MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 17


Intelligence 17 IOCs YARA 43 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057
SHA3-384 hash: e2959224093bb2f788e2c3bbb98602490d07a79765e91a4fbfa781b099175813af922a1d46a5e1512e50d293f24fcca4
SHA1 hash: 928084a70bffb6eb474658dcf062d74f5ca84f68
MD5 hash: 0518d9c6db9a614769bf43fbff180167
humanhash: sixteen-sixteen-quebec-robert
File name:latestrocki.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:6'787'584 bytes
First seen:2024-01-20 06:11:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 196608:21qELhrUIpNiSF4B3ri+e7UDV2BnIuaR:shRpNPcrrDVgnIH
TLSH T16466F146F4E963E153280D7785B3F8D98ECF370B3FA24B789487533105658BACE2A658
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adm1n_usa32
Tags:exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe
Verdict:
Malicious activity
Analysis date:
2024-01-20 18:49:29 UTC
Tags:
amadey botnet stealer redline loader stealc fabookie risepro evasion
Link:
https://app.any.run/tasks/0e4f437e-80e5-4802-8e8b-27e99e1193b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471820/
Detection(s):
Win.Packed.Msilzilla-10018301-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for the window
Searching for synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
DNS request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Reading critical registry keys
Changing a file
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/65ab64343a0cf312d517b500/reports/afe2c513-f00d-4004-b9aa-c444cc15274b/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2528e678-54be-42ee-8975-2aef94164de7
Result
Threat name:
LummaC, Fabookie, Glupteba, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1377905
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries the IP of a very long domain name
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377905 Sample: latestrocki.exe Startdate: 20/01/2024 Architecture: WINDOWS Score: 100 140 dev-download-file-5d253051-96bd-4ebd-9a2d-fd4a6upstream.pantheonsite.io 2->140 142 trad-einmyus.com 2->142 144 58 other IPs or domains 2->144 220 Snort IDS alert for network traffic 2->220 222 Multi AV Scanner detection for domain / URL 2->222 224 Found malware configuration 2->224 228 21 other signatures 2->228 10 latestrocki.exe 6 2->10         started        13 HostFile.exe 2->13         started        16 rvbsfce 2->16         started        signatures3 226 Queries the IP of a very long domain name 140->226 process4 file5 132 C:\Users\user\AppData\Local\...\toolspub1.exe, PE32 10->132 dropped 134 C:\Users\user\AppData\Local\Temp\rty25.exe, PE32+ 10->134 dropped 136 C:\Users\user\AppData\...\InstallSetup7.exe, PE32 10->136 dropped 138 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 10->138 dropped 18 toolspub1.exe 10->18         started        21 InstallSetup7.exe 1 34 10->21         started        25 31839b57a4f11171d6abc8bbc4451ee4.exe 13 10->25         started        27 rty25.exe 15 10->27         started        240 Multi AV Scanner detection for dropped file 13->240 242 Machine Learning detection for dropped file 13->242 244 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->244 252 2 other signatures 13->252 29 HostFile.exe 13->29         started        246 Detected unpacking (changes PE section rights) 16->246 248 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->248 250 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 16->250 254 3 other signatures 16->254 signatures6 process7 dnsIp8 200 Multi AV Scanner detection for dropped file 18->200 202 Detected unpacking (changes PE section rights) 18->202 204 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->204 218 4 other signatures 18->218 31 explorer.exe 18->31 injected 164 185.172.128.53, 49706, 80 NADYMSS-ASRU Russian Federation 21->164 166 185.172.128.90, 49704, 80 NADYMSS-ASRU Russian Federation 21->166 122 C:\Users\user\AppData\Local\...\nso1859.tmp, PE32 21->122 dropped 124 C:\Users\user\AppData\Local\...\INetC.dll, PE32 21->124 dropped 126 C:\Users\user\AppData\...\BroomSetup.exe, PE32 21->126 dropped 128 C:\Users\user\AppData\...\syncUpd[1].exe, PE32 21->128 dropped 36 nso1859.tmp 21->36         started        38 BroomSetup.exe 2 5 21->38         started        206 Found Tor onion address 25->206 40 31839b57a4f11171d6abc8bbc4451ee4.exe 25->40         started        42 powershell.exe 24 25->42         started        168 i.alie3ksgaa.com 154.92.15.189, 443, 49705, 49708 HKKFGL-AS-APHKKwaifongGroupLimitedHK Seychelles 27->168 130 C:\Users\...\90cf914754583d994022b06accd6e721, SQLite 27->130 dropped 208 Tries to harvest and steal browser information (history, passwords, etc) 27->208 210 Writes to foreign memory regions 29->210 212 Modifies the context of a thread in another process (thread injection) 29->212 214 Sample uses process hollowing technique 29->214 216 Injects a PE file into a foreign processes 29->216 44 InstallUtil.exe 29->44         started        file9 signatures10 process11 dnsIp12 170 109.107.182.3 TELEPORT-TV-ASRU Russian Federation 31->170 172 brusuax.com 175.119.10.231, 49727, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 31->172 176 8 other IPs or domains 31->176 88 C:\Users\user\AppData\Roaming\rvbsfce, PE32 31->88 dropped 90 C:\Users\user\AppData\Local\Temp\D23C.exe, PE32 31->90 dropped 92 C:\Users\user\AppData\Local\Temp\CCB3.exe, PE32 31->92 dropped 100 5 other malicious files 31->100 dropped 178 System process connects to network (likely due to code injection or exploit) 31->178 180 Benign windows process drops PE files 31->180 182 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->182 46 D23C.exe 31->46         started        49 9314.exe 31->49         started        52 CCB3.exe 31->52         started        63 4 other processes 31->63 174 185.172.128.79, 49707, 80 NADYMSS-ASRU Russian Federation 36->174 94 C:\Users\user\AppData\...\softokn3[1].dll, PE32 36->94 dropped 96 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 36->96 dropped 98 C:\Users\user\AppData\...\mozglue[1].dll, PE32 36->98 dropped 102 9 other files (5 malicious) 36->102 dropped 184 Multi AV Scanner detection for dropped file 36->184 186 Detected unpacking (changes PE section rights) 36->186 188 Detected unpacking (overwrites its own PE header) 36->188 198 5 other signatures 36->198 65 2 other processes 36->65 55 cmd.exe 38->55         started        190 Found Tor onion address 40->190 57 powershell.exe 40->57         started        59 conhost.exe 42->59         started        192 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->192 194 Modifies the context of a thread in another process (thread injection) 44->194 196 Injects a PE file into a foreign processes 44->196 61 InstallUtil.exe 44->61         started        file13 signatures14 process15 dnsIp16 256 Multi AV Scanner detection for dropped file 46->256 278 2 other signatures 46->278 67 RegAsm.exe 46->67         started        104 C:\Users\user\qaUTkaQlgUPTzxp.pdf, PE32 49->104 dropped 106 C:\Users\user\eNAAYwHxSsLrxke.pdf, PE32 49->106 dropped 258 Drops PE files to the user root directory 49->258 260 Injects a PE file into a foreign processes 49->260 72 jsc.exe 49->72         started        158 fleetconsciousnessjuiw.site 104.21.95.65 CLOUDFLARENETUS United States 52->158 262 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 52->262 264 Query firmware table information (likely to detect VMs) 52->264 266 Found many strings related to Crypto-Wallets (likely being stolen) 52->266 280 3 other signatures 52->280 268 Uses schtasks.exe or at.exe to add and modify task schedules 55->268 74 conhost.exe 55->74         started        82 2 other processes 55->82 76 conhost.exe 57->76         started        160 80.85.241.193 MEDIAL-ASRU Russian Federation 61->160 108 C:\Users\user\AppData\Local\...\zbugzpr.exe, PE32+ 61->108 dropped 110 C:\Users\user\AppData\Local\...\ygdfemu.exe, PE32 61->110 dropped 162 20.51.223.7 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 63->162 270 Detected unpacking (changes PE section rights) 63->270 272 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 63->272 274 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 63->274 276 Modifies the context of a thread in another process (thread injection) 63->276 78 RegAsm.exe 63->78         started        80 3F1.exe 63->80         started        84 2 other processes 63->84 86 2 other processes 65->86 file17 signatures18 process19 dnsIp20 146 185.215.113.68 WHOLESALECONNECTIONSNL Portugal 67->146 148 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 67->148 150 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 67->150 112 C:\Users\user\...\zdmDCrGBoLrIpcEnI4du.exe, PE32 67->112 dropped 114 C:\Users\user\...\r_wrvUZHahFyULIKAoAN.exe, PE32 67->114 dropped 116 C:\Users\user\...\egEOvBnjXEZI99lYwQ5N.exe, PE32 67->116 dropped 120 10 other files (6 malicious) 67->120 dropped 230 Tries to steal Mail credentials (via file / registry access) 67->230 232 Creates multiple autostart registry keys 67->232 234 Tries to harvest and steal browser information (history, passwords, etc) 67->234 152 185.172.128.33 NADYMSS-ASRU Russian Federation 72->152 236 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 72->236 238 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 72->238 154 45.15.156.60 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 78->154 156 cdn.discordapp.com 162.159.130.233 CLOUDFLARENETUS United States 78->156 118 C:\Users\user\AppData\Local\...\HostFile.exe, PE32+ 80->118 dropped file21 signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057/
Threat name:
ByteCode-MSIL.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-19 21:28:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnu7nzfihggmzo7l54voob4igtj7slkjsjl2lg2psfbl2wyhsblq._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat family:djvu family:fabookie family:glupteba family:smokeloader family:stealc family:vidar family:zgrat botnet:pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/240120-gx7mmadacp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
DcRat
Detect Fabookie payload
Detect Vidar Stealer
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
Fabookie
Glupteba
Glupteba payload
SmokeLoader
Stealc
Vidar
Windows security bypass
ZGRat
Malware Config
C2 Extraction:
http://185.172.128.79
http://app.alie3ksgaa.com/check/safe
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
http://habrafa.com/test1/get.php
Unpacked files
SH256 hash:
e720b7e5cefd9c3f1d20eccb2d3d2b5fe1c98aa8375ac5261d3ff68f1a1828f0
MD5 hash:
67bb7d3277231cc403b6e32801088d38
SHA1 hash:
64fe7e8b4168ce02bd164e24ea02c4b3cd56a671
Detections:
Glupteba
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
Parent samples :
60861a072ffc6b404ae640f7270e6d36afd5f4b0911866598be0800da4c16ab8
0d56a6315fa87dedf33b91c34e70ace7cf2913fc4f30976dc9b34a974d30ca31
3fb42de7bef728db9db776ce892a5893f84b24c433253988d849c514a4008b67
ca3040a40850c986cb8461a90f6b43bcffa783d9cc0446d4641a7c95d47258fa
39eda85740817da8e123ed2c96fbe131356b31a6a98231a522e271cd35748829
997585dddb2b230656f708be5add526f5e9322d4af25d85bb2982b7a280f98a9
c646664de8fc9fee5af83d716642be363f0965fa3d95958b433719bd3e73a778
6a1dbe2bdacdbe77a94de61ffc0001e87adcfb51f85d1a3066e1f1924bb2f496
8559eef75d44d48a5987571139ce0f791879fe3a7a21761a68f5f9dbac1ff216
19ed8a06e27e50c441bb3b3e0c743ea9f0263b43154e323a93e5b78953162e32
9d8ca0ed84c5b3a858c2230000f28d9326ceeefc8a8a603e9af3c6c1bc65ba67
8c5a38887768a98da1ba757c359a2f24b137ef9b78c7b5ba8383d999582d1b2b
a8fcef9a9b81e5db11f0ed6444943f8540d3875cdb8b1c0862abcebcf648e5ea
57e6d08c8b17fb8b5d0774e7faca77c094c565239e0abdbfb7a3592521c97c65
6323df37636b64da89c7033177953281b72a376b7e5375eb09dce46fc087ffd7
5f8189c278f4bdb8bd8be6e198a4a1b1d79e38261f299d1f2c8c7d3d00354ef4
c8790db260cf26290bbafcd3d17d3e33e6bc3e5fa65bbc248a9e03cde96d8f8e
3f79351f496df9b1433f5875b6901f06f2c7a3490038b8a346ea40e0a7801e59
4d51e1dc59c149003604bbd8ddaa425ef767789c19e2d3d3d7db2b4e530f8b4a
7ef4fce93908840ce8083e0a717e82f80720e5fa5d3b7820f3d6ceb9c23bfbbd
debb5be5017de832cef391e9ff463c19a0bb5394b86453b1c28ba75be7d70f04
aaff5874dba82f4723fcfb408da376c7fbdeb6deaa2bf6b8b0581fb6cf6d3ea4
aba120f99b42da4ccf327d0afdadb2bffe624c13f071cf2820d7262439109ee6
3648e16fc4cff692d591d0074ce50481a5a3451153a875ddde85ee82dea63614
0889831e4c97e94979a7cbafe87f3dcd3106f0be34e85487055bd47df1ca0a57
8817cbb6de1446a920401a072df1453459aa95684ffc7da9c05ca759b1836c0c
4abd157267e0e423d698f49a60011c7d0c9fc30e21585ff42f974909e37bde4d
121a9ea644073f820645f34c67bd159aff5a29cec51269cdc07bf4dad0249f30
fae531687cc458d8d7e504b81776514eec3cd9700891a1b873afa3748c84cc78
e340efd16c8fc3ed295ec674e97bed2ec4bc1e2a14a8089537b03da23f0f47ff
6f735da34e90dce7418f49a7d25fa183650fd9fe681804a9ab5f80d3005b1c5d
08cc8cfcabf0fe26de3d9bdfd6e705eb1e70f1b3e9f880f8a50cb1aee051cee0
55bdcc2b5a25a711fb46e9ac4fd88da91c65f799f9faec3273f818b5a65c20fa
bccddbc2947cf297abd7f6d7d8414130b127aae72fb141f3090a4948878d2cc1
464c7ab944886103d617e334c94320344761a543de5395c6b541ae386b448ea0
9172b881a60c8d5a220257ae6c7d3618af3e9cb77d68c13cdb71fb85bbbdb04b
31d7d289f6d86cdbb78a89b8195692d22a5a32ef579de1538e2f1977ca744ae6
937718c8ec3130dbc6e18bcdadf1f29bdfbd1af42306b2e834bcac526800a4f8
4ae4a97418a6ecc4008b02ab78f61b5506fdaf1a4fda2ca0e1bd83c156a58584
a64fdea9f683a415083e8c53d0b460a553c04fad9f812332bf816919c2dd0bcd
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083
369b75f745c94a9a0e13bd830274c1e2f0c3ed324b5cfe0ffd4c268ef3437618
46fefe2bca9ce336ce42a8686787623cb392b6a4e081c745eb6429fda54fd7f7
d81d6c25570cb1bc79991743c1ad941a301fb1166a145227a5bd3596dc21abdd
6a8cae284a0b9b70969fe60d1109727ccd8fbe13da3ff42a9263ff4709569741
a31c8c9f9dea9f56c00828dd8db774166dca4060bdf850cab1b3f2b57834c9b8
cd043858d76fb153f754c0a07ecd2b364efbab05e9d3ec950cb684ce0cccefd8
5589a1f99aceba40978d7ffe314909985e0639c60cabcd893020f10f2f7cadeb
92532133195f37037f6697a032a5188a6a0c881aa5b6d5a85571d4dcf37e3b93
f7d62723cec9b458f677710b3f2a4e935812676b62bd4e2e3ef3f7b29be87420
1aa7193bbb01beafb0c15358d24d0642685bec304bfe65a2938542fa5fc9e46f
8c887835f3b1861776b4d88a9c47dbe945dcadfd881b4ae9909488c022924cf6
94df05071cad9595820a5132137d060b0d2d3cd122e5cad35a014d80a6bde02a
b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15
f5ef6f1272125d6166ac834f0dc7d9b3a180376842d2f77364b8f9d148161fa2
d77a59decea0b458372ccc3ace96fcf3726346ef030fb6dd35e0ba64ba734f0b
7da786b32ec861208fc6a01b94d4eee4867b26dabfe214b66c9009b2f0222050
b549699feb7101de2a3895a291a9034053b5c8b2e3b369cf947ae467e9239ab7
1ca559e6b5928c568fbb4f8de0bcb564f687774cbc1e1963ba9af862497f82eb
3226ce9c6d5c3aceebb20be390bd5442c0c0debcc021b1dca934768d8ce85820
7307d795569537cef259606c48234c9db61ed7786eefe8151e89d369408308a1
6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057
9b4a5cefb0d2e754687744c2790d57f776272810d6137fe763fd80daa22345d4
648166dff73b5133f600a6011138ad19d01667fa7202b3050dfa627f96b89d0a
1cf4a4b0f9432f78cd76b30cf8e6070d2d49b70d42ec4e2192da86d09a0a02fa
a60c272105b2802b30743ba02681632fc5edf538222cc31bce6cdb815df5a097
9587bda655a2dc730e4bdbd7de5ab39bc37de697fe22f449a6b2f851adaedfb8
4b1c72673244af7242bc28bb3f7c874d3682c66e2d5fb13fb6faf5be118042cb
452c2fae1cf93f933ef30e73cd3ae5d8afc14286b0aa58a512c40f3e81e5a922
ccc1b08a35d280181bc0bc35b33a28424528b2fd26bf1cd108d12bbbb028f40c
7d6a7be45399fb81c56803b796547877518fc2a508107863ebfd8712d0788833
24ca31f5b2c38b141f0c22d7f6fdf6cf558c24840cf215fafab0f337afa4bac2
d417dda25c445b4f32254db15bf04622813f79a7a4ac7a278184d7c14383e021
4641ab967c008d73785d344dd5cc99279da5d7271d9fe73a805ea2c218027b1a
92e4602f85cc9714e48613d178b5dc8ec55bd78474c73c69de3678e94f7f0921
036fc2001553cd4b3e6105febc6f6dcef40b5ba169816f4a32b48ae06f9bf930
84d011e18cec6190e2c79b270e9d2d575bfaa63998f50d13d3f9da147f49b799
d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76
55d461b862ed8006d2cbda9fdbf73e6789c9ae62dab94fc8f4bc0e6a0cce11f3
a2e56b293874962f8ccf1fc3d1a6f96b01222f470a6891d7cad95b70bc3e99c4
1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922
0b710fb1aa1e2269d5ecb446a292e81bc2c609122f194907d9d7b30b9b5d78e9
62c49d50a2108096e5372fdda55b6159b6dca98614f4a3338ef1221eea264370
55dfea3ff8cf6fd2c133dc53b415c12b8e5921951776d559b6fbde136924141d
0a5731f9d5584fe693c78b03d7a9dce42272f7e8d90993dba05591f0eda39c2e
231db005bf29ea596c7af4c264c0cca57271bb67d2208dfb8e320a4462767327
04fa155376790acfdf519d9dffa4027af4f0e6702ccc30ef012623f3e950a599
887ee8b0f7c4f46b4bc8f19019625b5bf14f4d404d869ffdb9832c27abc57d38
1803f7596ff7888850cef5139e767e036cc4b05036b162561b85c882bc353b22
67a20859e5bbdc1d14e676411102e429e3bef682b98c0482fbd8f531c1ff417c
68d3f9a99b088216e7825a88db2d5ff0ccc669050abd9574ad101b8a2c536581
99c1c3d791b1224d504c5e4e86aca05acc1cea4f1e3e08d499be8a1df2dcb69e
c6c0b46b99ca7a4e1bc4d7969fc055721c1f3be10b618db6b1427f1e6b8f65be
8ad20c4b4c312feb468a58d1748c0d7abba3dd2d0fb8e6bfbee837c47a0e8c5a
6667e1ab4f79b6ed3869ccfa9cce86551d54cbfa4661a2350eee40e6a7a8faf5
6110c7a02fe334fd3cfda9a7be565b4bd3ce59661fba7b744fec1c5a8d46a229
e1f34d829af2d8a889df3c978822415d95373d057412e4becf48b655e00ff431
1e750e4de75ed0e592725b1e03c2bfdef0e62eaee04cdc4dd139edde2148e551
aa6b00a8870f3ed1ee8b64aa5eaff7cd2e080218ceba9299b1b5279ce388d0b4
c50b307c9a919289e33291fa515f789077c7dd021cea4b2b2a5078993d2b6aab
72a837998880c69dd67cc7a3fadeb410994b521021e31c832c4196c2487a95bd
f96c472e92984d1391d5177f4bc9512116a3c6b59305c908beced9b6f5b8d5bd
b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5
5d60502a5cb4d285aa1292f7d1fd6297e07e310babf6fc52bcdc86ef0c9e06bb
a4ef46bf17c78822d82a317f3cf75c961e1723b5f1724f01254dca1cd24d7b42
3b7272d0f31250926d9fd53b7c46830bc9fa9a2d750380ed92739b7883191798
b29b6f1b6a2d7f6d8b63ac749bdc991892970c7e7643221cf6087d75e4f17c41
e2e37e160be44c58891cf9df768618943349e6a4514d755773449cbd04670dcb
5e1ce6d369344dbf6fd85919665660489c2ba7190b90140d05ff082951b96595
f9cdd30348c05d501c6b1408d1332819954d3300653577308a03ef25eb539309
61b0b285e4e111e959317e8abd5ba9ab82e531ec6358952c64bb8fa20e8e3a94
862ed80d3e0c6b928f47be177a23d2bd733c92373e284692c8044c85bcf24b27
fdfc254cf83ffbfd643d799b843c535b794b3116e2d9d1122513be8bf787a4b3
245baaa35e80f5112045326002260255ea9900f20e7220c7c01b4b03691900d1
7f8662074f283378c7da08b747daf967a050fe2caa1f9f761845475ab2e8a501
e70dcf3f915087251224a7db3850669c000a6da68ef2b55e3e2eda196cb01fc3
0ec9dbde5d3aa5b362ca3f4932b391a8355af8c53706eb22ef8490ec03c0e2af
f349a03a2c8709c06d4434720abb398893b103670b03ee018938b48db0e6eaf2
bfb49b198bec40507f48ae692234f001c7b0daf41c5efd93bbce37c3f9082e60
d929ec2b3bf189ca53df994430a83d3ea2c4a222e882226f586f5522c79aaa2b
8d1f1605046b4f5989903aeb1970cab44da9b1e974e957e2459f0603f628b6f5
52a39ad858c97ff0fd70f58eb0efbd6bd41e27f19872cd585370e5e2583c2a78
1ad9131850474561beb17f304b1264ca9a73fc9a53355a153c43bbdfa920e642
f61ea31ba042cb4b9640ed853b792cf3a5984c56bac9f937fd638bb6e1efbe30
942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6
693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda
ec045ab4c0957a1930d5effe265d30a1624713ea2897b78b7fddb5322d9960f1
e31eca26eebc6c55841ba9012aef2e64af914e13d85be5eed4cfee7d18b7cc44
0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
328af6e2b02c62db3b533a84e0b403d1c99f682bdff7ef0941d711d4d607501d
dd093b7ac1890eb8847181a375c99d4e97a0acf00180017cc4ef279a285bd24c
845b6a3db4889461e89e3dbfdae360f63d506dd8e029dc033ce0745489041ee8
780b1ff0c005269630be0aa4234842367b8d310810ce79a1df6b1c11c2d637ed
5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d
SH256 hash:
5dff847558ac96a1d2f6394aa2efe65440a8b945335b20ccddaeea0a5b1792ba
MD5 hash:
40ea2c256d9186368a97931a1bd13ad9
SHA1 hash:
662fec4182fbc8b871ccb135c00dd2f8b6e8457b
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
Parent samples :
1eeeb5aa7dcd72a9912e8f54c60b07915d4c7fb4180c2e497483357ab9ac8640
d59c4d4d2c2ed517f36a87a29bdb6a9450b3afbfc1b7a07b8af2dca276291d50
531292f4b404a53a700330fa4d622d80b3b72ca2c2f525d7fe0009381fb471c0
233d4d5cdc04c36621a8bc12ea1a5716912ff7576eedfec12bb7aaf03ba57911
c1a94b4836ce341261dafddcdd0b7f2fb0d8974418cfe37bfe4edac452966dcf
6207b75fcdf5bc8bcc175059439eddddb37fe1c2e40b73a680a4374b8a495e9b
6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057
0457b012cd995bb807ddba8cca13f5fca914cc05a4466725028dd184776d7b03
5dee4356ac787ee4f83cfe7268df01b8b6c77ef42cfcd98ed3773745780fcdd2
75bcc7144c36d2931b31364db4d3b3fc44b1ad803790ea1077f228efc715bb6d
1cf4a4b0f9432f78cd76b30cf8e6070d2d49b70d42ec4e2192da86d09a0a02fa
9317179dc2c7aabc5092f39efeb13614de247aed1a11e9c9530ded9eaf75c6c3
b6d7d2ab6d7e66ba154aac8266fd5e0f6667c11d3cc682b241da586a5577581a
d55397282fd5a56d06fae62f5e18237ecd28dc53caeb5e993b66ed81ce6e7881
9587bda655a2dc730e4bdbd7de5ab39bc37de697fe22f449a6b2f851adaedfb8
0f4d1e6a36a2f6fc4e29b9134a49a081b305501bb6394367f2f48a0387b02c68
a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3
84d011e18cec6190e2c79b270e9d2d575bfaa63998f50d13d3f9da147f49b799
9f5447dd37ee7e006c9978bde29ed18d51a29af6fa7cc1fcfc6cfe5f32de6b8b
944e3da5cf2cebf1ae8c127a66def8d245911b3ae51b78120fafecac59499a9c
ea73f95c11dc2dee2df70f6cdf91f2283ed93f02e7d374e1ced51adb1e8aa2c2
d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76
212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c
4a954105df7501e0e0bc0d5100ad6a0c1ed82a000aff31b04f149f488b616ed2
386efae477c0c3eee5b7612441bb66a5d064738059a621ff1c711c1c20023534
ad09e6469ff6f776f4dda5c3bfd3ef3bda8d3e66a0f3656c19a003428ee43db7
a578ab8f490d32d4ec916f02ce6ed22ef4572bf21db481dcce5b1b2ccf228d92
cc153440791a534326d7c57871f9443b533b4cbeb4b693df58ce9b6ef137cc62
453ad5e59a308d52a95de63a0932c1b391494a38febde5c88682b146fe6be6a6
6bb852f4b68e8a72cf0096ced722d59bd3a243e41ab052e9955602f38d0a35e8
2aa5a9c9059070191dcf750e2db3860dfd4803b5d50c8d71edc17fe3c3ef2994
bdbd0ee82dc7acfb5fafe10561dddd6b6b11c1d55f2f96bc6a1c8eb5dce167e1
c6d317e1eb756b3577414068ac20fc445921f4edd86bef21dbab2d89920e4649
9054b3a8ccbd32166bd31d65a1998b83a0d3c8f080ac70db2c50cfee3b9f4ae1
a95bc0eeb6c005214eed09c7a26a9b148bea237838cc3544ea2070076b8e893b
1c438814841e344b1635d6948fd04345ae23657b4bda93750bfd8055245ba09e
f09dbd237c0b7f9024adefec0d677cd2ddf6fa709021bb7c4efabc2a94fc788c
a6bda3b1e990cdc4da5b889f8c4d5a717ac32107a22720e81c9268d0af553e9c
fd38ddb6bff146de06ede73faf49301e258cab9b7d189175fd356928901961ae
30845b56fd4b84afa4212a7c5130b4ee2c07924524c357ea21d4b79ef21fd2f5
101da1fc6c2b5289bca646cabead73af514b63c341e7572a071b26cd649e42e1
8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
50a6f0570275eb30db27eee0f78bcb07a48dcfd2ce9a9399b258114dc23c68a1
6d22ba4779752e3cc313f404b9ed0ef664b5b775f97c310149a2b1aceea302a1
ce46c89555525a74ecc82cd2291e6f93427558887c18923eaca699be08a090de
336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69
cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6
29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee
129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a
6ba1032624069a6bd1ff582c5e83832976fb693dd8814c4ac14e94dbbdf4c00d
f584c0dc428d386f37a2101967aa274b9337db982ff65d44e52ddd201933358c
50c5fa2b2078b52d54657e174f05dcc98bd3e409eeef19baf60b65f041bfe5d2
c0db80c802efadad423ac6db9d62d1b6a67c593a177774524658ec91e8f9910e
23e793eb5359e5934565840665798105435c69d7534e547204f5566486d75bfb
7e58fdd635ef291b98c8c9e6c317fc4f6699dfb8580d95159fdb8f39e9ba9ea6
2feee675a296f24476606968e2669d0efda3c14b2c56e8507bc22efbbb54ce6b
abc5152266564f883ab915f2a1eec762cd98920e5e315974c926632942e31976
20bade08687a1356c343a70a124e7441aa3f2c1824f50b77e552421ee61c3ba3
b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
b0f1d6defb63ca51dce41219e35f97ab8d89ec19c863f5b659fb8b05c1c92248
b1637a25a2959c9a6da241d94d8ddac92f3e542d86dbebdc47c1a06a4f6190a0
6610e3f433a1a54fff1dcb16ca8d08137481d19cd706d1cd73e75030be8ff720
e9839a31cca5038608b57f6e13e75f43aa845a2f892c917a77b3c4f0bcc35c7e
91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a
968ac4fee13725e122fd677c971dfada4e73d77e367be94cbf59af97872afaeb
6fa97a6a4e30020152022b39c091bc92430a79ed38be3f27bf6df140ec9d61fa
a78b39de8c05456e93a88136f9caaee35e9b5149acf072acd3214b28293c7910
261fdc86bd8ccc62299a6f57194d59167a751f3b8b8649f8a252d39ca3a31226
8a2abd6e386df2a7e44e4bfa90a327b92eccdf343341ef7a984b3b2bd796c1fa
7755538e0afd5973ebc9e8766a817b5b562addfdde5fc3950f4bbffba9790ca9
1d5fe89aae579ea253d121deb90c9a61f94ddab13ff51f58f939a57f0edab73e
843ad82984513d049fcbf1258c0a2cf71fd519ad98a272e54ea95d42422a24bb
0d3928bbe9db17a0bd0ce3454c39362b60f26c1613cc8d488f69f81fbf2868c1
71480fc81a1e0eb85d94e08b31fa257204200371c01fbc3cbf7c45a622e66da3
6f480d8bf96773150f0939254a71eb20e447d30580aab7abf171ecb0e0094698
4f367a58544f96f8d0dd19d323acf0db1437d2cd8ef96324a37ea7be20cabf36
f83f1ebe5606b21f5e67bdd4eac29db81ec8de29d3eebf8f4ae7298361ffe5d9
SH256 hash:
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
MD5 hash:
40d7eca32b2f4d29db98715dd45bfac5
SHA1 hash:
124df3f617f562e46095776454e1c0c7bb791cc7
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
SH256 hash:
53ec215e4257273dcfa009526355af4e6c296613296217821be6e829236aeb68
MD5 hash:
66fbfba72310fb436a54d7c9da86c71d
SHA1 hash:
49bfad813f5dae52a89799bdd38bab634129df28
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
SH256 hash:
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
MD5 hash:
09031a062610d77d685c9934318b4170
SHA1 hash:
880f744184e7774f3d14c1bb857e21cc7fe89a6d
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
SH256 hash:
b3191692c5d33bddabdaeacf6c55d57cea8277951a3bf058a807722251fb0f81
MD5 hash:
2dfd92f0f88c5f61bcd23b504ccb9695
SHA1 hash:
9ba7d3272047c4bad6ca7a84caf27a92599b2bb5
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
SH256 hash:
6b82735b51c526df460236f681648a40ecd7d2b9c3a71e7fbf63a98911ce9524
MD5 hash:
1c6bc548ed94695805daafc44a80ba94
SHA1 hash:
8fde60fa88e6416e4e375e65e60bde983f3f809b
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
SH256 hash:
4902f86bade914d7609b8e5901de16c08e8d0c6e133149596f6dac608b433410
MD5 hash:
1b64ca664cdbeac4f739142c97893f02
SHA1 hash:
9d790027ca611a2cbf633f8ea1df761f679ad7f2
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
SH256 hash:
6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057
MD5 hash:
0518d9c6db9a614769bf43fbff180167
SHA1 hash:
928084a70bffb6eb474658dcf062d74f5ca84f68
Detections:
MALWARE_Win_DLInjector04
Create hunting rule
Link:
https://www.unpac.me/results/63b94048-1848-405e-83c7-91cd006dc902/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6369f6e4a839/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:crime_ZZ_botnet_aicm
Create hunting rule
Author:imp0rtp3
Description:DDoS Golang Botnet sample for linux called 'aicm'
Reference:https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifacts associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_rc4
Create hunting rule
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shortloader
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:ShortLoader Payload
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UroburosVirtualBoxDriver
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 6369f6e4a8398cccbbebef2ae7078834d3f92d499257a59b4f9142bd5b079057

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2748988/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/471820/

Comments