MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 15



SHA256 hash: 9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
SHA3-384 hash: 45abe3545616d174f1c655fa0d9998e6004d3c310d48870e01b46521ffcd7cae67d6a54212259101d475982b7abbfa3a
SHA1 hash: 44c9f5abfbf5176ae16d68fbe48c5e079efc7547
MD5 hash: b938dc291cb3fb3c927a5e683e191633
humanhash: beryllium-pasta-johnny-lamp
File name: 9265B09595C59007E116C60605C28BD616387CF0DFF79.exe
Signature: ArkeiStealer
File size: 4'431'179 bytes
First seen: 2022-12-26 21:45:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xmCvLUBsgYn1HcgtJodtEz1eDX0q0zMYtLw6alsaJN0+S6ICa/50:xPLUCgYnig7odtEpeDkdMIjalsaHJS6B
Threatray: 1'574 similar samples on MalwareBazaar
TLSH: T1702633913FF290F7D8821436DA8CABB251FA8319463619D37BCAD3196F1C4E5C11FA86
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://116.203.121.167/

Intelligence


File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
9265B09595C59007E116C60605C28BD616387CF0DFF79.exe
Verdict:
Malicious activity
Analysis date:
2022-12-26 21:46:56 UTC
Tags:
evasion trojan loader smoke redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Fabookie, Nymaim, RedLine, Socelars, onl
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara Genericmalware
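Two of the signatures above, "Adds a directory exclusion to Windows Defender" and "Disable Windows Defender real time protection (registry)", leave artifacts a responder can check for after the fact. The following is an added example (not MalwareBazaar's, any sandbox vendor's, or the malware's code): it parses the text of a `reg export` of the Defender keys and reports excluded paths and policy-disabled real-time protection. The key and value names are the real Defender locations for these settings; the .reg text embedded in the block is constructed for the demonstration and is not taken from the analysed sample.

```python
"""Flag Windows Defender tampering in a registry export (.reg text)."""
import re

# Real locations: per-path exclusions are value names under Exclusions\Paths
# (local and policy hives); DisableRealtimeMonitoring=1 under the policy
# Real-Time Protection key turns real-time protection off.
EXCLUSION_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths",
)
RTP_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"

RE_KEY = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Key]
RE_VALUE = re.compile(r'^"(.+?)"=(.+)$')     # "name"=dword:00000001

# Constructed sample export for the demonstration, not from the analysed sample.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\user\\AppData\\Local\\Temp"=dword:00000000
"C:\\Users\\Public"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"""


def parse_reg(text):
    """Return {key (lower-cased): {value_name: raw_data}} from .reg text."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = RE_KEY.match(line)
        if m:
            current = m.group(1).lower()   # registry key names are case-insensitive
            tree.setdefault(current, {})
            continue
        m = RE_VALUE.match(line)
        if m and current is not None:
            # .reg escapes backslashes in value names as "\\".
            tree[current][m.group(1).replace("\\\\", "\\")] = m.group(2)
    return tree


def dword(data):
    """Decode a REG_DWORD literal ("dword:00000001") to an int, else None."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data or "")
    return int(m.group(1), 16) if m else None


def defender_findings(text):
    """List (finding, detail) tuples for the tampering artefacts present."""
    tree = parse_reg(text)
    findings = []
    for key in EXCLUSION_KEYS:
        for path in tree.get(key.lower(), {}):
            findings.append(("exclusion_path", path))
    rtp = tree.get(RTP_POLICY_KEY.lower(), {})
    if dword(rtp.get("DisableRealtimeMonitoring")) == 1:
        findings.append(("realtime_disabled", "DisableRealtimeMonitoring=1"))
    pol = tree.get(DEFENDER_POLICY_KEY.lower(), {})
    if dword(pol.get("DisableAntiSpyware")) == 1:
        findings.append(("defender_disabled", "DisableAntiSpyware=1"))
    return findings


if __name__ == "__main__":
    for finding in defender_findings(SAMPLE_REG):
        print(*finding)
```

`reg export` writes UTF-16 with a BOM, so open a real export with `encoding="utf-16"` before passing it in. On a live host the same two facts are visible through `Get-MpPreference` (the `ExclusionPath` and `DisableRealtimeMonitoring` properties); an exclusion added with `Add-MpPreference -ExclusionPath`, the usual route for loaders like this one, lands in the local Exclusions\Paths key checked here.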
Behaviour
Behavior Graph (ID 773995, sample 9265B09595C59007E116C60605C..., start date 26/12/2022, Windows, score 100), flattened from the graph into a process tree:

Sample-level network and signatures:
  contacts t.gogamec.com, api.ip.sb and 9 other IPs or domains
  Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 25 other signatures

9265B09595C59007E116C60605C28BD616387CF0DFF79.exe (started)
  drops C:\Users\user\AppData\...\setup_install.exe (PE32), C:\Users\user\AppData\...\libwinpthread-1.dll (PE32), C:\Users\user\AppData\...\libstdc++-6.dll (PE32) and 15 other files (14 malicious)
  setup_install.exe (started)
    contacts hsiens.xyz and 127.0.0.1
    Multi AV Scanner detection for dropped file; Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
    cmd.exe -> Sat053d2789b60d.exe
      contacts 212.193.30.115 (ports 49730, 49737, 80; SPD-NETTR, Russian Federation) and 19 other IPs or domains
      drops C:\Users\...\uH9HIgdqbrUC3F9X1vT_FZnc.exe (PE32), C:\Users\...\lDktZqG2OVaABEDXjKG29j4Z.exe (PE32+), C:\Users\...\fctdOZLS6A20BdhqoefmZSpU.exe (PE32) and 18 other malicious files
      Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; 3 other signatures
    cmd.exe -> Sat058b772138cf0f3.exe
      drops C:\Users\user\...\Sat058b772138cf0f3.tmp (PE32); Obfuscated command line found
      Sat058b772138cf0f3.tmp (started)
        contacts safialinks.com and best-link-app.com
        drops C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    cmd.exe -> Sat056c52386ee94b16c.exe
      Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
      injects into explorer.exe
    13 other processes (Adds a directory exclusion to Windows Defender)
      Sat05ae182be20069e.exe: contacts 4 other IPs or domains; spawns WerFault.exe (x2)
      Sat0556e72238ef5897.exe: contacts 3 other IPs or domains; Found evasive API chain (trying to detect sleep duration tampering with parallel thread); spawns WerFault.exe
      Sat057428ebfd0d.exe: contacts 5 other IPs or domains
      7 other processes: contact t.gogamec.com and 3 other IPs or domains
        mshta.exe -> cmd.exe
          drops C:\Users\user\AppData\...\SkVPVS3t6Y8W.EXe (PE32); spawns conhost.exe and taskkill.exe
          SkVPVS3t6Y8W.EXe (started): Multi AV Scanner detection for dropped file
            mshta.exe -> cmd.exe -> conhost.exe
        Sat053bd2e87da.exe (x2)
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2021-10-03 01:25:00 UTC
File Type:
PE (Exe)
Extracted files:
134
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:fabookie family:nullmixer family:onlylogger family:privateloader family:redline family:smokeloader family:socelars family:tofsee botnet:10k botnet:ani botnet:install botnet:logsdiller cloud (tg: @logsdillabot) aspackv2 backdoor dropper evasion infostealer loader main persistence spyware stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Uses the VBS compiler for execution
ASPack v2.12-2.42
Blocklisted process makes network request
Creates new service(s)
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
OnlyLogger payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
NullMixer
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine payload
SmokeLoader
Socelars
Socelars payload
Tofsee
Malware Config
C2 Extraction:
http://hsiens.xyz/
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
45.142.215.47:27643
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
159.223.106.156:81
51.210.137.6:47909
109.107.191.169:34067
svartalfheim.top
jotunheim.name
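The C2 extraction list above, together with the ArkeiStealer C2 reported in the comments, is the actionable part of this entry. What follows is an added example (not MalwareBazaar's or any vendor's code) that normalises those indicators into domains, IPs, ip:port sockets and full URLs, then matches them against DNS, proxy and connection log lines. The indicators are the page's own; the log lines are constructed for the demonstration. Two design choices to be aware of: a bare "http://host/" is treated as a host indicator rather than a URL, and any subdomain of a listed domain counts as a hit.

```python
"""Match the C2 indicators listed on this page against log lines."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from "C2 Extraction" above, plus the ArkeiStealer C2
# reported by abuse_ch in the comments.
C2_EXTRACTION = [
    "http://hsiens.xyz/",
    "http://www.iyiqian.com/",
    "http://www.hbgents.top/",
    "http://www.rsnzhy.com/",
    "http://www.znsjis.top/",
    "45.142.215.47:27643",
    "http://91.241.19.125/pub.php?pub=one",
    "http://sarfoods.com/index.php",
    "159.223.106.156:81",
    "51.210.137.6:47909",
    "109.107.191.169:34067",
    "svartalfheim.top",
    "jotunheim.name",
    "http://116.203.121.167/",
]

# Constructed log lines (DNS, proxy and connection records), not real traffic.
LOG_LINES = [
    "2022-12-26T21:47:01Z dns client=10.0.0.5 query=www.hbgents.top type=A",
    "2022-12-26T21:47:03Z proxy client=10.0.0.5 GET http://91.241.19.125/pub.php?pub=one 200",
    "2022-12-26T21:47:05Z conn 10.0.0.5:49731 -> 45.142.215.47:27643 proto=tcp",
    "2022-12-26T21:47:09Z dns client=10.0.0.5 query=cdn.jotunheim.name type=A",
    "2022-12-26T21:47:12Z conn 10.0.0.5:49732 -> 45.142.215.47:443 proto=tcp",
    "2022-12-26T21:47:20Z dns client=10.0.0.7 query=www.example.com type=A",
]


def normalize(indicator):
    """Split one raw indicator into (kind, value) pairs.

    A URL yields its host, and a "url" entry only when it has a real path or
    query ("http://x/" is just a host). "ip:port" yields the ip and a
    "socket". A "www." host also yields its apex domain.
    """
    out, raw = [], indicator.strip()
    if "://" in raw:
        parts = urlsplit(raw)
        host, port = parts.hostname, parts.port
        if parts.path not in ("", "/") or parts.query:
            out.append(("url", raw))
    else:
        host, _, port_s = raw.partition(":")
        port = int(port_s) if port_s else None
    try:
        ipaddress.ip_address(host)
        out.append(("ip", host))
    except ValueError:
        host = host.lower()
        out.append(("domain", host))
        if host.startswith("www."):
            out.append(("domain", host[4:]))
    if port is not None:
        out.append(("socket", f"{host}:{port}"))
    return out


def build_iocs(indicators):
    """Group normalised indicators into per-kind sets for O(1) lookups."""
    iocs = {"ip": set(), "domain": set(), "socket": set(), "url": set()}
    for ind in indicators:
        for kind, value in normalize(ind):
            iocs[kind].add(value)
    return iocs


IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
RE_URL = re.compile(r"https?://[^\s\"']+")
RE_SOCKET = re.compile(rf"\b({IPV4}):(\d{{1,5}})\b")
RE_IP = re.compile(rf"\b{IPV4}\b")
RE_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def match_line(line, iocs):
    """Return the set of (kind, value) indicators observed in one log line."""
    hits = set()
    for url in RE_URL.findall(line):
        if url in iocs["url"]:
            hits.add(("url", url))
    for ip, port in RE_SOCKET.findall(line):
        sock = f"{ip}:{int(port)}"
        if sock in iocs["socket"]:
            hits.add(("socket", sock))
    for ip in RE_IP.findall(line):
        if ip in iocs["ip"]:
            hits.add(("ip", ip))
    for host in RE_HOST.findall(line):
        host = host.lower()   # exact match or any subdomain of a listed domain
        if host in iocs["domain"] or any(host.endswith("." + d) for d in iocs["domain"]):
            hits.add(("domain", host))
    return hits


def scan(lines, iocs):
    """Return [(line_number, sorted hits)] for every line with at least one hit."""
    report = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, iocs)
        if hits:
            report.append((n, sorted(hits)))
    return report


if __name__ == "__main__":
    for n, hits in scan(LOG_LINES, build_iocs(C2_EXTRACTION)):
        print(n, hits)
```

Line 5 of the constructed log is the case worth noticing: 45.142.215.47 on port 443 is flagged on the IP alone, not on the socket, which is the right level of confidence for a host-only indicator from a loader whose ports vary between campaigns.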
Unpacked files
SHA256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Detections:
win_gcleaner_auto
SHA256 hash:
bc945e03237641e79cb1a9b5399fffafce68daa318430e959b701aa3f4628c05
MD5 hash:
5275ae278e347d83fb061a92e979fe86
SHA1 hash:
6c1118b87f366df72a25f1988f740ea6753984cd
SHA256 hash:
cc40fc4502d705d9698fd9d9493efdd39f6fcd0f0e03678eef29773b80e51ff9
MD5 hash:
bf8b0c8e992a344ce312c8a939fa1c9e
SHA1 hash:
3e207a18a539ab6ec17737e6fe79562f59502718
SHA256 hash:
2cf67278ce63932f7efabdee1be667555c408718fca6622de2456b8e59db69cf
MD5 hash:
7b9e5d37881a3e58e26e22c79de09d47
SHA1 hash:
0cf699c041c6f7ad485b77f25403776aab99c057
SHA256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
SHA256 hash:
450316cde8a53c5f3092cef320997b942eb48108dcdc037660499b93a43f40e5
MD5 hash:
abe213198e2254d389e5c81b371885dd
SHA1 hash:
c24b34e74887b55bf784490966a3e8931b5d4fcc
SHA256 hash:
5ef3269764a570e011401629cf561870625f012f05935d64984ae39c0680192d
MD5 hash:
7b4a134c40b89f13e855b04f3ffc0250
SHA1 hash:
f8494929f94fe275c3a152c9c927f584794bb80c
SHA256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
SHA256 hash:
0cb045b86d3fb15e6bc23d0ddd74de0793b280e1c7445e3ed174370b7b65d62b
MD5 hash:
caa50e37645b639e79142683a423cae3
SHA1 hash:
c73ae1a4f09157d5cc5bdab97466e154ac534a01
SHA256 hash:
2f3795cc165b443201be6ccbb16821beb1ef532157ce54cf2f97d278cb6ec340
MD5 hash:
4957863fcc426c5bc8ec43174ea3754b
SHA1 hash:
b368cf6dab159579691b5fa9673e611418fe54d4
SHA256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
SHA256 hash:
70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1
MD5 hash:
51b73b4d3041eb2d32a29dca61059549
SHA1 hash:
9845a8e5716e5e16ffc33ceccae9abf52872a2b5
SHA256 hash:
87a9a01f415c3fbe68604be6674ab2f4b6104db0bb21c5273610a4621a962b82
MD5 hash:
6e8c9d63e8ab299be3c53fcc870c0348
SHA1 hash:
86e4f9a86b44819c9d1401efcc7dded6f496c83d
SHA256 hash:
5e0e68e706bae10caa68edc625ad9ada909a277660583e8fbe5681a98170066c
MD5 hash:
eef74b250b8faefb76f5e5d2f2477fb7
SHA1 hash:
45efe669d04dd90979c747b5ec0c6bfab5e1f05a
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
SHA256 hash:
0495244034321e1a37002a450f4d53d6b55354c9ac09fce2e1e913ab6d866315
MD5 hash:
7f314d5d3e31b900073a1cb319cbe333
SHA1 hash:
105b0ac7ed95d3d6d0e05e7e127b050d0d54a163
SHA256 hash:
857a7df9a7dcf62007e40ed82660bd50106af7a4fd73711dc332751bc31fca16
MD5 hash:
6afb47cb5af277ac5965b9db3ef76710
SHA1 hash:
cf32e9c3a21a82f517ea52c2677953337a890bba
SHA256 hash:
a12b581167ee38b475cc5249a1a239acc477bbbb9dfec90b404bb8a24bb6f68d
MD5 hash:
541351ce2ae045da9a118061ea255dd9
SHA1 hash:
037a61fb0e9fe65cedef388be016be5ebf0c4c87
SHA256 hash:
52feda7c1f1d236324207d0d8c91bbb192d438b2afad1b9d26e689cd11e13c8e
MD5 hash:
4d03feea198719b502095b367953be57
SHA1 hash:
acf64d7e69d0de8e9254c6f0f335062d84c61791
SHA256 hash:
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
MD5 hash:
b938dc291cb3fb3c927a5e683e191633
SHA1 hash:
44c9f5abfbf5176ae16d68fbe48c5e079efc7547
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:AsyncRat_Detection_Dec_2022
Author:Potatech
Description:AsyncRat
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:INDICATOR_EXE_Packed_ASPack
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:MALWARE_Win_DLInjector03
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_OnlyLogger
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Rule name:Redline32
Author:Muffin
Description:This rule detects Redline Stealer
Rule name:RedLine_b
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_stealer
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Windows_Trojan_RedLineStealer_3d9371fd
Author:Elastic Security
Rule name:Windows_Trojan_RedLineStealer_f54632eb
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security
Rule name:win_gcleaner_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments