MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dd6efa0fd92ed74a70003b923b702bc16fa3c1374b737b4ede50d752a0cc58c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.FileTour


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dd6efa0fd92ed74a70003b923b702bc16fa3c1374b737b4ede50d752a0cc58c
SHA3-384 hash: 4c61a90cab511f1cd13302634ca61bef78efdc280ef80f8ac4d82bda465137caac3dc8e60719d4bb053b4ea4370977f9
SHA1 hash: 76acfabdea71c81c7e79fa685b3d71a0299f6fdb
MD5 hash: 25f9b6f64d4c687c6f5c5003a1ce815c
humanhash: alanine-earth-march-carbon
File name:25F9B6F64D4C687C6F5C5003A1CE815C.exe
Download: download sample
Signature Adware.FileTour
Create hunting rule
File size:3'949'828 bytes
First seen:2021-09-01 23:11:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:xgrRBJfNCQkNoUI2EK65vFXNexLmkAhScarmZnv6kyzCYdU/:xgrR/MNNg2EN59QCk2aknSkMCYdU/
Threatray 469 similar samples on MalwareBazaar
TLSH T11D063340BBD58AFFE9820471BA586EF4C0FB470C43BA06C31710E49D5F68ADA757AB21
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:Adware.FileTour exe


Avatar
abuse_ch
Adware.FileTour C2:
http://45.142.215.144/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.142.215.144/ https://threatfox.abuse.ch/ioc/204183/

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25F9B6F64D4C687C6F5C5003A1CE815C.exe
Verdict:
No threats detected
Analysis date:
2021-09-01 23:13:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/320007c7-da76-4c14-a0f6-38330558ad8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184593/
Detection(s):
Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Creating a file
Deleting a recently created file
Running batch commands
Connection attempt
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Launching a process
Creating a window
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %AppData% directory
Creating a process with a hidden window
Sending a UDP request
Delayed reading of the file
Unauthorized injection to a recently created process
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0505d29-04ea-4ee4-b58c-3d24ce064166
Result
Threat name:
SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843686
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to steal Chrome passwords or cookies
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476117 Sample: iwRDZ0zfWO.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 120 google.vrthcobj.com 2->120 152 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->152 154 Antivirus detection for URL or domain 2->154 156 Antivirus detection for dropped file 2->156 158 14 other signatures 2->158 13 iwRDZ0zfWO.exe 8 2->13         started        16 svchost.exe 1 2->16         started        signatures3 process4 file5 94 C:\Users\user\AppData\...\setup_install.exe, PE32 13->94 dropped 96 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 13->96 dropped 98 C:\Users\user\AppData\Local\...\libzip.dll, PE32 13->98 dropped 100 3 other files (none is malicious) 13->100 dropped 18 setup_install.exe 3 13->18         started        process6 file7 84 C:\Users\user\...\83904ea3382de84ea.exe, PE32 18->84 dropped 160 Multi AV Scanner detection for dropped file 18->160 22 cmd.exe 1 18->22         started        25 conhost.exe 18->25         started        signatures8 process9 signatures10 162 Adds a directory exclusion to Windows Defender 22->162 27 83904ea3382de84ea.exe 16 22->27         started        process11 file12 86 C:\Users\user\AppData\...\setup_install.exe, PE32 27->86 dropped 88 C:\Users\user\AppData\...\Sun21dd3b887a3.exe, PE32 27->88 dropped 90 C:\Users\user\AppData\...\Sun21cfc7686a.exe, PE32 27->90 dropped 92 11 other files (6 malicious) 27->92 dropped 30 setup_install.exe 1 27->30         started        process13 dnsIp14 134 127.0.0.1 unknown unknown 30->134 136 watira.xyz 30->136 186 Performs DNS queries to domains with low reputation 30->186 188 Adds a directory exclusion to Windows Defender 30->188 34 cmd.exe 1 30->34         started        36 cmd.exe 30->36         started        38 cmd.exe 1 30->38         started        40 8 other processes 30->40 signatures15 process16 dnsIp17 44 Sun21cfc7686a.exe 34->44         started        47 Sun213b31a7e71d4cf6d.exe 36->47         started        51 Sun21caad43cbccfb.exe 1 38->51         started        122 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 40->122 164 Adds a directory exclusion to Windows Defender 40->164 53 Sun21dd3b887a3.exe 40->53         started        55 Sun218856081dd1.exe 40->55         started        57 Sun21ab69e87d0.exe 40->57         started        59 3 other processes 40->59 signatures18 process19 dnsIp20 166 Detected unpacking (changes PE section rights) 44->166 168 Machine Learning detection for dropped file 44->168 170 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 44->170 184 3 other signatures 44->184 61 explorer.exe 44->61 injected 144 2 other IPs or domains 47->144 70 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 47->70 dropped 172 Antivirus detection for dropped file 47->172 66 LzmwAqmV.exe 47->66         started        146 2 other IPs or domains 51->146 174 May check the online IP address of the machine 51->174 176 Contains functionality to steal Chrome passwords or cookies 51->176 178 Tries to harvest and steal browser information (history, passwords, etc) 51->178 138 37.0.10.237, 49712, 49723, 80 WKD-ASIE Netherlands 53->138 140 37.0.10.214, 49710, 80 WKD-ASIE Netherlands 53->140 142 ipinfo.io 34.117.59.81, 443, 49719 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 53->142 180 Disable Windows Defender real time protection (registry) 53->180 72 C:\Users\user\AppData\...\Sun218856081dd1.tmp, PE32 55->72 dropped 68 Sun218856081dd1.tmp 55->68         started        148 2 other IPs or domains 57->148 74 C:\Users\user\AppData\Roaming\7455746.exe, PE32 57->74 dropped 76 C:\Users\user\AppData\Roaming\5082637.exe, PE32 57->76 dropped 78 C:\Users\user\AppData\Roaming\3634522.exe, PE32 57->78 dropped 80 C:\Users\user\AppData\Roaming\1531392.exe, PE32 57->80 dropped 150 2 other IPs or domains 59->150 82 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 59->82 dropped 182 Creates processes via WMI 59->182 file21 signatures22 process23 dnsIp24 124 193.142.59.117 HOSTSLICK-GERMANYNL Netherlands 61->124 126 187.156.151.25 UninetSAdeCVMX Mexico 61->126 128 210.92.250.133 LGDACOMLGDACOMCorporationKR Korea Republic of 61->128 102 C:\Users\user\AppData\Roaming\fjjcwhh, PE32 61->102 dropped 104 C:\Users\user\AppData\Local\Temp\9DAB.exe, PE32 61->104 dropped 106 C:\Users\user\AppData\Local\Temp\2ACC.exe, PE32 61->106 dropped 190 System process connects to network (likely due to code injection or exploit) 61->190 192 Benign windows process drops PE files 61->192 194 Hides that the sample has been downloaded from the Internet (zone.identifier) 61->194 108 C:\Users\user\AppData\Local\Temp\3002.exe, PE32 66->108 dropped 110 C:\Users\user\AppData\Local\Temp\2.exe, PE32 66->110 dropped 112 C:\Users\user\AppData\Local\...\setup_2.exe, PE32 66->112 dropped 116 5 other files (none is malicious) 66->116 dropped 130 the-flash-man.com 68->130 132 best-link-app.com 68->132 114 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 68->114 dropped 118 2 other files (none is malicious) 68->118 dropped file25 signatures26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dd6efa0fd92ed74a70003b923b702bc16fa3c1374b737b4ede50d752a0cc58c/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 23:12:07 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxlo7ih5slwxjjyaao4shnycxqlpupatos3tpnhn4ugxkkqmywga._file
Verdict:
unknown
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
Adware.FileTour
0a823cbd6a32a10c927253fa40466c8a3177e487ee7895a8a2e244a9b4c415fc
Adware.FileTour
12f7ffd93e0af380b2fe64c1477afcf876ae1449dcc197d71da381873bfbb439
Adware.FileTour
16bf40060a0544cf49bda85272b976265fb56248c6068d7d95296937af664ecc
Adware.FileTour
3d7ba99d7b360819146cd6223b2d668e8b1a661023f5b36932860bc84271eecd
Adware.FileTour
423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110
Adware.FileTour
45c04168fe1e27939f2e08c178279d8c1aca5eba4ed8f6a717eb70b966cc5617
Adware.FileTour
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
Adware.FileTour
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
Adware.FileTour
bbb1867666dcd3898495a36ebec4d9a00c5c4c519eab587f530f5f5c6d80cb32
Adware.FileTour
+ 459 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar aspackv2 stealer suricata
Link:
https://tria.ge/reports/210901-l5zv1p6fjj/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Tnega Activity (GET)
Unpacked files
SH256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
16fe676f338597ae7eb18cb0b514a5112e1647350b8415ab1a5acc2e49bcfb51
MD5 hash:
81f4be10fd5f6c757d7b4a0edba497c2
SHA1 hash:
d9cf8601bb46ce25660b5b0be7e42f1c3b3d9eae
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
1b9d29f4887cb5ec2f7980f3b51fccf0eb699bf81361b31342e9a895cc362c8d
MD5 hash:
abea1f518f0b3957a1755eae02698ca3
SHA1 hash:
b3130e09832595c47cfb06a883388fabdd5bc488
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
98e7f9b7d0bef132b5871d098f628ac8b8a2bb20a51100267826d522b31a6a90
MD5 hash:
c10dbbcfe59adf575309c00f4144a195
SHA1 hash:
b1773fe090a4b86f38ef14a7fae4fddd867da673
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
adaebc4e58571c1f9ed4d7f2dd69045c4e7f1b7781dee2e97d5090e4ba7630e4
MD5 hash:
bc972d6cf21476d7396095f1452e359a
SHA1 hash:
97286c9348dcd80e99b686b1bfaf00b32e2ef28d
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
3e9fbd899c570ef27f7af37a63aae9b2d1b3a5e6717e571b9e8ed6efcf63778b
MD5 hash:
56d5c8e1d4431050061e2d1b8a9a22b0
SHA1 hash:
3d071f57add429765045b7aa61715086ac061ddd
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
a1a1f636b65bd84247c87965980f3adc0fa1316506a56bb6ea1042de0c9526c6
MD5 hash:
638e8b3e6640a0885cd8a1fe8ff70065
SHA1 hash:
56e819d5ff1b424f1c8d39d82d699f5567bcfac9
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
Parent samples :
7755e890ecb6b60a9cbed072a609fbe099968b1fbda51f1d1f940bbc581c9f70
fc2e04d392ab5e508fdf6c90ce456bfd0af6def1f10a2074f82df8f58079d5e4
f29a3cecd0efa7f1f0c45c8572048c942090dcebdd968b9fcf4cce4380c01824
ddeebc8cccc58e25ce1709b0e9a519b2bd46472e928606bc4b0eee2553303203
22275b7c5a57111aca919f6bbfae171e5e99f5ef777d1043802deb672f5136a0
d1f610af3c46fff6c857be0136c696604eb8e7466b4a7e40f6b459cfa8339422
8f9cdf75c272fda7df367232756ea065600077804b16506ee5a4203571328217
0a7d966e66cbd260c909de1d79038c86a071f2f10a810f5890a150b67c4fd954
1b4c7144874551beb52bc3e864822c0b803d0967531addf9612f61898cf2394d
090f1369dc856e37b73969d22799341b1d328a235470ee608d3e32dd34df7022
4879803b6326f27bb8b68448fe7394b2358c2eeb25ec2c4c6a176313d003c29a
7227c5067dc82a381a3c7485a21c64b702f7e987a46d1349f95e269399e862eb
54bcd3308c140c8ec030f98697cc7f0e9d4585d54334a2eb77c58879510d5c8c
47e9b75457446a3b3c86622dd282065b0f88603e2c009670c1f7eaf00183a407
ada6977abf5caa24a75f0db17220267f6b05f11ed949757e8fc8beab3c720fc1
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
93ac84d519edb6350cf53736449330985fe1cb52eff043857daf6cca916d6fa3
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
12fac3cdabdf537965538db54ef0559446f377d52f83c518a58712d58976f5d8
MD5 hash:
441c249a916407e491fbea1703abdb1f
SHA1 hash:
d929357696511bde2b5171e932e90ed1599b90d7
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
c12ca8a9c29faccf92d8f579aa1dde3f4cd0e51e88ba36e510aa2bdff30d364f
MD5 hash:
c0583e01fa34ca6f068c3e83126f32d4
SHA1 hash:
84511598ca96e1be00c1dbfa36b35abbbf262941
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
ae4de7b6267dd7bae603fe613c10b1795fb10a99fe379b63c099fc73eb670368
MD5 hash:
96e92314ac6541d52570f16da7e806c9
SHA1 hash:
23cae3aa8e98995fa55bf6b16c33e789ffb8cf1a
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
d81cd22fefb78ed8a23711ea3d025401ebeeeb264cb3272a43c5733bf82ae9ed
MD5 hash:
e900313e2818228b4e6b4799b4beda0c
SHA1 hash:
5c57a4ee30379d21d4cce9cce457b38706a3b803
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
ed4ff3218dcae9973b78151045ca979148db9ec637359d443d08d22a9dabe067
MD5 hash:
be4ea18042588b35d81993edb1105a71
SHA1 hash:
8a303319bef823bcea092965b8af8cc0de7ad354
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
SH256 hash:
6dd6efa0fd92ed74a70003b923b702bc16fa3c1374b737b4ede50d752a0cc58c
MD5 hash:
25f9b6f64d4c687c6f5c5003a1ce815c
SHA1 hash:
76acfabdea71c81c7e79fa685b3d71a0299f6fdb
Link:
https://www.unpac.me/results/49957025-3faa-4b0a-9beb-bb2716e6627e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6dd6efa0fd92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dd6efa0fd92ed74a70003b923b702bc16fa3c1374b737b4ede50d752a0cc58c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184593/

Comments