MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
SHA3-384 hash: 6c739f4306f02636e7d1b58e2ae2e4a96fa3987adfc255a7d07fb51299eb5ee68a0ea331b5dd671f0f6d2cad94633db4
SHA1 hash: 73aa332119858941a5e6ae5beac329c6bd694262
MD5 hash: 00b5165ffceb32d283f1178251688396
humanhash: lion-friend-carbon-lactose
File name:822EE6C4B4BB9A619985E83C04A2DFE1A09152DC0276B.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:6'196'575 bytes
First seen:2022-07-23 11:10:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JweRil2yZ5t6NZO2hDosDCmNcZaq49eqoDbgRGvsMiWbIqe0DYEVJub5uZU5XTHV:Jdilf56NZO2hDosliwP9eb0pHZ0UEiVB
TLSH T13A5633E3318BDE69D85397B0A1B2B147ECE1A32650316F5D2A20F79E1E246417F2FB14
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe TeamBot


Avatar
abuse_ch
TeamBot C2:
195.2.78.242:33091

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
195.2.78.242:33091 https://threatfox.abuse.ch/ioc/839183/
46.173.219.60:80 https://threatfox.abuse.ch/ioc/839188/

Intelligence

File Origin
# of uploads :
1
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293652/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Socelars-9901327-1
Create hunting rule

Win.Malware.Socelars-9901374-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27173/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
60%
Tags:
barys overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62dbd750ef2b0e63a8350215/reports/b6945d52-04d8-412f-9789-a8069e7ca43d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aaa97d11-7d9a-4d9e-a800-4d23108f1c0a
Result
Threat name:
Nymaim, PrivateLoader, RedLine, Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1039711
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672201 Sample: 822EE6C4B4BB9A619985E83C04A... Startdate: 23/07/2022 Architecture: WINDOWS Score: 100 135 Snort IDS alert for network traffic 2->135 137 Multi AV Scanner detection for domain / URL 2->137 139 Malicious sample detected (through community Yara rule) 2->139 141 22 other signatures 2->141 12 822EE6C4B4BB9A619985E83C04A2DFE1A09152DC0276B.exe 10 2->12         started        15 WmiPrvSE.exe 2->15         started        process3 file4 81 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->81 dropped 17 setup_installer.exe 20 12->17         started        process5 file6 67 C:\Users\user\AppData\...\setup_install.exe, PE32 17->67 dropped 69 C:\Users\user\...\Thu18d8a8f35ade47189.exe, PE32 17->69 dropped 71 C:\Users\user\AppData\...\Thu18ba64fdd38b.exe, PE32 17->71 dropped 73 15 other files (10 malicious) 17->73 dropped 20 setup_install.exe 1 17->20         started        process7 dnsIp8 89 hsiens.xyz 20->89 91 127.0.0.1 unknown unknown 20->91 143 Performs DNS queries to domains with low reputation 20->143 145 Adds a directory exclusion to Windows Defender 20->145 24 cmd.exe 20->24         started        26 cmd.exe 20->26         started        28 cmd.exe 1 20->28         started        30 12 other processes 20->30 signatures9 process10 signatures11 33 Thu182e0300f99861.exe 24->33         started        36 Thu1877c0345a958.exe 26->36         started        38 Thu18591314afe196cb.exe 28->38         started        147 Adds a directory exclusion to Windows Defender 30->147 41 Thu186ceb2c906f52bc5.exe 30->41         started        43 Thu1881b5208abddb36f.exe 12 30->43         started        45 Thu18a8def7e6.exe 30->45         started        47 7 other processes 30->47 process12 dnsIp13 109 Antivirus detection for dropped file 33->109 111 Multi AV Scanner detection for dropped file 33->111 113 Machine Learning detection for dropped file 33->113 133 3 other signatures 33->133 50 explorer.exe 33->50 injected 115 Sample uses process hollowing technique 36->115 117 Injects a PE file into a foreign processes 36->117 99 2 other IPs or domains 38->99 119 May check the online IP address of the machine 38->119 121 Tries to harvest and steal browser information (history, passwords, etc) 38->121 101 2 other IPs or domains 41->101 123 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 41->123 103 4 other IPs or domains 43->103 52 WerFault.exe 43->52         started        55 WerFault.exe 43->55         started        95 163.123.143.12 ILIGHT-NETUS Reserved 45->95 105 6 other IPs or domains 45->105 125 Disable Windows Defender real time protection (registry) 45->125 97 t.gogamec.com 188.114.97.3, 443, 49773 CLOUDFLARENETUS European Union 47->97 107 5 other IPs or domains 47->107 85 C:\Users\user\...\Thu182168bb8fcf44.tmp, PE32 47->85 dropped 87 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 47->87 dropped 127 Detected unpacking (changes PE section rights) 47->127 129 Obfuscated command line found 47->129 131 Creates processes via WMI 47->131 57 mshta.exe 47->57         started        59 Thu182168bb8fcf44.tmp 47->59         started        file14 signatures15 process16 dnsIp17 93 13.89.179.12 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 52->93 62 cmd.exe 57->62         started        75 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 59->75 dropped 77 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 59->77 dropped 79 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 59->79 dropped file18 process19 file20 83 C:\Users\user\AppData\Local\Temp\09xU.exE, PE32 62->83 dropped 65 conhost.exe 62->65         started        process21
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 06:38:11 UTC
File Type:
PE (Exe)
Extracted files:
335
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qixonrfuxongdgmf5a6ajiw74gqjcuw4aj3l22mpnub343whxa5a._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:onlylogger family:privateloader family:redline family:socelars family:vidar botnet:916 botnet:media214 aspackv2 discovery evasion infostealer loader main spyware stealer suricata trojan
Link:
https://tria.ge/reports/220723-m99kmsebhr/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger payload
Vidar Stealer
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
https://mas.to/@serg4325
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
91.121.67.60:2151
Unpacked files
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
b0907562ec1ac4ff1abc08598c77804ea6a4434b6955ef1d8ea7cfa99a6cb849
MD5 hash:
2aa74bffcea929cdd73b163a1dfabbcf
SHA1 hash:
74a2007532e312d234fbadcc0fb7d081a1932bc0
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
Parent samples :
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
SH256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
71561249c783ce2c1490b734b16815f30a8f10e66cb67185f2d11b54bdd2721b
MD5 hash:
e60e4706f457c20fda8dabd03d209909
SHA1 hash:
b801478aa9c42907fb60b9c7c1a1d9febd13e01c
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
cd8ceccab4b4ac1bcca3bef80616f40d58597e0fe43d63222261af13be17faf1
MD5 hash:
bbe4f6df70cec65153e50bdb139cb2f8
SHA1 hash:
7a55560a19206cebbd33bbca802745a855d5cfa3
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
e70dfd22fd05f559b4b52afc6b14b930bd8dcbe78603c22ea12c7354f806bf15
MD5 hash:
c8c192096de02b7445136683b1ebe25b
SHA1 hash:
75b4a8c50a82de4a3012e3a32fcc74dc1212c352
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
7a6251ad315146ef52d381e5e08ed811102c8e16abea0ebf1731f1821eb92106
MD5 hash:
c5e8d556d4c35a11e282911788712808
SHA1 hash:
57fde17130bb53694a8385673d33fe60f3d85500
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
cd35ce7aa0ef6194b24e1c71a27d26852762cde87476d716de947d0172eb3b4b
MD5 hash:
50a60cc9e706ceb3466b09ebbfaa2ec3
SHA1 hash:
49d6e5b8f2db4f6545ff78c447af0dbad909c5c7
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
Parent samples :
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
0efac9c1f24c44e5265ba1c8a80e0169d8b4aa6e8df218c524c57942c246f578
MD5 hash:
3d3b789155f41db5f058047d8e78a552
SHA1 hash:
c2f8488bf2c823bd165f1a41b53427ca1b24acb4
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
7dce97154d24b9982361a37133e35aaf9106f3836bb48e27dd7daea568e75378
MD5 hash:
dd601e359de7b856efc57a630f90554e
SHA1 hash:
97995811c6bbb33ea6bf7cf808570dc6b15ed6e0
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash:
6449aa2e023c5931ac91815ca54225ed
SHA1 hash:
65b5f4df2c28472469ddf924e6b0d0a61394c612
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
6ba23f926327ab173fe8ff2f88097e4aedde70b650d9633d8f4e86acd689d711
MD5 hash:
ca2754153c08085902863084934399b1
SHA1 hash:
7748efadd3d0f35d860d3ec95e84d927ab9c9919
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
6e859314b1420d5d14f1f2054351659edfec19895a434e455d17ba4ff683072a
MD5 hash:
b284d20c170f6ab911074a95ce3c1897
SHA1 hash:
95fb8bf5fb1a96d3235dfc8df25289d575322e2f
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
66b37c6c9441e20e30495db39de6dd5098d8605789af4e75cf55ffe3259c2951
MD5 hash:
141c7a644769dbccc351dd5e71643f8b
SHA1 hash:
d8fda74aab15a5658ade955cddb016f0af9671a7
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
ee6a84e38ab1e00e7429f3d7889a9666539f2605b1a21686950c7ea67215c429
MD5 hash:
b89d295cb2bd4b23ed90858b409da0a4
SHA1 hash:
a4729a38e5d2e8909b16b4263f0a0c4b7ca69f61
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
b0433b746bef74c8658cedaf698dc5694cc1f3e2492274546b9552f30db9ce31
MD5 hash:
a462356d2933c17a602ad4f5056a2474
SHA1 hash:
874463e63c16b0d25c3b730678fa51a283211bb6
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
48e63ac2701358e65a6a4a2df77b4815e90cdd1f5b74edfe810722b6e5a9f621
MD5 hash:
d2fca5908a27a5b9dbf05b2abd9e5072
SHA1 hash:
a19fe1db3bdfa204c7da92e6dc36a763506249d9
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
SH256 hash:
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
MD5 hash:
00b5165ffceb32d283f1178251688396
SHA1 hash:
73aa332119858941a5e6ae5beac329c6bd694262
Link:
https://www.unpac.me/results/78137a9d-875b-4c83-86ed-63e1a80ba720/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/822ee6c4b4bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_Arechclient2
Create hunting rule
Author:ditekSHen
Description:Detects Arechclient2 RAT
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_DLInjector06
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:privateloader
Create hunting rule
Author:andre@tavares.re
Description:PrivateLoader pay-per-install malware
Rule name:RedLine_b
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:win_privateloader
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293652/

Comments