MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Backdoor.TeamViewer
Vendor detections: 16

SHA256 hash: 70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
SHA3-384 hash: 271f2c58b30471f581fc942c2a3e5b44d5adf5ed77d4d6e6a6485eacffb51e693994f6ca12ea63bd8f4b7b6507a458ec
SHA1 hash: 37adc7f63e2c38b2ad803c49d2782be701da9b56
MD5 hash: 3141032e3b1e4f3ee0d0a1fe68ccc6e8
humanhash: nevada-bravo-kentucky-beer
File name: file
Signature: Backdoor.TeamViewer
File size: 16'458'752 bytes
First seen: 2023-10-06 12:05:48 UTC
Last seen: 2023-10-08 18:46:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'449 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 393216:g8EDE090yXtcYODN8EDE090yXtcYODCef/GyF3ibKL4BCXtU/PS:gjg09jtcYyjg09jtcYyxFSbi4StU6
Threatray: 99 similar samples on MalwareBazaar
TLSH: T139F6006068F4CED29AA11D445AF47E939A7173212E5CF28EC6B35B9C0E11B604DA733F
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: Backdoor.TeamViewer exe


andretavare5
Sample downloaded from http://45.9.74.80/zinda.exe

Intelligence

File Origin
Number of uploads: 50
Number of downloads: 306
Origin country: US

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: https://sunbabsco.com/wp-download/server/zip.7z
Verdict: Malicious activity
Analysis date: 2023-10-06 17:35:54 UTC
Tags: privateloader evasion opendir loader gcleaner risepro stealer redline ransomware stop hijackloader tofsee botnet stealc vidar trojan arkei miner raccoon recordbreaker amadey raccoonclipper teamspy remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Sending an HTTP GET request
Creating a service
Launching a process
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Gathering data
Result
Verdict: MALICIOUS

Result
Threat name: Glupteba, RedLine, SmokeLoader, Xmrig
Detection: malicious
Classification: troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: rendered graph image not reproduced; the details recoverable from it follow.
Behavior Graph ID: 1320873
Sample: file.exe
Start date: 06/10/2023
Architecture: WINDOWS
Score: 100
Processes in the graph: file.exe, svchost.exe, powershell.exe, toolspub2.exe, kos1.exe, latestX.exe, WerFault.exe, conhost.exe, set16.exe, kos.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, explorer.exe (injected into by toolspub2.exe), is-IAEVL.tmp, cmd.exe, schtasks.exe, previewer.exe, net.exe, net1.exe, sc.exe, plus several other processes not itemized in the graph
Files dropped in the graph:
  C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 (by file.exe)
  C:\Users\user\AppData\Local\...\latestX.exe, PE32+ (by file.exe)
  C:\Users\user\AppData\Local\Temp\kos1.exe, PE32 (by file.exe)
  C:\Users\user\AppData\Local\Temp\set16.exe, PE32 (by kos1.exe)
  C:\Users\user\AppData\Local\Temp\kos.exe, PE32 (by kos1.exe)
  C:\Program Files\Google\Chrome\updater.exe, PE32+ (by latestX.exe)
  C:\Windows\System32\drivers\etc\hosts, ASCII (by latestX.exe)
  C:\Users\user\AppData\Local\...\is-IAEVL.tmp, PE32 (by set16.exe)
  C:\Users\user\AppData\Roaming\gtievtw, PE32 (by explorer.exe)
  C:\Users\user\AppData\Local\Temp\7D21.exe, PE32 (by explorer.exe)
  C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ (by is-IAEVL.tmp)
  C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 (by is-IAEVL.tmp)
  C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 (by is-IAEVL.tmp)
  C:\ProgramData\...\ContentDVSvc.exe, PE32 (by previewer.exe)
  plus other dropped files not itemized in the graph
Network destinations in the graph:
  host-host-file8.com 194.169.175.127, 49690, 49691, 49693 CLOUDCOMPUTINGDE Germany (explorer.exe)
  host-file-host6.com
  colisumy.com 123.213.233.131, 49692, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of (explorer.exe)
  iplogger.com 148.251.234.93, 443, 49683 HETZNER-ASDE Germany (kos.exe)
  datasheet.fun 104.21.89.251, 49713, 80 CLOUDFLARENETUS United States (previewer.exe)
  emptdbu.ua 185.141.63.172, 49716, 49719, 49720 BELCLOUDBG Bulgaria (previewer.exe)
  91.92.111.133, 1074, 49763, 49805 BELCLOUDBG Cyprus (previewer.exe)
  plus other IPs or domains not itemized in the graph
Threat name: ByteCode-MSIL.Trojan.Privateloader
Status: Malicious
First seen: 2023-10-06 09:49:28 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 29 of 37 (78.38%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:glupteba family:smokeloader family:xmrig botnet:up3 backdoor discovery dropper evasion loader miner persistence rootkit trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
http://host-file-host6.com/
http://host-host-file8.com/
Unpacked files

SHA256 hash: 86be1957ae3967782a3bf08a9b4965bb42b08aa36604d59c8148c0d2ac17c561
MD5 hash: cad3606bbbc3e5c557a91f7ecdcef763
SHA1 hash: 1f32187a21e8323018f37b07909ec01928e8b2bc

SHA256 hash: e206de78f87b7d3f73242e179261d0bd7a91524bc2ef6cb043789c4b8e8b3e69
MD5 hash: 139a0ba2600e97aae458a2db1324fc08
SHA1 hash: afbeaa6d4008abb99596e19747deb92d8a22a45f
Detections: Glupteba
Parent samples:

SHA256 hash: 22481bcab3bd1258b5d588dca71452d8a4efab00dd7ee2e38a8bacc4a5c80821
MD5 hash: a875a11578c7fbdfbe69734c0f409e6b
SHA1 hash: 092ad5bea3e5f49fd3ec4561f62b3e529733ccbb
Detections: SmokeLoaderStage2 win_smokeloader_a2
Parent samples:

SHA256 hash: 63f1eed07bb87c69e2a90057f8229774cc44b35c7ce5b4e0c878ad7f5f5e8047
MD5 hash: b9d95180df80b181c8d8829006490eec
SHA1 hash: 93134b0b3961257f776bf65730b5c63444dcc560

SHA256 hash: 0990c73e4389e3b912fff43e2ed3363e9f9af367741fc285b3aa5168b5646c74
MD5 hash: 39baa178f1fc5ec2111eb95008ee6e38
SHA1 hash: 8a36b6d95d6453e9eed8df12eaed71580384f2a3

SHA256 hash: 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
MD5 hash: 85b698363e74ba3c08fc16297ddc284e
SHA1 hash: 171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256 hash: cac16d7bf5cf6f6c91c8b49668b05b3eaab0083643a3b80611eeaf31f035ff5c
MD5 hash: 8067eec6952d98f163de3b6aaea05810
SHA1 hash: 2d5618b26daf3ece78aa67c9aa2f45d334fa7a5f

SHA256 hash: 83e729bf430cb49bd717764bfca56031ea9ecf07474353dc4bf258cfa838aed4
MD5 hash: 0541122760ff404c384111a20a56cf44
SHA1 hash: f64ee22b2c4515b8fb7c0d0ced25c65b6157c1d6

SHA256 hash: d13787d68ce9c896eed653497edf624d06348608b86033971fe2537e53cb350a
MD5 hash: 19b34566d72dee6cf393b805de5f2446
SHA1 hash: eeb5203e6103d3e619d64e7b33a5b00d08fab7c2

SHA256 hash: 70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
MD5 hash: 3141032e3b1e4f3ee0d0a1fe68ccc6e8
SHA1 hash: 37adc7f63e2c38b2ad803c49d2782be701da9b56

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang Botnet sample for linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: dsc
Author: Aaron DeVera
Description: Discord domains

Rule name: Glupteba

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: golang_binary_string
Description: Golang strings present

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
Author: ditekSHen
Description: Detects executables containing artifacts associated with disabling Windows Defender

Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables containing a Discord URL observed in first stage droppers

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist

Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MALWARE_Win_DLInjector04
Author: ditekSHen
Description: Detects downloader / injector

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: msil_rc4

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shortloader
Author: Nikos 'n0t' Totosis
Description: ShortLoader Payload

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: UroburosVirtualBoxDriver

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by