfde66279ae1e4aabb4e59fb763097cb0f1368472e31d174db10c81a26fd7c2
MD5 hash: 2be942a0f8baef765c00965326379f1d
SHA1 hash: 7c7b71710aca8e19fc5f49d925a0e7e9214c8934

SHA256 hash: 944321e2cb8d7988c839d69e538b66abe29c2f4e7517876df534cb0289d23002
MD5 hash: c5f04a2b6fc9c0eb62ad6220bfe3ca71
SHA1 hash: da4ac71ef77734c526be51d41fcea0fc5cf8a10a

SHA256 hash: 05408f82b4d21a8fd7b2c509209d3e971faaf83a714ec69a1e7630788b5efa8b
MD5 hash: 438127e43c5681ab0c871a24f25d5f85
SHA1 hash: cd31fbdc5c05a1bac7019d9ed19f4fc2f7c69c82

SHA256 hash: da6e2470414935131c3a094758be78605ec1c1ba8ddc755d175ac73763cc307a
MD5 hash: 03cd7541a32149209ecec14115466bc3
SHA1 hash: bff67b407cffb1d3f3afbbcee15046e968204af3

SHA256 hash: 6421351d6d55cb2d1ee2d6b009020e4d0f0a5817d152088beb096c462efa904a
MD5 hash: 7e4cc370db6ce2bfa3ffc39e9b939cf8
SHA1 hash: aa02fbef07c9c12bee1602725e1b8b785d6c7faa

SHA256 hash: 664de41bcae96fd26c460b9d5b08a23bb1da0daa8a91aac1d34d6cb0cc110934
MD5 hash: d81ef383621321b9a9738ad70a30eef7
SHA1 hash: 9d939541cda19df17401cb083f49037d56ef7519

SHA256 hash: 5cdb0d98dec4a41f6a4311e5c0369cbefce5c8ed00628631f931dd4c2d700dcd
MD5 hash: 088b2ab23e9d70d2fe494fd27238db8e
SHA1 hash: 7f150a63bedb6d5338754d4abcd3e8876646806b

SHA256 hash: 00a2314fc727b7c40bea4ab3c3c5a200d46633df6bbf0b9462647287347d8c1e
MD5 hash: 80a74c2caf931ffc80fa153e839a231e
SHA1 hash: 6d7d366268f57c03d8f40153f31ee19e800875e1
Detections: PrivateLoader win_privateloader_w0 win_privateloader_a0

SHA256 hash: 650ca18800aa5e65a77be7bb27d1bd1b451726d533ffe77e1a4c95879ea76852
MD5 hash: ea6b09a8981be18adb90fe8d49d04b94
SHA1 hash: 5f4740db565cd71d9091c5c1f7d3f669b5474ace

SHA256 hash: 52701e2808de643baf6789222e4c2422cca70733222cd2e6d0b9f36a4f6eeabc
MD5 hash: 71a718d5f6f6a69ce1e844fec2a06f53
SHA1 hash: 5e3d339c99bb37e485eeadb71c9aa72a8e06fdab

SHA256 hash: 59f4a0fe094e49036faf5bd236b95803abcc3ae0627724eeacd61297bb36700f
MD5 hash: b1a3f081a237c235f3eba88838627879
SHA1 hash: 47269833ee79064f3a9d26bd59577f3ac147d30b

SHA256 hash: 10c09d7e07ecf506047dd1424e74c672233b5ca062953ebb3efc9e3165012ed6
MD5 hash: 216771e5b88bc8fd8f9fb633152b2685
SHA1 hash: 02318588ad0ebaa07233167b7707cd1e26d08ee4

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 46447973b31e096bbc2a75fbac775e4d968e0441700bfc4f2ea96870924e943b
MD5 hash: c53091e74c69ce94ca7e12167f21cd54
SHA1 hash: 4f41505a4af5678c9ae05903a88ce502c201cdf8
Detections: win_socelars_auto

SHA256 hash: 687b8bcd19a3d919e5e19b4a25ee8dc30bb375c4cebf4eaf1d191a514319b013
MD5 hash: d02d3c8bbab39097b155cd818e2f9b24
SHA1 hash: f53b2f8d07fd2c3322c6eab3e1a39312454ca483
Detections: PrivateLoader win_privateloader_w0 win_privateloader_auto win_privateloader_a0

SHA256 hash: 4a8122bfbdd6f7594a0e467ba5ce4003505888a1d7dd08aba23ff7b85fa11a0a
MD5 hash: 1de03abb2566ab5ed23df8a679612756
SHA1 hash: 153f6178f1fdd05a4056c6a0f9c255d7db624412

SHA256 hash: 3e681b5fde17b66a2101d4a95a1235f99ff7c145e1179668cbe74e0c7fe91814
MD5 hash: 8b8c19fe8cf15123b01cc2f403bd35d1
SHA1 hash: 0e70ab22937a243acb5ef89166f8da03c5f6ab7a

SHA256 hash: 7fb44ce89c25e215b29d265cb112f426375d466df025a38790a834510f0071ab
MD5 hash: dda81823e6cf941a465b144168bc1bec
SHA1 hash: 3512ae948e5e39340ed64e6b401ffa4f5eb21e51

SHA256 hash: 2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
MD5 hash: 4792058ffed5c341273deda070de0805
SHA1 hash: 3020acf6e6493d6387e60bdbb6a3d6d895c85726
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RansomwareTest3
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest4
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: RansomwareTest5
Author: Daoyuan Wu
Description: Test Ransomware YARA rules

Rule name: Record_Breaker_Similarities
Author: DigitalPanda

Rule name: Redline32
Author: Muffin
Description: This rule detects Redline Stealer

Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.