MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 37 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3
SHA3-384 hash: 3292c7476a296e9a0c93f251fa604d19555cd91b052d68a4f4bb585f3ab55ddde10f1e78c9e17a97941fb90f52fe509a
SHA1 hash: f8eb247e6befb3189b03b8aab9bb9bec72bc80a8
MD5 hash: a4506dad7f03d4ee8a127d128f0ca712
humanhash: moon-iowa-mountain-december
File name:65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:3'474'871 bytes
First seen:2022-08-16 14:45:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcB3tvx0sDcrJJG7pVcmgbdLWXHZsdtrkZkfqrQsaQHkpemkXbEwJ84vLRaBtIlR:xdscsumgB8ZOrRCR9HSx6wCvLUBsKGEy
TLSH T1B5F533207A9441B7F9840039D92967F3D9FEC38807B415C723E90B6E1FB9E79C4275AA
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
http://95.217.246.94/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://95.217.246.94/ https://threatfox.abuse.ch/ioc/843458/

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe
Verdict:
No threats detected
Analysis date:
2022-08-16 14:48:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a8ea94f9-9cf4-4d12-bd8e-002e90378ccd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299026/
Detection(s):
Win.Malware.Generic-9852703-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Barys-9859550-0
Create hunting rule

Win.Trojan.Jaik-9862229-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.Trojanx-9873669-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Malware.Jaik-9883011-0
Create hunting rule

Win.Malware.Malwarex-9883929-0
Create hunting rule

Win.Malware.Generickdz-9883930-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29119/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
overlay packed shell32.dll socelars wacatac zusy
Link:
https://www.filescan.io/uploads/62fbae267a5eee5048110d73/reports/d13c7d7c-a3e2-4e3b-976d-23aea72c5954/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0561c52c-f7c6-4e6b-a22d-2bb893c3a8ec
Result
Threat name:
PrivateLoader, RedLine, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1052383
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 684899 Sample: 65341B1F7F4018E163E564B5460... Startdate: 16/08/2022 Architecture: WINDOWS Score: 100 108 live.goatgame.live 2->108 110 liezaphare.xyz 2->110 112 4 other IPs or domains 2->112 145 Snort IDS alert for network traffic 2->145 147 Multi AV Scanner detection for domain / URL 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 21 other signatures 2->151 11 65341B1F7F4018E163E564B546012D5BFA41A70C9B992.exe 18 2->11         started        signatures3 process4 file5 66 C:\Users\user\AppData\...\setup_install.exe, PE32 11->66 dropped 68 C:\Users\user\AppData\Local\...\jobiea_9.txt, PE32 11->68 dropped 70 C:\Users\user\AppData\Local\...\jobiea_8.txt, PE32 11->70 dropped 72 13 other files (8 malicious) 11->72 dropped 14 setup_install.exe 1 11->14         started        process6 dnsIp7 139 marisana.xyz 14->139 141 127.0.0.1 unknown unknown 14->141 100 C:\Users\user\AppData\...\jobiea_9.exe (copy), PE32 14->100 dropped 102 C:\Users\user\AppData\...\jobiea_8.exe (copy), PE32 14->102 dropped 104 C:\Users\user\AppData\...\jobiea_7.exe (copy), PE32 14->104 dropped 106 7 other files (6 malicious) 14->106 dropped 143 Performs DNS queries to domains with low reputation 14->143 19 cmd.exe 1 14->19         started        21 cmd.exe 1 14->21         started        23 cmd.exe 1 14->23         started        25 10 other processes 14->25 file8 signatures9 process10 process11 27 jobiea_7.exe 19->27         started        32 jobiea_6.exe 21->32         started        34 jobiea_5.exe 2 23->34         started        36 jobiea_8.exe 25->36         started        38 jobiea_9.exe 25->38         started        40 jobiea_1.exe 2 25->40         started        42 4 other processes 25->42 dnsIp12 114 212.193.30.115, 49763, 49821, 80 SPD-NETTR Russian Federation 27->114 124 10 other IPs or domains 27->124 74 C:\Users\...\ts8itL69BFHcRfUxX3ZKWznf.exe, PE32 27->74 dropped 76 C:\Users\...\qp1k_uDFaLiAcGUuOr2coR8j.exe, PE32 27->76 dropped 78 C:\Users\...\jGVZVAb3cc7ttlz69LR4isFO.exe, PE32 27->78 dropped 86 7 other malicious files 27->86 dropped 155 Drops PE files to the document folder of the user 27->155 157 May check the online IP address of the machine 27->157 159 Tries to harvest and steal browser information (history, passwords, etc) 27->159 161 Disable Windows Defender real time protection (registry) 27->161 116 music-sec.xyz 32->116 118 iplogger.org 148.251.234.83, 443, 49744, 49745 HETZNER-ASDE Germany 32->118 163 Detected unpacking (changes PE section rights) 32->163 165 Performs DNS queries to domains with low reputation 32->165 80 C:\Users\user\AppData\Local\...\jobiea_5.tmp, PE32 34->80 dropped 167 Obfuscated command line found 34->167 44 jobiea_5.tmp 34->44         started        82 C:\Users\user\AppData\Local\...\jobiea_8.tmp, PE32 36->82 dropped 48 jobiea_8.tmp 36->48         started        120 f.youtuuee.com 38->120 122 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 38->122 84 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 38->84 dropped 50 jfiag3g_gg.exe 38->50         started        52 jfiag3g_gg.exe 38->52         started        54 jfiag3g_gg.exe 38->54         started        62 5 other processes 38->62 56 jobiea_1.exe 1 40->56         started        126 3 other IPs or domains 42->126 58 explorer.exe 42->58 injected 60 jobiea_4.exe 42->60         started        file13 signatures14 process15 dnsIp16 128 superstationcity.com 194.163.135.248, 49719, 49720, 80 NEXINTO-DE Germany 44->128 130 most-fast-link-download.com 44->130 88 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 44->88 dropped 90 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 44->90 dropped 92 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 44->92 dropped 132 most-fast-link-download.com 48->132 94 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 48->94 dropped 96 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 48->96 dropped 98 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 48->98 dropped 134 live.goatgame.live 56->134 137 192.168.2.1 unknown unknown 56->137 64 conhost.exe 56->64         started        file17 153 Performs DNS queries to domains with low reputation 134->153 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3/
Threat name:
Win32.Downloader.ShortLoader
Create hunting rule
Status:
Malicious
First seen:
2021-08-01 14:48:37 UTC
File Type:
PE (Exe)
Extracted files:
312
AV detection:
22 of 26 (84.62%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mu2bwh37iamocy7fms2umajnlp5edjymtomsnifuq6a24tr7t3bq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
raccoon
Create hunting rule
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:nymaim family:privateloader family:redline family:vidar botnet:706 botnet:aniold botnet:logsdiller cloud (sup: @mr_golds) botnet:nam6.1 botnet:ruzki agilenet aspackv2 evasion infostealer loader spyware stealer trojan upx
Link:
https://tria.ge/reports/220816-r5ayqsacbr/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Uses the VBS compiler for execution
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
NyMaim
PrivateLoader
RedLine
RedLine payload
Vidar
Malware Config
C2 Extraction:
http://163.123.143.4/proxies.txt
http://107.182.129.251/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
163.123.143.12
https://xeronxikxxx.tumblr.com/
liezaphare.xyz:80
208.67.104.9
212.192.241.16
193.233.193.14:8163
103.89.90.61:34589
109.107.180.76:37989
Unpacked files
SH256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
edd2a0334bfcf63a8c9b9d3a148fd6ad7f76a757ea56589b0670cb72d7dce6ff
MD5 hash:
ad6992e6f028f1f9cd8714ad4cf5313e
SHA1 hash:
f837082d106727a30ff849ed3838da6cfdd4b29c
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
ff5b7e9a2d5af436c13951d0746015237e3b12f4d4dc845a92b4e430c098e224
MD5 hash:
8ecc287212bb08f80f80c4ec1a7c6c4c
SHA1 hash:
59d08bda2e494600ed25fd608582b25261ec13b0
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
Parent samples :
7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574
65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
7140765cd0d5f61bb453f0511e24786e21d950c2cb3b30aa2945ba1846a4e0a5
280c314b18ddf2481c1173c653acf508262e0ad3dbf2dfa8b64f48d75bd10765
dad9e695e9f592e48326dd349556f81987c115ad152bf3433f12d969135d943a
dc812fa1ae68dfa017cfde268e2ae523019308b102bce0acb1656c08b34dc818
SH256 hash:
a19adea0a2b66cfcb23eebd1d1ff9d854eccd4dc65536a45665c149da4ff6265
MD5 hash:
117c7ff5dd9efc0b059f64520f2d4f46
SHA1 hash:
ff07b1fcc58aa62b42d797981e0d953d9f9e0120
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
7115e8209d9ba71862f3d61c8322a81c3253d099463935622b9884a9a3f65cae
MD5 hash:
42ca70f6f86ac8ae060a709dd6cd477d
SHA1 hash:
ee404bbe56d258e112801f5bc9f257f0b2583ca1
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
8d183c1ce0b2240386e0bc2d9da1f27de356a9d2e56122f36b3c96b9a0113ce2
MD5 hash:
020cc93b4f38fe2ad849ef7be56b5178
SHA1 hash:
ddf5194235eb22fb0ca6b5fcf3730f532de765b0
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
7d7d5ae0fa9286fea65a6f94240389998ff0d08340a2aedc67ef3547e84d64c6
MD5 hash:
270dd1da0ab7f38cdff6fab84562ec7a
SHA1 hash:
cf7be169ee4415085baeb4aeaa60932ac5abf4ac
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
f182c0c6dc8944151e340b3cab01c6d0f97740379aff73d6657e8adec651551a
MD5 hash:
32f26aa4b7563812f3a1a68caad270b1
SHA1 hash:
91a45d1d4246a4c574e1238751ffacc68acc5fa7
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
924d8775b97a45353b0de182884b267b3d5d49a84d59e621fd80a2552c96b165
MD5 hash:
ec8229f2b1bab19d53795680321f08bb
SHA1 hash:
6a011ab0baa765fd0c05bcd41b063d0644bdb010
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
MD5 hash:
3263859df4866bf393d46f06f331a08f
SHA1 hash:
5b4665de13c9727a502f4d11afb800b075929d6c
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
ed6f65d65ba22fbaa3e526bd28c8f847bf12c545fdd543f092d55d0741f84e85
MD5 hash:
19c2278bad4ce05a5efa4b458efdfa8b
SHA1 hash:
521d668d24f05c1a393887da1348255909037ce2
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
2c519ae6533e21813275fc3b186d492bcd9c6c8cb3667aafaf18958dcb383a4f
MD5 hash:
fff7e7efe1deaf03d1129a0d0dba96ae
SHA1 hash:
40024b78547041b5fd4070a6882651e4930a2ed1
Detections:
win_privateloader_a0
Create hunting rule
win_privateloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
da72fa2ad767e22db3d55506846b5d4db7932cd7287391c483faa80c5e86bcce
MD5 hash:
eb73f48eaf544bf7e035a58f95f73394
SHA1 hash:
251f0d09f14452538ecfa0924a4618c3c16887e3
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
b83c5b16de4d1700deff7e3d66d8d50d0f86968688802041c7015414749238f6
MD5 hash:
a788afa0205efafc74f8e22c355d9bd5
SHA1 hash:
18ded4df69023aa30864fd1935ea43cb51e6e247
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
SH256 hash:
65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3
MD5 hash:
a4506dad7f03d4ee8a127d128f0ca712
SHA1 hash:
f8eb247e6befb3189b03b8aab9bb9bec72bc80a8
Link:
https://www.unpac.me/results/d6d76a84-5d3d-40e5-a0ad-f409dd3f974d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/65341b1f7f40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65341b1f7f4018e163e564b546012d5bfa41a70c9b9926a0b48781ae4e3f9ec3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:crime_ZZ_botnet_aicm
Create hunting rule
Author:imp0rtp3
Description:DDoS Golang Botnet sample for linux called 'aicm'
Reference:https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RaccoonV2
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.
Reference:https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/
Rule name:Redline32
Create hunting rule
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:UroburosVirtualBoxDriver
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_recordbreaker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.recordbreaker.
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/299026/

Comments