MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7af33e5528ab8a8f45ee7b8c4dd24b4014feaa6e1d310458fdc53f95ea9f8a04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 7af33e5528ab8a8f45ee7b8c4dd24b4014feaa6e1d310458fdc53f95ea9f8a04
SHA3-384 hash: e8a62dc4cdc2f91b5722df8ccc85c3a82a49c510161f852ecb29be357763f442a3d94099fb6b5c5e4a40759017f73430
SHA1 hash: 2b3fd709aa60c1b436c4a2b4c90bf4bd93fee2de
MD5 hash: beeae0294566a823cc4b40d6a006b374
humanhash: indigo-six-hot-jersey
File name: 7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe
Signature: RedLineStealer
File size: 4'289'735 bytes
First seen: 2021-11-30 21:46:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xC3f/VR9BFRmo5DdNX00Lx33rOwvdfZBazR4Nypgv7nzNv:xOxxXtPx37OwvdfZkROypgvlv
Threatray: 928 similar samples on MalwareBazaar
TLSH: T1BF1633107CF180F9C24143B0A9ADBBBA68F6C79A5E31189B33A4960A577F125D23D3B5
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://postbackstat.biz/stats/save.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://postbackstat.biz/stats/save.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/256403/

Intelligence


File Origin
# of uploads: 1
# of downloads: 213
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe
Verdict: No threats detected
Analysis date: 2021-11-30 21:48:35 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult mokes overlay packed zusy
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Cookie Stealer RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph: (Behavior Graph ID: 531546; Sample: 7AF33E5528AB8A8F45EE7B8C4DD...; Startdate: 30/11/2021; Architecture: WINDOWS; Score: 100. The interactive process/network graph is not reproduced here.)
Threat name: Win32.Trojan.Antiloadr
Status: Malicious
First seen: 2021-10-23 05:06:59 UTC
File Type: PE (Exe)
Extracted files: 113
AV detection: 35 of 45 (77.78%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar aspackv2 backdoor infostealer spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
Malware Config
C2 Extraction:
Unpacked files
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments