MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52b7284b1615a30f3e8e6049f2d3501efe88334fb837c10dc5e86881ae55a5b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52b7284b1615a30f3e8e6049f2d3501efe88334fb837c10dc5e86881ae55a5b7
SHA3-384 hash: ed8853d2f8a9625359d14d15ea70f707d5511be076b1d99f6af22a90275bd4ac837469488e8dad1a18b0944cb3c81e52
SHA1 hash: c82621792167559c80b2e3ab6bc61ccda77ead41
MD5 hash: 5d6adaa6f556bb8d75e1a6a35cd50f09
humanhash: cold-winner-floor-crazy
File name:52B7284B1615A30F3E8E6049F2D3501EFE88334FB837C.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:2'824'042 bytes
First seen:2021-08-30 00:10:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:EgiZdTzC/FHvK1o3sbmcWBLBKE57H+Pd1L5yVQel4iAr6upOB+QIwN93ss5nsR6B:JM2wwcWBddxePd13e/2sB+mdss5sRa7
Threatray 440 similar samples on MalwareBazaar
TLSH T158D533696781E7E6D5B97D306FA93027F932A81ED3214BD203A09E6564E73F1E80D70C
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe RaccoonStealer


Avatar
abuse_ch
RaccoonStealer C2:
http://5.181.156.252/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.181.156.252/ https://threatfox.abuse.ch/ioc/201911/

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52B7284B1615A30F3E8E6049F2D3501EFE88334FB837C.exe
Verdict:
No threats detected
Analysis date:
2021-08-30 00:12:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/519620ad-30c2-4ae9-bb7c-a39451016bbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183342/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Packed.SmokeLoader-9880484-1
Create hunting rule

Win.Malware.Malwarex-9880489-0
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Win.Packed.SmokeLoader-9880492-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for the window
Moving a recently created file
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a UDP request
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4c26d1e-ae10-4455-841c-baf7521b3b0a
Result
Threat name:
Backstage Stealer RedLine SmokeLoader Vi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841166
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473597 Sample: 52B7284B1615A30F3E8E6049F2D... Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 123 google.vrthcobj.com 2->123 167 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->167 169 Antivirus detection for URL or domain 2->169 171 Multi AV Scanner detection for dropped file 2->171 173 13 other signatures 2->173 12 52B7284B1615A30F3E8E6049F2D3501EFE88334FB837C.exe 10 2->12         started        signatures3 process4 file5 105 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->105 dropped 15 setup_installer.exe 16 12->15         started        process6 file7 107 C:\Users\user\AppData\...\setup_install.exe, PE32 15->107 dropped 109 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 15->109 dropped 111 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 15->111 dropped 113 11 other files (none is malicious) 15->113 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 125 motiwa.xyz 172.67.193.180, 49735, 80 CLOUDFLARENETUS United States 18->125 127 127.0.0.1 unknown unknown 18->127 97 C:\Users\user\...\arnatic_8.exe (copy), PE32 18->97 dropped 99 C:\Users\user\...\arnatic_7.exe (copy), PE32+ 18->99 dropped 101 C:\Users\user\...\arnatic_5.exe (copy), PE32 18->101 dropped 103 5 other files (3 malicious) 18->103 dropped 175 Detected unpacking (changes PE section rights) 18->175 177 Performs DNS queries to domains with low reputation 18->177 23 cmd.exe 1 18->23         started        25 cmd.exe 1 18->25         started        27 cmd.exe 18->27         started        29 6 other processes 18->29 file10 signatures11 process12 process13 31 arnatic_5.exe 4 55 23->31         started        36 arnatic_2.exe 1 25->36         started        38 arnatic_7.exe 27->38         started        40 arnatic_1.exe 2 29->40         started        42 arnatic_8.exe 29->42         started        44 arnatic_3.exe 12 29->44         started        46 2 other processes 29->46 dnsIp14 129 136.144.41.201 WORLDSTREAMNL Netherlands 31->129 131 37.0.10.214 WKD-ASIE Netherlands 31->131 137 11 other IPs or domains 31->137 63 C:\Users\...\yNbwzfNtLlufcTgl7WvBlo1Y.exe, PE32 31->63 dropped 65 C:\Users\...\y1DGY7_lAvnvmjahWeuEr7by.exe, PE32 31->65 dropped 67 C:\Users\...\pdkucmgutHKIeM3oGU9lYHTi.exe, PE32 31->67 dropped 79 36 other files (33 malicious) 31->79 dropped 143 Drops PE files to the document folder of the user 31->143 145 May check the online IP address of the machine 31->145 147 Disable Windows Defender real time protection (registry) 31->147 69 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 36->69 dropped 149 DLL reload attack detected 36->149 151 Detected unpacking (changes PE section rights) 36->151 153 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 36->153 157 4 other signatures 36->157 48 explorer.exe 36->48 injected 139 5 other IPs or domains 38->139 71 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 38->71 dropped 73 C:\Users\user\Pictures\background.png, DOS 38->73 dropped 75 C:\Users\user\AppData\Local\Temp\22222.exe, PE32 38->75 dropped 77 C:\Users\user\AppData\...\aaa_v002[1].dll, DOS 38->77 dropped 53 11111.exe 38->53         started        55 22222.exe 38->55         started        155 Creates processes via WMI 40->155 57 arnatic_1.exe 40->57         started        133 176.111.174.254 WILWAWPL Russian Federation 42->133 135 sslamlssa1.tumblr.com 74.114.154.22, 443, 49739 AUTOMATTICUS Canada 44->135 59 WerFault.exe 44->59         started        141 3 other IPs or domains 46->141 file15 signatures16 process17 dnsIp18 115 193.142.59.152 HOSTSLICK-GERMANYNL Netherlands 48->115 117 222.236.49.124 SKB-ASSKBroadbandCoLtdKR Korea Republic of 48->117 121 2 other IPs or domains 48->121 81 C:\Users\user\AppData\Roaming\gutdvwh, PE32 48->81 dropped 83 C:\Users\user\AppData\Local\Temp\2463.exe, PE32 48->83 dropped 85 C:\Users\user\AppData\Local\Temp44B.exe, PE32 48->85 dropped 87 C:\Users\user\AppData\Local\Temp\9994.exe, PE32 48->87 dropped 159 System process connects to network (likely due to code injection or exploit) 48->159 161 Benign windows process drops PE files 48->161 163 Hides that the sample has been downloaded from the Internet (zone.identifier) 48->163 165 Tries to harvest and steal browser information (history, passwords, etc) 53->165 89 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 57->89 dropped 91 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 57->91 dropped 93 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 57->93 dropped 61 conhost.exe 57->61         started        119 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->119 95 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 59->95 dropped file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52b7284b1615a30f3e8e6049f2d3501efe88334fb837c10dc5e86881ae55a5b7/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 20:08:12 UTC
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kk3sqsywcwrq6puombe7fu2qd37iqm2pxa34cdof5buidlsvuw3q._file
Verdict:
unknown
Similar samples:
208660089575dbef9e473ae2b2556e5492e8739376d39e1f5575ca65d33892f7
RaccoonStealer
2120d92e96ad3e11b8e35cd6cf867e95c31b64d4d4e43c661560b6ab281bd306
RaccoonStealer
2aafe51ed875d14265117e71337eaf72d2d22f8055ad43356062efbde0eb6f4a
RaccoonStealer
4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
RaccoonStealer
5d10fa7657f41f17d508c1dbb3f63b5b2ad6deea2f47e747b118345a56ab6cdc
RaccoonStealer
a80595d5777175cd4da514edb06d38676888daf62608369b816b2f11b6aa9cc2
RaccoonStealer
+ 430 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:smokeloader family:vidar botnet:292.08 botnet:933 botnet:afansdo botnet:cana01 botnet:hello aspackv2 backdoor discovery evasion infostealer stealer themida trojan
Link:
https://tria.ge/reports/210830-e6axzsel6e/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Vidar Stealer
Amadey
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://sslamlssa1.tumblr.com/
176.111.174.254:56328
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
95.181.152.47:15089
80.66.87.33:36976
77.232.38.156:35454
185.215.113.206/k8FppT/index.php
Unpacked files
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
009a646d7947ad7d9050657f133bc8082d0624115ee1bf65b45770603a16d873
MD5 hash:
6d1c9ca9a35c85c5b6e64c765072633b
SHA1 hash:
d4f98c3ad7c02752d0d2c1eea622f67dd86c0e61
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
3c33e130ffc0a583909982f29c38bffb518ae0fd0ef7397855906beef3cd993d
MD5 hash:
4a1a271c67b98c9cfc4c6efa7411b1dd
SHA1 hash:
e2325cb6f55d5fea29ce0d31cad487f2b4e6f891
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
6f224c710a5362f9f7a83c9f4e2333019ebc807927fbd50efbc4407c0e820540
MD5 hash:
3f3b3883dcbde2d0cf4d5a7ac731627f
SHA1 hash:
c362de5f7def6ec5987ee4f9c089f00a3792a5c0
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
0a2301539894fb2e9ffdec484922e6219880a83805bba5df14773739c91db58b
MD5 hash:
e53f2c2ec52a2766c92d21369a0ecaad
SHA1 hash:
6f3b1ca94bcbecbafb7e833e90b10df5eb36df59
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
a0a30765d8de60813e2afee8d8045c6ef32ebdd81edd20e9b4d16cd7e470d24f
MD5 hash:
1c6c5449a374e1d3acecbf374dfcbb03
SHA1 hash:
3af9b2a06e52c6eaa666b3b28df942097f16b078
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
9717f526bf9c56a5d06ccd0fb71eef0579d26b7100d01665b76d8fdd211b48bd
MD5 hash:
dbc3e1e93fe6f9e1806448cd19e703f7
SHA1 hash:
061119a118197ca93f69045abd657aa3627fc2c5
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
5a580d590efe50a4072580e030ff03a2bdc9cb5bb6424c8167e6cdc106662d80
MD5 hash:
9b8888a96bb81b13d824f42811dd73e4
SHA1 hash:
7a15193d26b0e2fb5f1894fee476aeb6987b2d5f
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
65e857b77577451c4894c0e9b8f3acc64906472b9bf980d76cb209b5b17a6e04
MD5 hash:
385b2e02d14579a16a0f73d48d266191
SHA1 hash:
248abbcee3367b48a98002560f521472b78d51e4
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
140687c607a8adee38572a2b5b5b12dcf4c5eecfa5d2428d34f09b627a71e6bd
MD5 hash:
0b1df2ab5308c2e8927f9adeac08c657
SHA1 hash:
10212be3c4b01016525039786e3f28909be1b96a
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
55e9a570f195e846308180eaecae9a6155685f8fdfdc2fd06a04dd2d27a5b3cc
MD5 hash:
e7a51852abb1e460c985402a78cda9a4
SHA1 hash:
8d942e23a478f8618dfa512b27ec02b1f72639bf
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
e2161df79c5e389adf3375e55734a6f84304ed6952b02763d862a7cdd85f16da
MD5 hash:
33fdf544700724a3a5beb401c7c783da
SHA1 hash:
0cc988fa227111ef190d5a7f1e006bb64a58091e
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
SH256 hash:
52b7284b1615a30f3e8e6049f2d3501efe88334fb837c10dc5e86881ae55a5b7
MD5 hash:
5d6adaa6f556bb8d75e1a6a35cd50f09
SHA1 hash:
c82621792167559c80b2e3ab6bc61ccda77ead41
Link:
https://www.unpac.me/results/d3790feb-908a-4d4e-81ec-efbdcab4fa7a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/52b7284b1615/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52b7284b1615a30f3e8e6049f2d3501efe88334fb837c10dc5e86881ae55a5b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183342/

Comments