MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cbf19a8dbaba0978d5a52447c9cac23918c4394e751e0cde159d6e8b65c408f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 12



SHA256 hash: 2cbf19a8dbaba0978d5a52447c9cac23918c4394e751e0cde159d6e8b65c408f
SHA3-384 hash: 9dac7a2156dbb6896f9f47bd2bef3f954971c771daa9e609201be5c48b40e5338dac4f3a6e2ef50da1439092fa659f82
SHA1 hash: 610ac476a5279ebce1b9bbd1fa82ea4d6a6b76f6
MD5 hash: 06964489dfbd7a3395ed8d0e29479049
humanhash: ink-pennsylvania-fruit-oklahoma
File name: setup_x86_x64_install.exe
Signature: RedLineStealer
File size: 8'130'785 bytes
First seen: 2021-09-17 12:18:53 UTC
Last seen: 2021-09-17 12:18:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:yQlmx8rURxnbzbOQXHnW4uGCESvx6184oXF1/Nz30uCq8:yQl6CUvbzbdXnW4rCfi8xXh30u6
Threatray: 555 similar samples on MalwareBazaar
TLSH: T1DB86335576C3B9F6FE6C8E362674091CCAC87818A9F64B002F315E8B0156E07D2FA65F
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe Loader RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 191
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Malware family: RedLine stealer
Verdict: Malicious

Result
Threat name: RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph: graph rendering omitted (Behavior Graph ID: 485116; Sample: setup_x86_x64_install.exe; Startdate: 17/09/2021; Architecture: WINDOWS; Score: 100).
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-09-17 12:23:12 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:ani botnet:pab123 aspackv2 backdoor evasion infostealer stealer suricata themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Tnega Activity (GET)
Malware Config
C2 Extraction:
45.14.49.169:22411
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.142.215.47:27643
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: MALWARE_Win_MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments