MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a227b8e84722b577247b94618314f2ff02a48a2f984c32391717a68df894586. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: 3a227b8e84722b577247b94618314f2ff02a48a2f984c32391717a68df894586
SHA3-384 hash: 78468d54638c46de79b84daa153aeea601272d20316c216ffad392115348dd3a11591da01de7d9aa90ec425f8243e117
SHA1 hash: 89a1629bfdc1cbbc52432c463aa9b6a1bbb443cd
MD5 hash: 590f1f37bd82f3e99c0fbd0667b07dc6
humanhash: island-march-pasta-island
File name: 3A227B8E84722B577247B94618314F2FF02A48A2F984C.exe
Signature: GCleaner
File size: 5'890'059 bytes
First seen: 2021-11-26 18:26:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xHCvLUBsgkc+5i51ilISSHHEunrhkhc1f0CnzcM8sOsTwvwZZXfVCbNwsc0nSW:xkLUCgBjW3KEimhm5nwMZOsTWwcnJ
Threatray: 1'686 similar samples on MalwareBazaar
TLSH: T1855633007D906679D803A376876CFFB6A2BE53B6063149971790DF8FC730A16922D29F
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
65.21.226.115:27660

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
65.21.226.115:27660      https://threatfox.abuse.ch/ioc/254928/
http://94.158.245.199/   https://threatfox.abuse.ch/ioc/254998/
168.119.104.184:22192    https://threatfox.abuse.ch/ioc/254999/

Intelligence


File Origin
# of uploads: 1
# of downloads: 165
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3A227B8E84722B577247B94618314F2FF02A48A2F984C.exe
Verdict: No threats detected
Analysis date: 2021-11-26 18:28:07 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
DNS request
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys exploit mokes overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph (ID: 529405, sample: 3A227B8E84722B577247B946183..., start date: 26/11/2021, architecture: WINDOWS, score: 100)

Sample-level network contacts and signatures:
  niemannbest.me 104.21.51.48, 443, 49782 CLOUDFLARENETUS United States
  162.159.135.233 CLOUDFLARENETUS United States
  topniemannpickshop.cc
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Antivirus detection for URL or domain
  Antivirus detection for dropped file
  22 other signatures

Process tree:
3A227B8E84722B577247B94618314F2FF02A48A2F984C.exe (started)
  dropped: C:\Users\user\AppData\...\setup_install.exe, PE32
  dropped: C:\Users\user\AppData\...\Sat15e8c63216.exe, PE32
  dropped: C:\Users\user\...\Sat15b8b2f72d066.exe, PE32
  dropped: 18 other files (12 malicious)
  setup_install.exe (started)
    network: 127.0.0.1 unknown unknown
    network: hsiens.xyz
    signature: Performs DNS queries to domains with low reputation
    signature: Adds a directory exclusion to Windows Defender
    cmd.exe (started)
      Sat15e8c63216.exe (started)
        network: 136.144.41.58, 49775, 49788, 80 WORLDSTREAMNL Netherlands
        network: 13 other IPs or domains
        dropped: C:\Users\...\I8e42LS2qWReeJBbaUbExNn6.exe, PE32
        dropped: C:\Users\user\AppData\...\search1001[1].exe, PE32
        dropped: C:\Users\user\AppData\Local\...\file1[1].exe, PE32
        dropped: 41 other files (12 malicious)
        signature: Antivirus detection for dropped file
        signature: May check the online IP address of the machine
        signature: Creates HTML files with .exe extension (expired dropper behavior)
        signature: Disable Windows Defender real time protection (registry)
    cmd.exe (started)
      Sat151c26af4f.exe (started)
        signature: Machine Learning detection for dropped file
        signature: Sample uses process hollowing technique
        signature: Injects a PE file into a foreign processes
    cmd.exe (started)
      Sat1530f0c335f3e12.exe (started)
        network: 3 other IPs or domains
        signature: Tries to harvest and steal browser information (history, passwords, etc)
    10 other processes
      signature: Adds a directory exclusion to Windows Defender
      Sat151f9d1b3d.exe (started)
        network: 2 other IPs or domains
      Sat153090de0aa35900.exe (started)
        network: t.gogamec.com 104.21.85.99, 443, 49772, 49780 CLOUDFLARENETUS United States
        dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32
        signature: Creates processes via WMI
      Sat15b8b2f72d066.exe (started)
        network: mas.to 88.99.75.82, 443, 49764 HETZNER-ASDE Germany
      5 other processes
        network: cdn.discordapp.com 162.159.134.233, 443, 49766, 49776 CLOUDFLARENETUS United States
        dropped: C:\Users\user\...\Sat154eed0f3ef689d35.tmp, PE32
        signature: Obfuscated command line found
        mshta.exe (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-11-22 03:13:00 UTC
File Type: PE (Exe)
Extracted files: 167
AV detection: 32 of 45 (71.11%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:916 botnet:ani botnet:she aspackv2 backdoor discovery evasion infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
https://mas.to/@sslam
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
135.181.129.119:4805
194.104.136.5:46013
Unpacked files

SHA256 hash | MD5 hash | SHA1 hash
a96e486b8fce8777c47b8cb34e7cc24708b3728c785775a0f3ce73b4045b690d | d02319bd2818d7362ff9e83282cbd7bc | 2729e315497fce193fe9f8045ad6a133bd8fd87f
630a641bebd6ded36fb1c42520e4c7ddc5ace49436dede6c255d8f12ddbfbe54 | cbbdd5a549a37602019203e20a21866a | 50c80b98548b24565decfa94c034b43b753a197a
a2c509a815f5e12c65d62f59f4be2507b706a1a826c3f6e977e8db6e198fab41 | a681d41d994a9ed82d2f698d9f7a03e0 | 13150985052230295133060d4548a31702059890
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052 | 6449aa2e023c5931ac91815ca54225ed | 65b5f4df2c28472469ddf924e6b0d0a61394c612
c1247651addf7c99d539ad3fccd6011e9f984bcaea0611e8dad09e8f6894e130 | d2ddcfee6999b3aeea0a9ea339deccf1 | fb4f6bcf4f0d4830eaa526dfce12e5ee2ef77dcd
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128 | de1b3c28ea026c0ede620dd78199ddc5 | ee402371a36bff44c765323ccd8c7e4a56bc8d12
8887613f5ceb136a7e516f3e8f4c0c9b149218efb7b721a59c9c5438cb342b3e | e67f325f360946aac003217f57682bef | ea3d0f586f38ed848351f1a75ce6ca83eeaa3ece
4fb996a70ae4f8f65ce2e6c5bca22e494baf425afa9939b07aff5069e15f85ca | 26fb224869cdc340397c8d1cc19ebb79 | 5bf62e8ddcc62301d9af246825fae3a5f4834d85
e72d4712c78044976a85b48b7de8ad8bccff6c5f1e1b79d83ef33279ecb7f854 | 72511d38fc92cb6bd1399f9ac4ff719d | 3e762ae357092e57e75be1e26008f84d2d18936e
f7bd20f20b99c00dc5a59cd715dadc81febb6e3966f49da21fda7c1b08a84ad4 | 8f54c1adeae8ee1f05f9e4b69726de9b | 3525571bc3a4b55493ea309594e080b1c6905868
ea84259fb5073383ccda85807e78d9c6c4b6c48e59d8b53e066d52eab037b762 | 90c215968f9cb5e511b9d4bc5a56b031 | 3099242cbc4e9a491b298c74d7e13cde25e1162f
174f4f8146a8998395b38774f52063130304ab214257d10badc37464578c8c1d | 7dc5f09dde69421bd8581b40d994ccd7 | 23788ae65ec05a9e542636c6c4e1d9d6be26d05c
61511de708c2fdd981a679db0b7f26c962f3dce6bb7ae2fac33cfb1e10656b61 | dc9dffa44428e1e42638a7f23d099d72 | 0b20f6c6d43b402335006a91f75bb029771370d0
51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f | 59073d016866002414aa2c915f8d1f6e | dc285bc11154c5d4b932514934bd16c71b2a3938
d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa | 4da644a647b164089629ff894110d9cf | 8f29d97853790d852203c0921c39609ee8c6b27e
642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e | 488029d7287523022a3a3c0fad808e36 | 1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db
b7400825df4e2e22e14b51b60809bb7706cd5f8c0c758c08dbb7f97ef3bd0597 | 1651d2eee32c15f79fd5f2e42551f4dc | f254b220184e991792401f4818bcae33ac37ad4f
9b431fc3cb254c2b515b60eed1d2f594fb6031cfbf55785050068f998889b5db | 181979e2e7928cd531a1bbc111b3c044 | 79f5a7941007069a48e3abb255dbb4dfbd4bd3ce
bd64d6669501b148a47432ebea1d8fd5b46d9cc8db8d054e5b9fd3e7d6b14398 | be68d9aadef0417ddb28f3458029032a | cb6e7baeaa270c2ecc89aef1bd21b07866956ad5
1e74940a9e1f35c456e728feec7a431391eddd53e1d7827de6357a7fad938738 | 3e678b8bea9741d0baa8a4189449a1be | dd34d3d253195e7d3a76993937f7ef3990d3e3b2
3a227b8e84722b577247b94618314f2ff02a48a2f984c32391717a68df894586 | 590f1f37bd82f3e99c0fbd0667b07dc6 | 89a1629bfdc1cbbc52432c463aa9b6a1bbb443cd

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time

Rule name: MALWARE_Win_Arechclient2
Author: ditekSHen
Description: Detects Arechclient2 RAT

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pe_imphash

Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments