MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 20


Intelligence 20 IOCs 2 YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14
SHA3-384 hash: 6dea67c01b612173e357a1660c36317e416c9a8d3325cb1c4c2289084f21be6f441110aff26e045a2043ab6af7fbfc22
SHA1 hash: 337ee2092a62efc052a5bd47ebae21309d6d3b43
MD5 hash: e6d5de0f24c9e8ce95ec860fdf075b29
humanhash: sweet-texas-september-triple
File name:E6D5DE0F24C9E8CE95EC860FDF075B29.exe
Download: download sample
Signature XWorm
Create hunting rule
File size:4'952'576 bytes
First seen:2025-08-01 05:05:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:aXjMyjHltogIY6tKNut9Fm8hywqRpRfuSpFnw4RiXKNdWZk10I:tyrlbIY6tKNuJm87eRfuSp5DdWZa0I
TLSH T1D536330AEBDC0705E14107768EB707831A367FB2EB12C655613A3C0E2EF15E96564BEE
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe xworm


Avatar
abuse_ch
XWorm C2:
http://45.141.233.196/ho4lu3dk/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.141.233.196/ho4lu3dk/index.php https://threatfox.abuse.ch/ioc/1562884/
178.255.148.247:66 https://threatfox.abuse.ch/ioc/1563013/

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
E6D5DE0F24C9E8CE95EC860FDF075B29.exe
Verdict:
Malicious activity
Analysis date:
2025-08-01 05:06:30 UTC
Tags:
amadey loader auto redline stealer auto-reg rdp stealc lumma quasar rat
Link:
https://app.any.run/tasks/f5fd399e-1ebc-4e79-9934-6d44f7edbfe8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18206/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688c4b240b4775fb213469f3
Tags:
autorun emotet autoit xmrig
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Launching a service
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm anti-vm anti-vm CAB crypt explorer fingerprint installer lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/688c4b1f73b8ef6f4af8e60b/reports/2a36067f-556d-4bd2-b592-66351f38a0f3/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f60feef2-09bb-445c-b672-89be910d337f
Result
Threat name:
Amadey, LummaC Stealer, Vidar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1748192
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1748192 Sample: 64OutMie7C.exe Startdate: 01/08/2025 Architecture: WINDOWS Score: 100 138 royaltbn.xyz 2->138 140 woodenso.top 2->140 142 11 other IPs or domains 2->142 158 Suricata IDS alerts for network traffic 2->158 160 Found malware configuration 2->160 162 Malicious sample detected (through community Yara rule) 2->162 166 20 other signatures 2->166 13 64OutMie7C.exe 1 4 2->13         started        16 fSMYR68E.exe 2->16         started        19 svchost.exe 2->19         started        21 5 other processes 2->21 signatures3 164 Performs DNS queries to domains with low reputation 138->164 process4 file5 126 C:\Users\user\AppData\Local\...\2g8113.exe, PE32 13->126 dropped 128 C:\Users\user\AppData\Local\...\1E08s6.exe, PE32 13->128 dropped 23 2g8113.exe 7 13->23         started        27 1E08s6.exe 13->27         started        152 Binary is likely a compiled AutoIt script file 16->152 154 Uses cmd line tools excessively to alter registry or file data 16->154 30 cmd.exe 16->30         started        32 jAk6FVw8.exe 16->32         started        34 cmd.exe 16->34         started        36 cmd.exe 16->36         started        156 Changes security center settings (notifications, updates, antivirus, firewall) 19->156 signatures6 process7 dnsIp8 112 C:\w0HZ6G0\fSMYR68E.exe, PE32 23->112 dropped 114 C:\w0HZ6G0\Mj7TYuJI.exe, PE32 23->114 dropped 116 C:\w0HZ6G0\DNqCKF65.exe, PE32 23->116 dropped 184 Multi AV Scanner detection for dropped file 23->184 38 cmd.exe 1 23->38         started        144 steamcommunity.com 23.54.187.178, 443, 49724 AKAMAI-ASUS United States 27->144 186 Antivirus detection for dropped file 27->186 188 Detected unpacking (changes PE section rights) 27->188 190 Tries to detect sandboxes and other dynamic analysis tools (window names) 27->190 196 4 other signatures 27->196 192 Suspicious powershell command line found 30->192 41 powershell.exe 30->41         started        43 conhost.exe 30->43         started        194 Contains functionality to start a terminal service 32->194 45 conhost.exe 34->45         started        47 Mj7TYuJI.exe 34->47         started        49 conhost.exe 36->49         started        51 schtasks.exe 36->51         started        file9 signatures10 process11 signatures12 174 Suspicious powershell command line found 38->174 176 Uses cmd line tools excessively to alter registry or file data 38->176 178 Bypasses PowerShell execution policy 38->178 182 2 other signatures 38->182 53 fSMYR68E.exe 38->53         started        56 DNqCKF65.exe 15 38->56         started        59 conhost.exe 38->59         started        180 Loading BitLocker PowerShell Module 41->180 process13 file14 168 Multi AV Scanner detection for dropped file 53->168 170 Binary is likely a compiled AutoIt script file 53->170 172 Found API chain indicative of sandbox detection 53->172 61 jAk6FVw8.exe 2 57 53->61         started        66 cmd.exe 53->66         started        68 cmd.exe 1 53->68         started        70 cmd.exe 53->70         started        118 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 56->118 dropped 120 C:\Users\user\AppData\Local\...\cecho.exe, PE32 56->120 dropped 122 C:\Users\user\AppData\Local\...122SudoLG.exe, PE32+ 56->122 dropped 124 2 other malicious files 56->124 dropped 72 cmd.exe 56->72         started        signatures15 process16 dnsIp17 146 94.154.35.25, 49725, 49727, 49730 SELECTELRU Ukraine 61->146 148 45.141.233.196, 49729, 49731, 49734 ASDETUKhttpwwwheficedcomGB Bulgaria 61->148 150 167.160.161.247 ASN-QUADRANET-GLOBALUS United States 61->150 130 C:\Users\user\AppData\Local\...\OTIWCUm.exe, PE32+ 61->130 dropped 132 C:\Users\user\AppData\Local\...\YT1For2.exe, PE32 61->132 dropped 134 C:\Users\user\AppData\Local\...\v9d9d.exe, PE32+ 61->134 dropped 136 22 other malicious files 61->136 dropped 202 Multi AV Scanner detection for dropped file 61->202 204 Contains functionality to start a terminal service 61->204 206 Creates multiple autostart registry keys 61->206 74 a1f1679897.exe 61->74         started        76 powershell.exe 66->76         started        79 conhost.exe 66->79         started        81 Mj7TYuJI.exe 2 68->81         started        84 conhost.exe 68->84         started        90 2 other processes 70->90 208 Suspicious powershell command line found 72->208 210 Uses cmd line tools excessively to alter registry or file data 72->210 86 reg.exe 72->86         started        88 cmd.exe 72->88         started        92 17 other processes 72->92 file18 signatures19 process20 file21 94 cmd.exe 74->94         started        96 Conhost.exe 74->96         started        198 Loading BitLocker PowerShell Module 76->198 110 C:\w0HZ6G0\jAk6FVw8.exe, PE32 81->110 dropped 200 Suspicious powershell command line found 86->200 98 chcp.com 86->98         started        100 conhost.exe 86->100         started        102 nircmd.exe 86->102         started        104 tasklist.exe 88->104         started        106 Conhost.exe 92->106         started        signatures22 process23 process24 108 Conhost.exe 98->108         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/e6d5de0f24c9e8ce95ec860fdf075b29
Detection:
redlinestealer
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14/
Verdict:
Malicious
Threat:
Family.AMADEY
Link:
https://tip.neiki.dev/file/6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-26 03:38:00 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nuvyiswqcfg5h3axgh5ifajs3ryk2bcqate4mqzht5y6o5hbjyka._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:cyber_stealer family:donutloader family:lumma family:vidar family:xmrig family:xworm botnet:c0aea96f5dc5ea23da54dbccbac6de78 botnet:fbf543 collection defense_evasion discovery execution loader miner persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/250801-fq43gsvlv4/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Power Settings
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xmrig family
Xworm
Xworm family
xmrig
Amadey
Amadey family
CyberStealer
Cyber_stealer family
Detect Vidar Stealer
Detect Xworm Payload
Detects CyberStealer
Detects DonutLoader
Disables service(s)
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
https://perpenab.icu/xiut
https://royaltbn.xyz/xaoi
https://columnez.shop/xlak
https://mixp.digital/amnt
https://woodenso.top/xaoi
https://foundrr.bet/zuqy
https://onyxistn.bet/xlkg
https://keulkgl.fun/qpdl
https://nanoceus.run/agkr
https://t.me/sadv1323v13q4as
https://conaqr.click/qokl
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
https://mocadia.com/iuew
http://94.154.35.25
https://t.me/dz25gz
https://steamcommunity.com/profiles/76561199880530249
hexa.dnsframe.com:66
https://paxrobot.digital/webpanel/
Verdict:
Malicious
Tags:
stealer redline Win.Packed.Nanocore-9942160-0
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/b01315d3-4b07-4125-8012-127a8cba0a8a
Unpacked files
SH256 hash:
6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14
MD5 hash:
e6d5de0f24c9e8ce95ec860fdf075b29
SHA1 hash:
337ee2092a62efc052a5bd47ebae21309d6d3b43
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
SH256 hash:
a3211015b1e0b96f84040d510f2956c42495e6839a67022877671e69fe2fd737
MD5 hash:
f2cbeb6f93ee4add80e07cca938c4e90
SHA1 hash:
ab8959bc0d5b9782234c8c48e24dc4c9470cf25b
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
SH256 hash:
341698422d893442ca77f3ab5fa61e710a35bfd525b68f634ae82727a2ef78b9
MD5 hash:
d881c3838a434156c9a466681f769275
SHA1 hash:
95d34ab8f5b6643bcf5333aa2f3d59ae2067d04a
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
SH256 hash:
ebde56c264fe0acfe6987c261091a1a96a8f227bf27f1857bfa85bab58a9b93a
MD5 hash:
8daeed85dc35d026e4b20edffb915888
SHA1 hash:
306b406886c9229201e98dbb40d57bb7fc5e2b77
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
SH256 hash:
7e904715e66065b1bb0b4e339cde347a214786169ccc0db5842bdaf3e4058d4f
MD5 hash:
65e44a7444cf0955b0e184e986696c80
SHA1 hash:
495698ae81fa4a74efe6c5ab837c0c0b0fea1f6f
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
Parent samples :
6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14
d7ab100eec217ae7edde5ad39ec0775e7ebca760ed758c63c412a6253de6a9d5
SH256 hash:
3c7959d26a0e983a65a0f0cb9501567ad6b7149f9052e649649d1f4f8390480a
MD5 hash:
d6a28e90544f88191342edd75cd1732b
SHA1 hash:
25f16dc288f9f819b113f090227c32f36704c6d1
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
SH256 hash:
1df6786cee4565ffcc7b2746111475fa946207ee81b2c097e2a85aec94ff4a76
MD5 hash:
8e4f7ac1c1f96be23a21d6238747dbb4
SHA1 hash:
ab7da7859c505ba7d601730c6aaec5835336cf59
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
SH256 hash:
e972463cc46b2b0c148905e4c17834a6a2e7dd220d795573103d37002c032bae
MD5 hash:
db5b3a4972a7f1d8995fcc4a4a6dfe7c
SHA1 hash:
f3f500a5b4c3de4bad1ca8c2af913d77ca0c93ee
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
SH256 hash:
84650e28d06640c00b558b1a80fac3dbb80e6f94b26bdaeee0eb80f1c58fb0f4
MD5 hash:
b64e019681970678d241fd96e184a73a
SHA1 hash:
f340dd298b3bc6e6c26fab53b2930b3db511c868
Link:
https://www.unpac.me/results/609ba4b1-d6af-4e71-8162-148f78062f63/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d2b844ad011/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d2b844ad0114dd3ec1731fa828132dc70ad045004c9c643279f71e774e14e14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:INDICATOR_SUSPICIOUS_EXE_References_PasswordManagers
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many Password Manager software clients. Observed in infostealers
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_quasar_rat_client
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in Quasar Rat Samples.
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18206/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments