MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
SHA3-384 hash: d40171ed4ebe0228a32b84bcbfb57cbe062d28dd68453f6ea6d0f5426325825a3b20af3665f78225a547bf2ab850f696
SHA1 hash: 64257c787846db476c4cd71464af58fae87b26a9
MD5 hash: 23b40478a61a00df0473d1f56cc4ff62
humanhash: romeo-high-green-failed
File name:55F22AA33B837E543E8A58408ED843E41515292DEAD43.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'608'666 bytes
First seen:2022-11-04 10:30:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBIPkZVi7iKiF8cUvFyPZGf5S8wK82iXCgEwJ84vLRaBtIl9mTcNFpaEjoLQKo5:x6ri7ixZUvFyPZu4IiXC3CvLUBsKcNFZ
TLSH T189C53352BFB784F7E6012430D8143BF9A1B9D399273005D33B60EF4B0F699E5912A6AD
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://79.137.197.212/

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
55F22AA33B837E543E8A58408ED843E41515292DEAD43.exe
Verdict:
Malicious activity
Analysis date:
2022-11-04 10:32:32 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/3bffd717-14db-4761-bf4d-a56ab6e6a10d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fabookie Infostealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/328427/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Moving a file to the %temp% subdirectory
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Creating a file
Sending an HTTP GET request
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6364e9e8775605b3a4f392a1/reports/177b5625-7bb7-4acc-9674-b1372dd12d97/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/29cb9e43-7d3c-4481-9832-902b1d843aed
Result
Threat name:
Amadey, Fabookie, Nitol, RedLine, SmokeL
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1105321
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Nitol
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 737982 Sample: 55F22AA33B837E543E8A58408ED... Startdate: 04/11/2022 Architecture: WINDOWS Score: 100 135 google.vrthcobj.com 2->135 137 www.facebook.com 2->137 139 12 other IPs or domains 2->139 193 Snort IDS alert for network traffic 2->193 195 Multi AV Scanner detection for domain / URL 2->195 197 Malicious sample detected (through community Yara rule) 2->197 201 21 other signatures 2->201 12 55F22AA33B837E543E8A58408ED843E41515292DEAD43.exe 15 2->12         started        16 rundll32.exe 2->16         started        signatures3 199 System process connects to network (likely due to code injection or exploit) 135->199 process4 file5 101 C:\Users\user\AppData\Local\...\sonia_7.txt, PE32+ 12->101 dropped 103 C:\Users\user\AppData\Local\...\sonia_6.txt, PE32 12->103 dropped 105 C:\Users\user\AppData\Local\...\sonia_5.txt, PE32 12->105 dropped 107 10 other files (9 malicious) 12->107 dropped 217 Writes a notice file (html or txt) to demand a ransom 12->217 18 setup_install.exe 1 12->18         started        23 rundll32.exe 16->23         started        signatures6 process7 dnsIp8 141 127.0.0.1 unknown unknown 18->141 143 sokiran.xyz 18->143 145 google.vrthcobj.com 18->145 93 C:\Users\user\AppData\...\sonia_7.exe (copy), PE32+ 18->93 dropped 95 C:\Users\user\AppData\...\sonia_6.exe (copy), PE32 18->95 dropped 97 C:\Users\user\AppData\...\sonia_5.exe (copy), PE32 18->97 dropped 99 4 other malicious files 18->99 dropped 203 Antivirus detection for dropped file 18->203 205 Multi AV Scanner detection for dropped file 18->205 207 Performs DNS queries to domains with low reputation 18->207 209 Machine Learning detection for dropped file 18->209 25 cmd.exe 1 18->25         started        27 cmd.exe 1 18->27         started        29 cmd.exe 1 18->29         started        38 7 other processes 18->38 211 Writes to foreign memory regions 23->211 213 Allocates memory in foreign processes 23->213 215 Creates a thread in another existing process (thread injection) 23->215 31 svchost.exe 23->31 injected 34 svchost.exe 23->34 injected 36 svchost.exe 23->36 injected 41 2 other processes 23->41 file9 signatures10 process11 dnsIp12 43 sonia_6.exe 25->43         started        48 sonia_2.exe 1 27->48         started        50 sonia_5.exe 29->50         started        239 System process connects to network (likely due to code injection or exploit) 31->239 241 Sets debug register (to hijack the execution of another thread) 31->241 243 Modifies the context of a thread in another process (thread injection) 31->243 52 svchost.exe 31->52         started        147 192.168.2.1 unknown unknown 38->147 54 sonia_1.exe 2 38->54         started        56 sonia_3.exe 12 38->56         started        58 sonia_7.exe 38->58         started        60 sonia_4.exe 14 2 38->60         started        signatures13 process14 dnsIp15 155 22 other IPs or domains 43->155 109 C:\Users\...\zvjj4qExuyLwUljXLqbJlb75.exe, PE32 43->109 dropped 111 C:\Users\...\xXdvEcLRWspxCCTF0YnbzjQi.exe, PE32 43->111 dropped 113 C:\Users\...\t3VHxmPio9PzIBIML8wRp2Ae.exe, PE32 43->113 dropped 117 18 other malicious files 43->117 dropped 219 Drops PE files to the document folder of the user 43->219 221 May check the online IP address of the machine 43->221 223 Disable Windows Defender real time protection (registry) 43->223 62 UZp3vU6GD92P0eq2rcoCcRTt.exe 43->62         started        67 WGC4ZK1TyyUvg8NXeSlu6LqT.exe 43->67         started        69 fMgMQW1IDVocLt7nAtv5sMqm.exe 43->69         started        81 8 other processes 43->81 115 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 48->115 dropped 225 DLL reload attack detected 48->225 227 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 48->227 229 Renames NTDLL to bypass HIPS 48->229 237 2 other signatures 48->237 71 explorer.exe 48->71 injected 157 3 other IPs or domains 50->157 231 Performs DNS queries to domains with low reputation 50->231 149 google.vrthcobj.com 52->149 159 2 other IPs or domains 52->159 233 Query firmware table information (likely to detect VMs) 52->233 235 Creates processes via WMI 54->235 73 sonia_1.exe 54->73         started        75 Conhost.exe 54->75         started        151 sslamlssa1.tumblr.com 74.114.154.22, 443, 49705 AUTOMATTICUS Canada 56->151 77 WerFault.exe 56->77         started        153 s.lletlee.com 58->153 79 WerFault.exe 58->79         started        161 2 other IPs or domains 60->161 file16 signatures17 process18 dnsIp19 163 t.me 149.154.167.99 TELEGRAMRU United Kingdom 62->163 165 95.217.245.254 HETZNER-ASDE Germany 62->165 119 C:\ProgramData\sqlite3.dll, PE32 62->119 dropped 173 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 62->173 175 Tries to harvest and steal browser information (history, passwords, etc) 62->175 177 Tries to steal Crypto Currency Wallets 62->177 179 Writes to foreign memory regions 67->179 181 Allocates memory in foreign processes 67->181 183 Injects a PE file into a foreign processes 67->183 83 conhost.exe 67->83         started        85 conhost.exe 69->85         started        121 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 73->121 dropped 123 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 73->123 dropped 125 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 73->125 dropped 87 conhost.exe 73->87         started        167 star-mini.c10r.facebook.com 185.60.216.35 FACEBOOKUS Ireland 81->167 169 aaa.apiaaaeg.com 45.66.159.18 ENZUINC-US Russian Federation 81->169 171 2 other IPs or domains 81->171 127 C:\Users\user\AppData\Local\...\is-N4PJC.tmp, PE32 81->127 dropped 129 C:\Users\user\AppData\Local\...\rovwer.exe, PE32 81->129 dropped 131 C:\Users\user\AppData\Local\...\B6peJmEU.r6, PE32 81->131 dropped 133 2 other malicious files 81->133 dropped 185 Detected unpacking (changes PE section rights) 81->185 187 Detected unpacking (overwrites its own PE header) 81->187 189 Uses schtasks.exe or at.exe to add and modify task schedules 81->189 191 3 other signatures 81->191 89 schtasks.exe 81->89         started        file20 signatures21 process22 process23 91 conhost.exe 89->91         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11/
Threat name:
Win32.Downloader.ShortLoader
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 03:44:04 UTC
File Type:
PE (Exe)
Extracted files:
136
AV detection:
22 of 26 (84.62%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kxzcviz3qn7fipuklbai5wcd4qkrkkjn5lkdwv5svzblonodj4iq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:nullmixer family:privateloader family:smokeloader family:vidar botnet:933 aspackv2 backdoor dropper evasion loader stealer trojan
Link:
https://tria.ge/reports/221104-mkc55secf7/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Detects Smokeloader packer
Modifies Windows Defender Real-time Protection settings
NullMixer
PrivateLoader
Process spawned unexpected child process
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://sokiran.xyz/
https://sslamlssa1.tumblr.com/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52e0eb5c-a65e-4551-a96a-2a63500fd5ef
Unpacked files
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
c7b04fbcec4fb07d04eb36f20866ac6d95709281a96db8ea2b8266ae40361818
MD5 hash:
911a3105c863639fb5310046dd547221
SHA1 hash:
da492d8c31a760318513da006c8f4f8b766ae724
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
2a90c166dfdd8c515ae4138a0c8b30b4011ace0b83c229ce291e3b592edd2802
MD5 hash:
61cf41057c09bd7b801e18ac34bb2862
SHA1 hash:
c9a3ad6be1e2f85a9afc4c918e141b771512224a
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
ef83a2c9f244da974619a0acd227cbe73541970196f8a1b48955d7f434c53568
MD5 hash:
f29a39b4b679a526b5bc9e66ae65be19
SHA1 hash:
a52ee9a8722ec74091c5c2c559703f7c677530d6
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67
MD5 hash:
55bf2bbdd87ec3ac709c6a247f4a28b4
SHA1 hash:
6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
Parent samples :
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
SH256 hash:
0d500513511aca1ee591f7915c067fe9fd1a3759fa83ee9b6adf7cba98d1d011
MD5 hash:
d77e6d309bfdb7bfce9522ba9532bff3
SHA1 hash:
7ec3894cf4656328343901c2d5e208bdf524890e
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
MD5 hash:
6765fe4e4be8c4daf3763706a58f42d0
SHA1 hash:
cebb504bfc3097a95d40016f01123b275c97d58c
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
c9299dda70cf1f902c56a507d79e4a34d9e8ad6d1a5b436bf15dd451d30a2bf4
MD5 hash:
5025f51f20fdf72746354072363b4a55
SHA1 hash:
997d932032d2400b32db7bd4edb432942073f3ea
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
038cac723655d95edd5708f7904b60d199a3c8234e502007973760ac2d664bdd
MD5 hash:
c281e19bd02faa84354fd0403ee04c2f
SHA1 hash:
941545ac22ec58778535c33ebc0ee817aa20d733
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
MD5 hash:
ec149486075982428b9d394c1a5375fd
SHA1 hash:
63c94ed4abc8aff9001293045bc4d8ce549a47b8
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_auto
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
Parent samples :
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
3cc783b19a6e41f88b20602723b62a482e65ff53b6155d22c31552f2d5504a50
MD5 hash:
581c5fea78aae454679ac3e50c3c8feb
SHA1 hash:
97ca239d5bcefaac53f0742921ab02f9a5effe95
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
SH256 hash:
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
MD5 hash:
23b40478a61a00df0473d1f56cc4ff62
SHA1 hash:
64257c787846db476c4cd71464af58fae87b26a9
Link:
https://www.unpac.me/results/901adb6e-40f6-4917-98d9-0808e60aa6e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Vidar_114258d5
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Vidar_9007feb2
Create hunting rule
Author:Elastic Security
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/328427/

Comments