MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer

Vendor detections: 12



SHA256 hash: 5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa
SHA3-384 hash: 1555e300d0fe741adcef803b49de27dcc10ad092a6fd9ca84f86716981dbcabff479aec94785d1ec7bd53761c77c1d02
SHA1 hash: 9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05
MD5 hash: 26f28bf2dc2b6afc0dd99cb6ea3879b8
humanhash: hydrogen-oklahoma-crazy-tango
File name: setup_x86_x64_install.exe
Signature: RedLineStealer
File size: 3'531'768 bytes
First seen: 2021-10-11 21:04:04 UTC
Last seen: 2021-10-11 21:09:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:Egt2s56svyN2jXEBd7L5wr25IUoEI2csF5eLH+wCkBEy882Ffa72hNLr7xup20ns:JuGy4QCqam5eLbCmEy8HFfacLY1ash4
Threatray: 626 similar samples on MalwareBazaar
TLSH: T1F7F533E66A5F65FBE2D997700C068274EA78EB303836193F4F5C562A3CEB316E441D81
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 261
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: RedLine SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files with a suspicious file extension
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: [graph rendered as image; text residue not reproduced] Behavior Graph ID: 500338, Sample: setup_x86_x64_install.exe, Startdate: 11/10/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Cryprar
Status: Malicious
First seen: 2021-10-11 21:05:06 UTC
AV detection: 26 of 45 (57.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:vidar botnet:921 botnet:933 botnet:937 botnet:ani botnet:media12 botnet:she aspackv2 backdoor evasion infostealer persistence spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks.
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time.
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer.
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer.
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021).
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments