MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47a55e678c1c05d11445beebb73e5822625663c107214e874ca75a87694164dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47a55e678c1c05d11445beebb73e5822625663c107214e874ca75a87694164dc
SHA3-384 hash: 78f8e9fec9f2c04948ef1b3a3f0dc6cb5ec77fdbac3d74f4d00761f7926ceb19e84895b08de641f4783b00f414481ac4
SHA1 hash: 81940f1b2acacee299690e584425def665ed3253
MD5 hash: 30c824ba3f1422a9ab19c83a853b92ee
humanhash: november-winter-lima-oranges
File name:47A55E678C1C05D11445BEEBB73E5822625663C107214.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'631'612 bytes
First seen:2021-09-16 17:51:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBRPkZVi7iKiF8cUvFyPVxf3zC/tehR+L1ugU4/bpEwJ84vLRaBtIl9mTzY+0md:xdri7ixZUvFyPV59R+Lr/bGCvLUBsKz5
Threatray 548 similar samples on MalwareBazaar
TLSH T1E7C533513FD680FFDB52123459083FBA94FEC398072409DB3BA09B4F5B39C54D2269AA
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
185.195.79.212:5656

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.195.79.212:5656 https://threatfox.abuse.ch/ioc/222597/

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47A55E678C1C05D11445BEEBB73E5822625663C107214.exe
Verdict:
No threats detected
Analysis date:
2021-09-16 17:51:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4207a834-42b1-446c-9f38-7006af9ecd54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188494/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Packed.SmokeLoader-9880484-1
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/617524f6a9d585e6d537126c/reports/4ec89c38-7f08-45ab-b611-db51fc5722c2/overview
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b337d80-9f19-4c1e-a73b-7efd539ffcf1
Result
Threat name:
Backstage Stealer RedLine SmokeLoader So
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852303
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 484732 Sample: 47A55E678C1C05D11445BEEBB73... Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 109 google.vrthcobj.com 2->109 141 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->141 143 Antivirus detection for URL or domain 2->143 145 Antivirus detection for dropped file 2->145 147 14 other signatures 2->147 11 47A55E678C1C05D11445BEEBB73E5822625663C107214.exe 15 2->11         started        signatures3 process4 file5 63 C:\Users\user\AppData\...\setup_install.exe, PE32 11->63 dropped 65 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 11->65 dropped 67 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 11->67 dropped 69 10 other files (none is malicious) 11->69 dropped 14 setup_install.exe 1 11->14         started        process6 dnsIp7 133 motiwa.xyz 104.21.12.59, 49745, 80 CLOUDFLARENETUS United States 14->133 135 127.0.0.1 unknown unknown 14->135 101 C:\Users\user\...\arnatic_7.exe (copy), PE32+ 14->101 dropped 103 C:\Users\user\...\arnatic_6.exe (copy), PE32 14->103 dropped 105 C:\Users\user\...\arnatic_5.exe (copy), PE32 14->105 dropped 107 4 other files (3 malicious) 14->107 dropped 137 Detected unpacking (changes PE section rights) 14->137 139 Performs DNS queries to domains with low reputation 14->139 19 cmd.exe 1 14->19         started        21 cmd.exe 1 14->21         started        23 cmd.exe 14->23         started        25 5 other processes 14->25 file8 signatures9 process10 process11 27 arnatic_5.exe 4 75 19->27         started        32 arnatic_2.exe 1 21->32         started        34 arnatic_7.exe 23->34         started        36 arnatic_6.exe 25->36         started        38 arnatic_1.exe 2 25->38         started        40 arnatic_4.exe 14 2 25->40         started        42 arnatic_3.exe 12 25->42         started        dnsIp12 119 17 other IPs or domains 27->119 71 C:\Users\...\zx9FKn3ozkra0djge2EiRqtQ.exe, PE32+ 27->71 dropped 73 C:\Users\...\yj8Z0_PWBPlk03uf7GBJ7c_B.exe, PE32 27->73 dropped 75 C:\Users\...\tTgH4qNRa1zqyURnUXFgY1d5.exe, PE32 27->75 dropped 87 57 other files (50 malicious) 27->87 dropped 149 Drops PE files to the document folder of the user 27->149 151 May check the online IP address of the machine 27->151 153 Disable Windows Defender real time protection (registry) 27->153 77 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 32->77 dropped 155 DLL reload attack detected 32->155 157 Detected unpacking (changes PE section rights) 32->157 159 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 32->159 167 4 other signatures 32->167 44 explorer.exe 32->44 injected 121 5 other IPs or domains 34->121 79 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 34->79 dropped 81 C:\Users\user\Pictures\background.png, DOS 34->81 dropped 83 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 34->83 dropped 85 C:\Users\user\AppData\...\aaa_v003[1].dll, DOS 34->85 dropped 49 11111.exe 34->49         started        51 11111.exe 34->51         started        53 22222.exe 34->53         started        59 2 other processes 34->59 111 music-s.xyz 36->111 113 iplogger.org 36->113 115 iplogger.org 88.99.66.31, 443, 49753, 49754 HETZNER-ASDE Germany 36->115 161 Performs DNS queries to domains with low reputation 36->161 163 Creates processes via WMI 38->163 55 arnatic_1.exe 38->55         started        123 2 other IPs or domains 40->123 165 Detected unpacking (overwrites its own PE header) 40->165 117 sslamlssa1.tumblr.com 74.114.154.22, 443, 49750 AUTOMATTICUS Canada 42->117 57 WerFault.exe 42->57         started        file13 signatures14 process15 dnsIp16 125 103.169.90.205 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 44->125 127 186.212.153.51 TELEFONICABRASILSABR Brazil 44->127 131 4 other IPs or domains 44->131 89 C:\Users\user\AppData\Roaming\dthatde, PE32 44->89 dropped 91 C:\Users\user\AppData\Local\TempFF0.exe, PE32 44->91 dropped 93 C:\Users\user\AppData\Local\Temp\496B.exe, PE32 44->93 dropped 169 System process connects to network (likely due to code injection or exploit) 44->169 171 Benign windows process drops PE files 44->171 173 Hides that the sample has been downloaded from the Internet (zone.identifier) 44->173 175 Tries to harvest and steal browser information (history, passwords, etc) 49->175 95 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 55->95 dropped 97 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 55->97 dropped 99 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 55->99 dropped 61 conhost.exe 55->61         started        129 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 57->129 file17 signatures18 process19
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47a55e678c1c05d11445beebb73e5822625663c107214e874ca75a87694164dc/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 23:17:42 UTC
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i6sv4z4mdqc5cfcfx3v3opsyejrfmy6ba4qu5b2mu5nio2kbmtoa._file
Verdict:
malicious
Similar samples:
079e8468f9e6f11a839e931ab04d45036acb2574aa37a4f749d6db98a61509cc
RaccoonStealer
1a263b2603212ff1e492d9e0c718f12601789e27eaaba9a7a7048b4080c08bcb
RaccoonStealer
2aafe51ed875d14265117e71337eaf72d2d22f8055ad43356062efbde0eb6f4a
RaccoonStealer
2cb7b724ba108cfab0f07348997e32c7c531084ffd2c9326e6ba51ad8f4ed656
RaccoonStealer
52b7284b1615a30f3e8e6049f2d3501efe88334fb837c10dc5e86881ae55a5b7
RaccoonStealer
5d0215d15cc28fd783808e7fe1103cff029e1a1caa1370057c6e5cf9c00d1b2a
RaccoonStealer
6430e35390b94f25e609d8dc2edadd8f6b0b30bec768ce894c67028de438ab13
RaccoonStealer
76089e8324bd822d80061ba57f1c5b0a473e9e5f80e05953d0e6de9e77b501e4
RaccoonStealer
+ 538 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:16.09 botnet:933 botnet:a16e26e8e3bbf05aad922e6691134b0795801b32 botnet:dawn214 botnet:sewpalpadin aspackv2 backdoor discovery evasion infostealer ransomware stealer themida trojan
Link:
https://tria.ge/reports/210916-wfqp4sdhc5/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Modifies file permissions
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://sslamlssa1.tumblr.com/
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
185.215.113.29:18087
45.144.225.92:45269
193.188.21.209:41939
Unpacked files
SH256 hash:
c7b04fbcec4fb07d04eb36f20866ac6d95709281a96db8ea2b8266ae40361818
MD5 hash:
911a3105c863639fb5310046dd547221
SHA1 hash:
da492d8c31a760318513da006c8f4f8b766ae724
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
2a90c166dfdd8c515ae4138a0c8b30b4011ace0b83c229ce291e3b592edd2802
MD5 hash:
61cf41057c09bd7b801e18ac34bb2862
SHA1 hash:
c9a3ad6be1e2f85a9afc4c918e141b771512224a
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
ef83a2c9f244da974619a0acd227cbe73541970196f8a1b48955d7f434c53568
MD5 hash:
f29a39b4b679a526b5bc9e66ae65be19
SHA1 hash:
a52ee9a8722ec74091c5c2c559703f7c677530d6
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
6ace541e53b337773108bd7bd3c84fbb02d2da5a4b94d3e382d7773f6767a5fe
MD5 hash:
68e679e430a8a3bf2a66356e998562fd
SHA1 hash:
42d729a6149b96fd8aee0fc93d5ba063166bf10c
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
3c33e130ffc0a583909982f29c38bffb518ae0fd0ef7397855906beef3cd993d
MD5 hash:
4a1a271c67b98c9cfc4c6efa7411b1dd
SHA1 hash:
e2325cb6f55d5fea29ce0d31cad487f2b4e6f891
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
a0a30765d8de60813e2afee8d8045c6ef32ebdd81edd20e9b4d16cd7e470d24f
MD5 hash:
1c6c5449a374e1d3acecbf374dfcbb03
SHA1 hash:
3af9b2a06e52c6eaa666b3b28df942097f16b078
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
b683f2a5aaff97195699fd1062df696d61228f12a61781aca3dcd0edb79b3654
MD5 hash:
01c5b4765c7a409dce09a17bdfb9fe9d
SHA1 hash:
315b4dd49ad8b7ae46ff5f7bb0a934d9542fbbfd
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
9717f526bf9c56a5d06ccd0fb71eef0579d26b7100d01665b76d8fdd211b48bd
MD5 hash:
dbc3e1e93fe6f9e1806448cd19e703f7
SHA1 hash:
061119a118197ca93f69045abd657aa3627fc2c5
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
8b127d92412994c313c5783a76689129731f28fb1fe0202ee8569460c22ad65c
MD5 hash:
00bef7b324de7d3597cce2b7a85acd5c
SHA1 hash:
fac52c694320a9beebdfa298fca3821343120e8c
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
SH256 hash:
47a55e678c1c05d11445beebb73e5822625663c107214e874ca75a87694164dc
MD5 hash:
30c824ba3f1422a9ab19c83a853b92ee
SHA1 hash:
81940f1b2acacee299690e584425def665ed3253
Link:
https://www.unpac.me/results/a17e8832-a52b-4475-8d01-13399e127200/
Malware family:
Raccoon v1.7.2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/47a55e678c1c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47a55e678c1c05d11445beebb73e5822625663c107214e874ca75a87694164dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188494/

Comments