MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36c1f3654cff0f52dbf25a437622ade0b2be6c6176f6b793fa5cf53d0802c335. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 18



SHA256 hash: 36c1f3654cff0f52dbf25a437622ade0b2be6c6176f6b793fa5cf53d0802c335
SHA3-384 hash: a6fa668fc383ba7f8c916032daee1af8c8efb27f759645a87cdcdadc222b621732bda172247ba9659bf45db63a9d9277
SHA1 hash: 0ef15ce7655542b2486714b2e439a73bb5138b7f
MD5 hash: 15cefc23ed5d14bb3027323ac5888aa2
humanhash: mobile-cold-orange-montana
File name: 15cefc23ed5d14bb3027323ac5888aa2.exe
Download: download sample
Signature: Stealc
File size: 223'716 bytes
First seen: 2025-12-19 20:50:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9d20241135260a6283527b95f11fc551 (3 x Amadey, 2 x Stealc, 2 x SVCStealer)
ssdeep 3072:BXkar/0FrzaBRdbOOQsiSCvUVZU3MFK9GKHrZIeOb+5g/+d0PWA+lS:BXkar/a/BOQetZU3MsGkZIpbJ+d4q
Threatray 18 similar samples on MalwareBazaar
TLSH T1EE249C203781C0B1E5B302B54A3CAB26457DBE610B751ACBF7EC0D9D4AB46C26B357A7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags: exe Stealc


abuse_ch
Stealc C2:
196.251.107.104:8808

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 196.251.107.104:8808
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1683539/

Intelligence


File Origin
# of uploads :
1
# of downloads :
123
Origin country :
NL
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
15cefc23ed5d14bb3027323ac5888aa2.exe
Verdict:
Malicious activity
Analysis date:
2025-12-19 20:51:58 UTC
Tags:
loader stealer stealc auto auto-reg crypto-regex clipper diamotrix amadey botnet auto-sch arch-doc powershell rdp offloader svc rat asyncrat remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
asyncrat autorun emotet
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-debug autorun crypt fingerprint lolbin microsoft_visual_cc update xpack
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-14T20:04:00Z UTC
Last seen:
2025-12-21T04:43:00Z UTC
Hits:
~100
Detections:
Trojan-Dropper.Win32.Injector.sb Trojan-Banker.Win32.ClipBanker.aglj Trojan.Scar.HTTP.C&C VHO:Trojan-PSW.Win32.Lumma.gen Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Shellcode.jat Packed.Win32.Redpill.sb HEUR:Worm.Win32.Generic Trojan.Win32.Inject.sb Trojan.Gatak.TCP.C&C HEUR:Backdoor.MSIL.SheetRat.gen Trojan-Downloader.Agent.HTTP.C&C Backdoor.Win32.Mokes.c HEUR:Backdoor.MSIL.Crysan.gen Backdoor.Win32.Zegost.sb VHO:Backdoor.Win32.Androm.gen Trojan-PSW.Lumma.HTTP.C&C Trojan-Dropper.Win32.Dapato.sb Trojan-PSW.Win32.Lumma.ynu Trojan-PSW.Win32.Lumma.yiu Trojan.Win32.Gatak.gmt Trojan.Win32.Agent.sb HEUR:Trojan-PSW.Win32.Lumma.gen Backdoor.MSIL.Crysan.b Trojan-Banker.Win32.ClipBanker.sba Trojan.Win32.Pakes.Redpill.sb VHO:Trojan-Banker.Win32.ClipBanker.gen Trojan.Patched.HTTP.ServerRequest Backdoor.MSIL.Crysan.sb Backdoor.MSIL.Crysan.fb Trojan-Banker.Win32.ClipBanker.agfq Trojan.Win64.Agent.sb Trojan-PSW.Win32.Pycoon.sb Trojan.Agentb.TCP.C&C Backdoor.Win32.Mokes.sb Backdoor.MSIL.Crysan.d Trojan-PSW.Win32.Lumma.yxp Trojan.Win32.Vimditator.sb Trojan.Agent.HTTP.C&C MEM:Trojan.Win32.Cometer.gen Backdoor.Win32.Androm Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.Lumma.yiv Trojan-Banker.Win32.ClipBanker.sb Trojan.Win32.Yakes Trojan.Win32.Gatak.gnm Trojan-Downloader.Win32.Dapato Trojan-PSW.Win32.Lumma.yhz HEUR:Trojan-Banker.Win32.ClipBanker.gen HEUR:Trojan.Win32.Generic Trojan.Win32.Shellcode.sb HEUR:HackTool.Win32.Inject.heur Trojan.Snojan.HTTP.C&C Trojan-PSW.Lumma.HTTP.Download Trojan-Downloader.Win32.Inject.sb Trojan-Downloader.Win32.Agent.sb PDM:Trojan.Win32.Generic VHO:Trojan-PSW.Win32.Convagent.gen VHO:Trojan-Downloader.Win32.Deyma.gen
Result
Threat name:
Amadey, AsyncRAT, Clipboard Hijacker, St
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Potentially malicious time measurement code found
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Stealc v2
Yara detected SvcStealer
Behaviour
Behavior Graph: Behavior Graph ID 1836521, sample 66O3WcE3k6.exe, start date 19/12/2025, architecture WINDOWS, score 100 (the rendered graph is not reproduced here; the signatures, dropped files and network indicators it summarises are listed in the Signature, Malware Config and IOC sections of this entry).
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Spyware.Stealc
Status:
Malicious
First seen:
2025-12-18 09:45:47 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
2/5
Result
Malware family:
svcstealer
Score:
10/10
Tags:
family:amadey family:stealc family:svcstealer botnet:a3dacb botnet:crypted botnet:vvc discovery downloader execution installer persistence spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Amadey
Amadey family
Detects Amadey x86-bit Payload
Detects SvcStealer Payload
Stealc
Stealc family
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://62.60.226.159/zbuyowgn/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://196.251.107.61/diamo/data.php
http://196.251.107.23
http://158.94.208.102
http://178.16.53.7
Unpacked files
SHA256 hash:
36c1f3654cff0f52dbf25a437622ade0b2be6c6176f6b793fa5cf53d0802c335
MD5 hash:
15cefc23ed5d14bb3027323ac5888aa2
SHA1 hash:
0ef15ce7655542b2486714b2e439a73bb5138b7f
Malware family:
Stealc.v2
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:bumblebee_win_generic
Author:_kphi
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:INDICATOR_SUSPICIOUS_ReflectiveLoader
Author:ditekSHen
Description:Detects Reflective DLL injection artifacts
Rule name:pe_detect_tls_callbacks
Rule name:ProgramLanguage_Rust
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:ReflectiveLoader
Author:Florian Roth (Nextron Systems)
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upx_largefile
Author:k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments