MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c4448ece87d915a3be7c71f4f6c99828849ae0aae5f26a3eb46ca5bd7dc7171. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c4448ece87d915a3be7c71f4f6c99828849ae0aae5f26a3eb46ca5bd7dc7171
SHA3-384 hash: f48fd52ab3b132aee4bc10d6efcdbdeb1263a56ba04543a2c70072dbb80fa50f2f4eb29830f22fe89a76114113592653
SHA1 hash: ee20e014dd07a926f50e80fda2e8e9d657afce04
MD5 hash: 56334939ffc01e787bbbd4d1f112eda2
humanhash: mango-eighteen-bakerloo-earth
File name:3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:4'444'108 bytes
First seen:2022-10-04 20:40:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JcZlndcxBPesieiawSduvifCT7JsBxrWBck+ogHryTZ+4:JcZJdcJiaHtafJsTCWjHrMZ+4
TLSH T157263332B4E2D7B3C94B6379BD3744510BC8E652544B6896FC5B28F3287B606E04DCB9
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
94.140.115.234:81

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.140.115.234:81 https://threatfox.abuse.ch/ioc/870587/
http://64.44.102.116/ https://threatfox.abuse.ch/ioc/870588/

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316640/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Running batch commands
DNS request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41164/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
barys overlay packed raccoon shell32.dll
Link:
https://www.filescan.io/uploads/633c9a5f90cb824e9da01ff9/reports/2b9415b4-41c0-4e41-bfb0-ab986f230b0a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69ec6315-e14e-409f-a098-4f9b9eb7de9c
Result
Threat name:
MedusaHTTP, Nymaim, PrivateLoader, Racco
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083600
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copy itself to suspicious location via type command
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected MedusaHTTP
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 716154 Sample: 3C4448ECE87D915A3BE7C71F4F6... Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 128 xv.yxzgamen.com 2->128 130 www.filifilm.com.br 2->130 132 16 other IPs or domains 2->132 148 Snort IDS alert for network traffic 2->148 150 Multi AV Scanner detection for domain / URL 2->150 152 Malicious sample detected (through community Yara rule) 2->152 154 29 other signatures 2->154 13 3C4448ECE87D915A3BE7C71F4F6C99828849AE0AAE5F2.exe 10 2->13         started        signatures3 process4 file5 112 C:\Users\user\AppData\...\setup_installer.exe, PE32 13->112 dropped 16 setup_installer.exe 22 13->16         started        process6 file7 78 C:\Users\user\AppData\...\setup_install.exe, PE32 16->78 dropped 80 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 16->80 dropped 82 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 16->82 dropped 84 17 other files (16 malicious) 16->84 dropped 144 Multi AV Scanner detection for dropped file 16->144 20 setup_install.exe 1 16->20         started        signatures8 process9 dnsIp10 134 127.0.0.1 unknown unknown 20->134 136 marianu.xyz 20->136 174 Multi AV Scanner detection for dropped file 20->174 176 Performs DNS queries to domains with low reputation 20->176 178 Adds a directory exclusion to Windows Defender 20->178 180 Disables Windows Defender (via service or powershell) 20->180 24 cmd.exe 20->24         started        26 cmd.exe 1 20->26         started        28 cmd.exe 20->28         started        30 15 other processes 20->30 signatures11 process12 signatures13 33 Mon036894b6d48ff5f.exe 24->33         started        38 Mon03d03855b9f79.exe 26->38         started        40 Mon03b269e8868.exe 28->40         started        182 Adds a directory exclusion to Windows Defender 30->182 184 Disables Windows Defender (via service or powershell) 30->184 42 Mon03379d13a2633.exe 30->42         started        44 Mon03023f5df7427c80a.exe 1 6 30->44         started        46 Mon03ad1a39db.exe 30->46         started        48 10 other processes 30->48 process14 dnsIp15 114 vk.com 93.186.225.194, 49774, 49775, 49780 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 33->114 120 13 other IPs or domains 33->120 90 C:\Users\...\ydtMezpInoLajzPgOuIiBLdI.exe, PE32 33->90 dropped 92 C:\Users\...\tv3ryrKVAsuh4Nuw22HmM8YR.exe, PE32 33->92 dropped 94 C:\Users\...\pk18ZhcNKWFd9e7VvRqQmE5_.exe, PE32 33->94 dropped 98 18 other malicious files 33->98 dropped 156 Antivirus detection for dropped file 33->156 158 Multi AV Scanner detection for dropped file 33->158 160 May check the online IP address of the machine 33->160 172 3 other signatures 33->172 96 C:\Users\user\...\Mon03d03855b9f79.tmp, PE32 38->96 dropped 162 Obfuscated command line found 38->162 50 Mon03d03855b9f79.tmp 38->50         started        164 Machine Learning detection for dropped file 40->164 166 Sample uses process hollowing technique 40->166 168 Injects a PE file into a foreign processes 40->168 122 5 other IPs or domains 42->122 53 WerFault.exe 42->53         started        116 artislife.top 44->116 124 7 other IPs or domains 44->124 118 212.193.30.115, 49732, 49735, 49759 SPD-NETTR Russian Federation 48->118 126 11 other IPs or domains 48->126 170 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 48->170 55 mshta.exe 48->55         started        57 Mon0360fe2e8b9975052.exe 48->57         started        60 WerFault.exe 48->60         started        62 explorer.exe 48->62 injected file16 signatures17 process18 dnsIp19 100 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 50->100 dropped 102 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 50->102 dropped 104 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 50->104 dropped 64 Mon03d03855b9f79.exe 50->64         started        68 cmd.exe 55->68         started        140 t.gogamec.com 75.2.18.233, 443, 49737, 49794 AMAZON-02US United States 57->140 70 conhost.exe 57->70         started        142 forwardstorage.biz 60->142 file20 process21 file22 86 C:\Users\user\...\Mon03d03855b9f79.tmp, PE32 64->86 dropped 146 Obfuscated command line found 64->146 72 Mon03d03855b9f79.tmp 64->72         started        88 C:\Users\user\AppData\Local\Temp\7BjXD.exe, PE32 68->88 dropped 76 conhost.exe 68->76         started        signatures23 process24 dnsIp25 138 ppgggb.com 45.130.41.9, 49769, 80 BEGET-ASRU Russian Federation 72->138 106 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 72->106 dropped 108 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 72->108 dropped 110 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 72->110 dropped file26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c4448ece87d915a3be7c71f4f6c99828849ae0aae5f26a3eb46ca5bd7dc7171/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 21:33:07 UTC
File Type:
PE (Exe)
Extracted files:
122
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hrcer3hipwivuo7hy4pu63ezqkeetlqkvzpsni7li3ffxv64ofyq._file
Verdict:
malicious
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:fabookie family:nullmixer family:onlylogger family:privateloader family:redline family:smokeloader family:socelars botnet:1 botnet:media0121 botnet:nam6.9 botnet:newjust botnet:premiumcloud#41 aspackv2 backdoor discovery dropper evasion infostealer loader main spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/221004-zgewsacdh8/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
OnlyLogger payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
Modifies Windows Defender Real-time Protection settings
NullMixer
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Malware Config
C2 Extraction:
http://marianu.xyz/
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
91.121.67.60:23325
135.181.129.119:4805
103.89.90.61:34589
151.80.89.227:45878
79.110.62.196:35726
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3c188881-b621-48ce-ae3e-b966f2af031e
Unpacked files
SH256 hash:
3871610cad7e4063f4b1f85bbe3f860ba2222dd723b6fae101f43f7fc9c2aa49
MD5 hash:
37062dc2bcbab2fc132b4c22487ea0df
SHA1 hash:
af4950f0ea360817de60b14e9bbc2793a170f554
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
ce7e030f2bb5f0f236c130f48b2c98db580b26c86aac00b0d568b39c5e0fd3a8
MD5 hash:
47e29ee3fb7e8d10c2703e1992c55330
SHA1 hash:
9ffa449c95eee01a4cc96010f6f7992e3f3f572b
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
d2705a05866e60b14de0693a8bc7bb55094ee4babd9e8ef8605cb81eae2cd394
MD5 hash:
048a56b35b7dee9bd300c2f179386d72
SHA1 hash:
eb2100c1908db804f0c2cf7f39c240f68a363c70
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
0facb900882113d8f4a43a31b7ec80d6ff0daba53ac29ac58b889fadbace7f56
MD5 hash:
bd8892208ca1e7bb2ee66abfa9c2fff3
SHA1 hash:
e4aed5f1095a84a051109c33bec620ed5dd74cfd
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
82b60a8c25db65bae520e73b7a67d2a6ca1f0fe6926439d0d7f1c0d52aa2f7d4
MD5 hash:
a758705ffd480485776c573bbe7091ca
SHA1 hash:
ae62bd009da6c2bf8e91f06a9a01890f74828d07
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
9aede3e9c6d8bb27fb683c3be696cd6c5777731cb217627676cd5d497da45296
MD5 hash:
d2d04034f6804f1e23311ac6e4aecad5
SHA1 hash:
ae401931fb3e58de334433a316941b4e03431a9f
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
bb1f3e965a5a0adfde543a21f700a3f268108b71900625b0ef075e22a92f0bdf
MD5 hash:
45183023cbd4b995b110b654d6948487
SHA1 hash:
8fa7ba4605e90db86a1cd727f80d1febde9ca2f4
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
e300499ceea3809ce2a3ba4234c34b0a12d7a00df870ef06c968cfad58cf4dc6
MD5 hash:
dd47a14d05d687422a1519b58b53571f
SHA1 hash:
7e55f5d6b9366bf7e22ac96e6e230a183460de4c
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
047db45ede3e1ffdefcfc71829f8837bb9695620e557638b1182bd52f3ef107b
MD5 hash:
8e844020731fd4c3c9f3b15b8d3ef908
SHA1 hash:
581cbc10d7752f2c5a03a43e8e8aa6383e9e76f5
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
eee3051d737af11e5ba9496d6b7b2d158ad8e82bebf4dd0b2256d27f827565cc
MD5 hash:
3521be6f924ff7a3b8986bd4684c22e7
SHA1 hash:
551378f0cf312be0d3bcaa49bd7be6918dd0a9ff
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
87d520f8747676e367a3023d5248f916c4d3401840ca17ee021e2f30fd340848
MD5 hash:
7c771d2809c0517473f5f4eeb757d755
SHA1 hash:
43c0673fdafe60248b1e724bfde6b4148a02ef96
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
9a41a83912eddfdaa89a64ce6fa37c07a49668df2f303fd32e3562805bc56fe4
MD5 hash:
05302b4adf793985536cbc3852a270db
SHA1 hash:
37408b1f732870f81c594ecc5dab32be5b228938
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
0269d538631942b852139f62d2b342db5a0b9b318e1ac72f90c2dfef272e54f5
MD5 hash:
c2515e0f732a78954a3172dc4bc0d25f
SHA1 hash:
31b72541e5f983a9bb5b8bc1e0f380bf0e8364b4
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
177edae6042395b7b47c16d72d02b4daa29e2b70b7f834ecd0c8856d725c0ab0
MD5 hash:
43ef20c59d79258d90b3cd07f7bafdd0
SHA1 hash:
46ce494a299d29607358482ab4da47a716aedc52
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
83c6e5f937becb928c5a2e5bf475db8cc243d9ca4233a69dd70864f3a1faef11
MD5 hash:
12033e8b1b4b23ffb5897779f87ad37d
SHA1 hash:
dff3acd501a0fc4ab51c50e0a90e735c596fc2a0
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
4887918b59cd66475a12a9c512ec570e6f900c23ef69ff7513e2b5cd63fd2ef2
MD5 hash:
4d3446a7e14d3250e1030b67e202c8dd
SHA1 hash:
cd8fdfdfed34fcd05700293658bfcf8528e68802
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
Parent samples :
fc45728dcdf75985369c218c0386d8b5e3e49fcbce67bf41c02ba31c01300b0a
3f95733711b8f39ff7bc3458ff49ef57cd4411f3a813d648654e76c1ae7e8ea2
c3133fa0480d9bf0beff04059da58bbeae895196edba830ed00cae3c20391d10
SH256 hash:
b3876b198f3af16304669f0e9fc7ec8e5580c974d5fec1dd4d48c06cdc303275
MD5 hash:
bc7cc7df3af7687e4a1ace42e3ef6126
SHA1 hash:
7a82906aa1eae679d826a06db8a57fa84d5e4eef
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
77d6950d48f2481ceedcd98371505ed9c32fdcda6e4d54c65dccc851aaab9a15
MD5 hash:
609a3792e315d326e61345a386be3e5a
SHA1 hash:
b4d1ff31adc3f7116971c1952b07a48260ac16ba
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
ffed05df2a340376534d675c2ec91ae41243196341ef766ec9572280dc209bf7
MD5 hash:
0dc111ba7853f9ed3af08bb8eea2368b
SHA1 hash:
df08ab6b0ee725a576fe7fb0ba2dedc876d8ba69
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
7adbc5e3f81c487a733709fed3e00400756ddcdad1129dccd2ff625a27bcc941
MD5 hash:
46b58e8a63988ffa130d37296076cc0c
SHA1 hash:
219c827ca108e62bfa77190eab63375da4704873
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
88fd3e1e652d560006391a4b0d54642f92763aa91965f48079bf4223af2c70b5
MD5 hash:
4df6249a2004dd9542a4ce509f81b5f6
SHA1 hash:
e765306905efa97951cabd334a01aff1ca666474
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
SH256 hash:
3c4448ece87d915a3be7c71f4f6c99828849ae0aae5f26a3eb46ca5bd7dc7171
MD5 hash:
56334939ffc01e787bbbd4d1f112eda2
SHA1 hash:
ee20e014dd07a926f50e80fda2e8e9d657afce04
Link:
https://www.unpac.me/results/cbb7d869-157e-4525-b46b-61f8ce19d1cc/
Malware family:
RedLine.C
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c4448ece87d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c4448ece87d915a3be7c71f4f6c99828849ae0aae5f26a3eb46ca5bd7dc7171

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316640/

Comments