MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84b3387d512191b0764fde9a03d827cb42ffe33d864b115b959c61a0147aa64d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

TeamBot

Vendor detections: 13

SHA256 hash: 84b3387d512191b0764fde9a03d827cb42ffe33d864b115b959c61a0147aa64d
SHA3-384 hash: 6bc0a135a799fb8956b3a1c9257e4d371605f520494624553e2c0a8462100952e093c35dfe34eb97ac2312290ac3c21b
SHA1 hash: 174e1cc76b437dd864748017101f1f836c732201
MD5 hash: 7e43434df7b3d71a0004abe7ce7abba2
humanhash: cat-florida-two-fourteen
File name: 84B3387D512191B0764FDE9A03D827CB42FFE33D864B1.exe
Signature: TeamBot
File size: 4'065'987 bytes
First seen: 2022-03-05 18:50:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JCj0Dp3Jn2U9xie2r130PmFt25FqjfW1tU:JQ8l39xieq0Pmuzqi1tU
TLSH: T18616334B32769073CE920EF40512FB551FEE82B27415873D9398CF09255AB76B3A734A
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe TeamBot


abuse_ch
TeamBot C2:
5.45.77.29:2495

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
5.45.77.29:2495     https://threatfox.abuse.ch/ioc/392577/
37.1.217.131:26250  https://threatfox.abuse.ch/ioc/392643/

Intelligence


File Origin
# of uploads: 1
# of downloads: 347
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cookie Stealer RedLine SmokeLoader Socel
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Base64 MpPreference
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara Genericmalware
Behaviour
Behavior Graph (ID 583731; sample 84B3387D512191B0764FDE9A03D...; start date 05/03/2022; architecture WINDOWS; score 100), flattened from the graph rendering:

Root: network contacts 20.189.173.22 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 34.64.183.91 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States), 104.21.75.46 (CLOUDFLARENETUS, United States); signatures: Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, Antivirus detection for dropped file, 24 other signatures; starts 84B3387D512191B0764FDE9A03D827CB42FFE33D864B1.exe and WmiPrvSE.exe
  84B3387D512191B0764FDE9A03D827CB42FFE33D864B1.exe: drops C:\Users\user\AppData\...\setup_installer.exe (PE32); starts setup_installer.exe
    setup_installer.exe: drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\...\Mon10f517e0e67b60.exe (PE32), C:\Users\user\AppData\...\Mon10ef6865ace2.exe (PE32), 15 other files (10 malicious); starts setup_install.exe
      setup_install.exe: contacts 127.0.0.1; Adds a directory exclusion to Windows Defender; starts cmd.exe (three instances) and 12 other processes
        cmd.exe -> Mon10877827b40ca.exe: Antivirus detection for dropped file, Detected unpacking (changes PE section rights), Machine Learning detection for dropped file, 4 other signatures; injects into explorer.exe
          explorer.exe (injected): drops C:\Users\user\AppData\Roaming\fthtwcv (PE32); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
        cmd.exe -> Mon1057a67cd49e880b.exe: contacts 67.222.39.89 (UNIFIEDLAYER-AS-1US, United States), 212.193.30.21 (SPD-NETTR, Russian Federation), 13 other IPs or domains; drops C:\Users\user\AppData\Local\...\wam[1].exe (PE32), C:\Users\user\AppData\Local\...\meSH2[1].exe (PE32), C:\Users\user\AppData\Local\...\file1[1].exe (PE32), 8 other files (3 malicious); Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
        cmd.exe -> Mon100fb812963ca1.exe: contacts 135.181.129.119 (HETZNER-ASDE, Germany); Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header)
        12 other processes: contact 52.168.117.173 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); Adds a directory exclusion to Windows Defender; start Mon101e9657be.exe, Mon1067a69050305.exe, Mon10c60bf407.exe and 7 other processes
          Mon101e9657be.exe: contacts 45.9.20.13 (DEDIPATH-LLCUS, Russian Federation); Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
          Mon1067a69050305.exe: Sample uses process hollowing technique; Injects a PE file into a foreign processes
          7 other processes: contact 208.95.112.1 (TUT-ASUS, United States), 6 other IPs or domains; drop C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32); Tries to harvest and steal browser information (history, passwords, etc); Creates processes via WMI
Threat name:
Win32.Trojan.Jaik
Status:
Malicious
First seen:
2021-10-12 03:33:06 UTC
File Type:
PE (Exe)
Extracted files:
113
AV detection:
31 of 42 (73.81%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:djvu family:onlylogger family:redline family:smokeloader family:socelars family:vidar botnet:2bitok botnet:ani botnet:media11 aspackv2 backdoor discovery evasion infostealer loader ransomware spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
45.142.215.47:27643
91.121.67.60:2151
45.132.1.57:15771
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
109.107.181.110:34060
http://fuyt.org/test3/get.php
Unpacked files
SHA256 hash:
0e2e68dc9724fc97647db64d367e7eed6ecf41b6cfe23fef257260607f86445d
MD5 hash:
91220afa4a880b7fb2d1b6a5117bf30d
SHA1 hash:
486b03728efe58dfbe19078bceb412e43eb153dd
SHA256 hash:
51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f
MD5 hash:
59073d016866002414aa2c915f8d1f6e
SHA1 hash:
dc285bc11154c5d4b932514934bd16c71b2a3938
SHA256 hash:
d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa
MD5 hash:
4da644a647b164089629ff894110d9cf
SHA1 hash:
8f29d97853790d852203c0921c39609ee8c6b27e
SHA256 hash:
642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e
MD5 hash:
488029d7287523022a3a3c0fad808e36
SHA1 hash:
1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db
SHA256 hash:
8b4aa59e3a821b1919c9738b8eee0bcc841d19062ca99da3ab5a79ea2d667660
MD5 hash:
1947827bdb01c7726a1fb68f872a6154
SHA1 hash:
fabe01bf7e4e2399d8fb2032ddfbec44e3cf9534
SHA256 hash:
adfbbb62a2ddea588de91bb2a34aa3ba7248507c01c9142b91f60420d2236a4c
MD5 hash:
c70e3c71f4fec9edaa21bf978d326107
SHA1 hash:
f3c48545ee595f487366a02565a7382b6872252d
SHA256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
SHA256 hash:
c5c1bf23e159c7145c13150ea85dabc88bed17e348e437a97bde4d680b1324ce
MD5 hash:
425a3730ac2fe2734ac9699196ee9e57
SHA1 hash:
d305dea236d713f81309512c8956fdaa289dfc98
SHA256 hash:
20047a998622aaada093f48fa443ba6a7f6b7b7cb6afdbbb3c91673fccb0c5e6
MD5 hash:
30fcfb772ce7d2b01808aeabee0bf12d
SHA1 hash:
aa3f96e294923d2be4a4c3d2b088fa3f8a3c1d47
SHA256 hash:
c8afcdf046c8f341ba02dc56abaa08b4b7cc0df34087c22d11236d16011eb3e6
MD5 hash:
5f2ddd37132f21311b5cc07f94952faf
SHA1 hash:
9af762055be8491978955640a56b58a9b2ad488c
SHA256 hash:
63e4a9190f750a3fa1dbf46d1f34b53d1f353f879f7fba8750b69f3edd069802
MD5 hash:
e43ac241ea055452651171b423565beb
SHA1 hash:
869dde6bb5afc4dcbf862efae8ee5238ec4b11ae
SHA256 hash:
bc6dfe9ae53c745b83810c092635dee8d3a5e58fda2e91552cc5683399568c09
MD5 hash:
8c9e935bccc4fac6b11920ef96927aac
SHA1 hash:
38bd94eb5a5ef481a1e7c5192d9f824b7a16d792
SHA256 hash:
9749f4e3634392dce9ef5f75f31cfc57e9595e687218de1c921f5fff62dc4b4d
MD5 hash:
86963d3938ea1cafba3e2b67e9fb2ac6
SHA1 hash:
288f00b51435ee00921df8e636a6d0193d897fe3
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
615959c2104391930d5edf69581d2eed627cd834a6e64a763223ef2120285314
MD5 hash:
c0e71665f6e43e892b4a62d83f52d8db
SHA1 hash:
562fc96573927af109eb6d44d310b5ee92bc2718
SHA256 hash:
51d1fb6c91c859ebbe0d33009feb91e61ac92c14412addfeb6e5b097d84b7b63
MD5 hash:
ca367012ebf8a17e84253413281d5e72
SHA1 hash:
9db93109d5bfb255c1997e422a2538beefdbb36e
SHA256 hash:
4d122504d709e4b3c9bf75835b9453aab45dc8fc748f2745e5ad31c6ba09cf92
MD5 hash:
f9d11f710246b5647625e117f42deb2a
SHA1 hash:
b37aa574bc9b6661bb1967d266b358caab2aa591
SHA256 hash:
1525a6521c8999587ce543def68da9e4dc6d7d2f30206ae50ca7d56091cb4d86
MD5 hash:
df8ea74214f3c7769a3b64cb5c8d25a2
SHA1 hash:
902b1296b898e043f5780de3d288f0b0b303c8c9
SHA256 hash:
a9719ad2f1d6dbd2cc19077702b1712f316304b29fd868efc0de71f0d1816fe5
MD5 hash:
efd688bcc0a40b7ce66aedbdf535364e
SHA1 hash:
ee1c2f36a0e62cbce769aa5f37d03f3a8f3e427c
SHA256 hash:
263510c9d6c45d01be1357831ddd81feab3fd18c29812820c62e5394ddb89a00
MD5 hash:
c5f261f9c59a06e2ef5a34eb7b23ec97
SHA1 hash:
72b8ccf0c75bf71d4ddada0a646980497118a919
SHA256 hash:
84b3387d512191b0764fde9a03d827cb42ffe33d864b115b959c61a0147aa64d
MD5 hash:
7e43434df7b3d71a0004abe7ce7abba2
SHA1 hash:
174e1cc76b437dd864748017101f1f836c732201
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_Arechclient2
Author: ditekSHen
Description: Detects Arechclient2 RAT

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments