MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
SHA3-384 hash: 1cf0e47b42550e414a952414e259f3fd02f5821dc9ada7f5bc6d9c51fa73ac7f45cda0b370de1d6ce0df31c6f7853917
SHA1 hash: 1a6c863fcf9e8dad9e5f8bd9bcdd67aa02f4e182
MD5 hash: b79cd7c09560aefc13c02489ca05a479
humanhash: floor-lake-mexico-oven
File name:B79CD7C09560AEFC13C02489CA05A479.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:10'059'852 bytes
First seen:2021-08-30 09:12:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 196608:Pl2HpzNexHb9mT5kszFw1d4zZkxaZzDaC0b8LP3gt8+dfZKVURWw/Rk9E5I:s5el9E5kszq4zZqwzD30biPwR144Rk9T
Threatray 248 similar samples on MalwareBazaar
TLSH T11FA633217E80B9F1D1A36D3305B65EAC36BC6D214BB146ABB3D40B12DE72C92E731593
dhash icon f0cccacaece4e0f0 (12 x RedLineStealer, 2 x GCleaner, 2 x RaccoonStealer)
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
http://193.38.54.196/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://193.38.54.196/ https://threatfox.abuse.ch/ioc/202296/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B79CD7C09560AEFC13C02489CA05A479.exe
Verdict:
Malicious activity
Analysis date:
2021-08-30 09:13:04 UTC
Tags:
evasion trojan rat redline stealer
Link:
https://app.any.run/tasks/a67eb1c5-f8fe-41eb-9036-4b1c6e87157d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183672/
Detection(s):
Win.Malware.Qshell-9875653-0
Create hunting rule

Win.Malware.Chapak-9883695-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% directory
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Deleting a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Blocking the Windows Defender launch
Unauthorized injection to a system process
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d22265a0-1a17-46c2-be8a-a797931eab8b
Result
Threat name:
Cyberduck Glupteba Metasploit RedLine So
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841474
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Cyberduck
Yara detected Glupteba
Yara detected Metasploit Payload
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473903 Sample: ATTzc6pREK.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 56 208.95.112.1 TUT-ASUS United States 2->56 58 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->58 60 4 other IPs or domains 2->60 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Antivirus detection for URL or domain 2->78 80 Antivirus detection for dropped file 2->80 82 18 other signatures 2->82 9 ATTzc6pREK.exe 15 2->9         started        signatures3 process4 file5 38 C:\Users\user\Desktop\new23.exe, PE32 9->38 dropped 40 C:\Users\user\Desktop\md9_1sjm.exe, PE32 9->40 dropped 42 C:\Users\user\Desktop\SoCleanInst.exe, PE32 9->42 dropped 44 7 other files (5 malicious) 9->44 dropped 12 File.exe 9->12         started        17 md9_1sjm.exe 16 9->17         started        19 Install.exe 9->19         started        21 5 other processes 9->21 process6 dnsIp7 62 37.0.10.214 WKD-ASIE Netherlands 12->62 64 37.0.10.237 WKD-ASIE Netherlands 12->64 72 9 other IPs or domains 12->72 46 C:\Users\...\zj3kc5f4qO52f49LiVkUjzYy.exe, PE32 12->46 dropped 48 C:\Users\...\zLAJxxL83TVO1nGqDCW8HCTY.exe, PE32 12->48 dropped 50 C:\Users\...\nD_F6rsp1U0EkpCZbt_UKWii.exe, PE32 12->50 dropped 54 33 other files (28 malicious) 12->54 dropped 84 Drops PE files to the document folder of the user 12->84 86 Creates HTML files with .exe extension (expired dropper behavior) 12->86 88 Machine Learning detection for dropped file 12->88 90 Disable Windows Defender real time protection (registry) 12->90 66 iplogger.org 88.99.66.31, 443, 49703 HETZNER-ASDE Germany 17->66 68 186.2.171.3, 49702, 80 DDOS-GUARDCORPBZ Belize 17->68 52 C:\Users\user\Documents\...\md9_1sjm.exe, PE32 17->52 dropped 92 May check the online IP address of the machine 17->92 94 Tries to harvest and steal browser information (history, passwords, etc) 17->94 74 2 other IPs or domains 19->74 96 Antivirus detection for dropped file 19->96 70 193.56.146.78 LVLT-10753US unknown 21->70 98 Detected unpacking (changes PE section rights) 21->98 100 Creates processes via WMI 21->100 102 Injects a PE file into a foreign processes 21->102 23 Folder.exe 5 21->23         started        26 conhost.exe 21->26         started        28 conhost.exe 21->28         started        file8 signatures9 process10 file11 32 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 23->32 dropped 34 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 23->34 dropped 36 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 23->36 dropped 30 conhost.exe 23->30         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd/
Threat name:
Win32.Infostealer.Passteal
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 06:51:00 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=snijt4qwb4w5l7wguy7kaleb3agawlf7oevq4sftq2uba6fge7oq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
DiamondFox
1cf6570844a3a440ad731d0c72ed9bd8369f2cfb44243a952942f91097767776
DiamondFox
2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
DiamondFox
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
DiamondFox
4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c
DiamondFox
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
DiamondFox
b01b61c911a3b80d4f265e4915f9d62275efa34f84989f77be142f3f9e062f9b
DiamondFox
b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
DiamondFox
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
DiamondFox
+ 238 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:spmmastif botnet:upd backdoor dropper infostealer loader persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/210830-fhvs1djwsa/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
193.56.146.78:54955
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
135.148.139.222:1494
Unpacked files
SH256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
e949546beeb7315cfe33ba69299fccbf2081cf7e4e44c1a64cf63b0558e2f411
MD5 hash:
c6bc3e90f40768dbf009fa49f87b2d67
SHA1 hash:
ad19c879edbaf1956b29f42c5b5ae37d103aec82
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
686877759472a391a47e55de42ef91413abdfc6c443a35929cd8fb085aab4040
MD5 hash:
8ef40432787decbba07e55b8efdcf403
SHA1 hash:
2bc59a451e796e81560abb79adaefbca5df5faa1
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
858f522c40ca77f2de04fbcb7b8491f6d6fd9284307331376ce6f0ab172cb4b5
MD5 hash:
7e2153fcd2dd055f732c005f2134a713
SHA1 hash:
20a048788d5ea0f70c5abfa88b1f411e780d1faa
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
b3dfd39fbd86b5473844d8e68bb08e24fce0778ac0ad83af44867d100ed6b9f3
MD5 hash:
57699197e5670c0f77d674d7818abbe6
SHA1 hash:
1b648548a7ce05ac6a62b0341e9ecbfff768dd03
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
Parent samples :
5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef
3de698ac8b7a255a50e6f0ec0fc0cba3299719516a96f641a24d0996aa1515c2
4b5091f5530ef7e23a331115a0290cc3c368fe23e4e53b68d5d61ffddd27e793
415f9d7bdc9ea00d2c8e58d906cdd7af876e28494e24e027401b6be60144ddcc
7471e982051110160ecb8d1a95aa8ba5d8f3d61d341706232caf57c1b8b3ac88
79c334850dedad7a1eacb71789b4f025a307bb093f916b51939384a6593315d3
db724681d71bd9cc6d6272e1fb68e52509a453b16c6b2bf3cf3040b6169bb1e5
cdd97a4a8f04c6241bc2bc9fed6b43dfc4b08b8d96ffa91688df52c3f0b489a6
dad7611f8df2b970dad82657205886a8b314472c59927c9ba29a484e1376e157
9629761247d31f92dd76b67e98acb749b69572cb7198e05b3a2a2b1fa3a9bfaa
7a30562757837dadbb29871ae310dd344b0c422d14920d4c72a98fa820f5e9e2
2db2cc193feadebfc2a1847f97ba91070840b51cc9729a3208cf288afa71f19a
67315a8a56433109b3fd378798d9d9a0b5b7f31e8054e1dcb4c5e91eb596b495
0042db3f1d304c60dc3d50fb26fcc87cea1b8f2eb15132429588d3a0f4bae296
670eb3744d703bdf43a246ffbb313cecaf01f55feaa973a3f85bd8c4dae781c2
98fa2b33875a2409f9107832e7869bca91f44e57af1fc0743009c8eb53f0e928
8cd17893e8ac733bb4bf624e9351dcb0b08d83c3908385fba72fe72c70fd4f03
e48022e9f7c8d368e6f8d65c86f19afb98d1104dda8d06047acd1feff6a658d7
37550c63f7c27440149dcd0cefdc456f04422595679adebb3be0278249d145c6
b503aee98c27d8e15feb765addc1c386c7c59ccbd43ae7c4d2842b293120130b
3ad13fd7968f9574d2c822e579291c77a0c525991cfb785cbe6cdd500b737218
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
8bb0c75f554647d27173b3d8b2e63abba3670fb7972b6856cbca89f1eda96c6d
21391fc51c85957fb1bf530fbdd01b9cc6b855445c5ae6e46d9be51441ee62f5
0b07fe8c554ff364d42e3311b10a79ba6ed1b47e35763e45c924bafeb8d0d50a
a8647cfb02a8b8c077fb4285357c29f58afb1a8ffff6da199e6a3887030869fd
4df83e858a2d52987f6e9b8afcde20643ee1cd106089e412e25b1df186a57b29
a4561c8115ba9a40d8ccc6411379e8db03ac8540c681b8aae63763a7e8c10a27
d6d3dd2923a9b46473abb1d811fb4b64bdcf2c0c15c1f48161353b1c220d7e23
bf5bc18439ee4363f861058f1dc8a0fa74775be6efc44fbf7d8d6c511fd2a447
cb7fc22f3b5ccf76238049bd7388f760204728fe846742fbda3560b1085efa7f
cf46c5f2cd03626cad846f9d3d55366a7b469704eae8ed7ba54eda6940dc9bba
a7a2d5e0d31d31e452252c14023420621e92967814dc6410f783c5f101c3de1b
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
d824b099e911bc138c15e82996288b84253e98e2f2b286801edc564ff98e7bf5
db9c79df5fa9185f4f1d4745cdc8c417d21679d4bfd7dc7d5939312024d92127
d2f01f5182de940b27db63f60ca85d5f4421c75de628c03a63d8e92cf9f3681c
055581a45098bcdda89f414c2346c7737546908ad7fba54f1c6f6451886e014d
30471f6f937611ff3868013eccd4b8fd33150e7bd0c25e49bc1ae53c2f3ad78a
4024acf12f12a1ef676b1edd835a5e384d4800725c352c1e88b9c94b94293e72
7edd23716ea559a786a78a1637749a4dd626c79f7119fd128e43334dafa1dceb
d57957436111516ca7a7e9af7cb143353cf41a22d556aa19ba6e710a37c6f0ae
f421b369da1548568f6d2edc332073ef7604517e83eb1425f9b336eb56e6ce7a
b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
8eea00bd7d1db820c7a1b5622119b76944215e5803c2e8b772b9548e9ee91c66
b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
203a03884451e5f74fa167f4708e19722f1d91ba434957aac1ba13f1a3d70127
8980c8abaa3365782c905b3f9506a032c54a5d1833fef1fe0ce46b6f84ee7534
049305763188b36e9010906c55428a2b42b59da7da4e0709112835a46c600243
58a7195eaf6e6d8c366dd038689da7697e0acfc5d0d160fb89d63f1658e997b8
ce16fc8b907646744f5790fa16e1bba6b1b3c3484a7c9d3802193d7c518c1f08
d64cda4b27aee29a8f491b125d83bc8b55d483db8884b14fc1a3ef20fe1717eb
13b76d70cecc082e06783f4a67c8c3b9cd5e4fb652e22475e9e11440b7a215cd
d179e667e2790673f30e69bebaa0bcd4d4b9bf68503611b6d26b278447cd4ae1
d86aa13697e550f6e74a585167e0e5aae455a7a99284679f230fe1d96ff59d8a
07a3740166cef528ebddd4f594c555f7a07cee5260fb85d2840dded9ebbbd652
50ab699ceb6bb259199d197392ea0ed00d024ce77d3d663ea13fe7b93a4ab50e
769a9ae9ab253e8cce64c35143eff02b2ae70e53465ab4aa4f6cf1b2d4fe698e
b01b61c911a3b80d4f265e4915f9d62275efa34f84989f77be142f3f9e062f9b
1c74706b3f7dc817e51a166a5e41e55383347e1080a3b2aa41b9f6dd87d63040
56538d4161a6b6e0e57759f73f81a76db0b7bf9f923791f56e719793ae10ece9
2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
962793c4decea8dd718bd96ccc4209ce744414a62e4afb93c79db64df4b792e2
SH256 hash:
512ea64655c676d19de78257d80edddd88379879becc02e11517378575b7c545
MD5 hash:
54e52d3a7df69be432ec9d790be8a462
SHA1 hash:
c80c2d000b97ac196b22ecebf3117b998a5c1092
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
fe8271b07c7c09665d7fbe09b68a4e8a75ad60156dba8bbf0452c360316a426d
MD5 hash:
46a6486b595a78c4b3aab889fc848a4f
SHA1 hash:
480fc04e49830b524d473159f24877b82ecdb645
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
99c29e0a45a471c4d343fe456909fdd1e8f273fa2477bed92a1c0f1ffc90848c
MD5 hash:
3a313b1ea44ebb2e9acb804fee6e4712
SHA1 hash:
20f67277bf2a51c6de338fc718e1645c7900db2a
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
b9cefc04996e89e4b573c98044588940b374b239aeeeb990f3cdd3af8d3bb61b
MD5 hash:
cda72c1384b147c05fc1202f6c832aaa
SHA1 hash:
7872becf22ddd5d7ed544be243bb6f4c884d53da
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
ffaa26e86682e777bb3e1016eb1dcff5e3e67be6ff283eeee0645c3a2f3ce3db
MD5 hash:
510528bf7ba4e77af016a8debe77f92e
SHA1 hash:
ac74876518f5fe5f0579c36b73a53afa1fbcf153
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
8697d131465e5f0e14d5c75c4a2d8a4990bf3a0146ad150d11aff5ed95319da5
MD5 hash:
62ca48a616bf98d009c236a10e17e62b
SHA1 hash:
a1f4e0f197f3759a840476e51f0cea0289467aa0
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
2cc3ef82277080c83a545e8ea6cce40d2878038d9878a1189f3e6dae245f14e4
MD5 hash:
10bd2db259520cf69356c09ac3e61885
SHA1 hash:
a0b5d3a2eeb8aa6d919a8a5cc45c1360d59825b8
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
5ccd837ee994f5e5676bedc65bd57b495d1269c2c39cc98ec6c877cc3dfdfc19
MD5 hash:
196bb6d6667108aeb08eebb81cddde8b
SHA1 hash:
cbc211d1469a6d2cca9af04d51e593e2a39c7f95
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
f660d2b756b46e4a3148336dae1f07eda2fefa43857c56489b55514cfbed70a7
MD5 hash:
291c9ebd2c6aecba47924901b8c280e3
SHA1 hash:
72c51c69300ae1e9ac2bcc1ec51d0da199d4972d
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
Parent samples :
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
SH256 hash:
ecb51083dd78b645d94823390d7961f73d89b71af87acaf89a656d25682bb382
MD5 hash:
e7fe8f00cffbf0a25aa819f3fd0d9f40
SHA1 hash:
f817b59e064c5da8e054e8b99cce3decba5143af
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
853c325f6607263a1f4e750e5cf05e137e2789113b3cdd9f8c161425e5c8ed80
MD5 hash:
23f4238ed990d7c3b00bd7fcb8c55e07
SHA1 hash:
433396c8e5f09ae7815ba661bfb65d303d595361
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
6cb20d8874afb99b1af0d581d5e4f0d25860e664e639371efb3024499c16f8e1
MD5 hash:
ff34d834c648f30d47a406fc63a7d975
SHA1 hash:
64dd4f6ad17ce4a4a7ec068b36cd5cde49e0551d
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
439202c1a8b9fe6874f448ecb1505510922253314dfc21208c18dbc14df19268
MD5 hash:
295ee2770bfc89c62b80d42d1150bd4d
SHA1 hash:
8f5a5c15211ed0a4588f4edbf052c235104840bc
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
5a846db5f39827a4ce8960a18d0e3a12b9878e5d8cfb656c2426699c4aacdafe
MD5 hash:
f5a72758836c0c09782a5c3eac6321e4
SHA1 hash:
a4292a64fe6b227d1f40ec2262096d5ce5b573a7
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
SH256 hash:
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
MD5 hash:
b79cd7c09560aefc13c02489ca05a479
SHA1 hash:
1a6c863fcf9e8dad9e5f8bd9bcdd67aa02f4e182
Link:
https://www.unpac.me/results/e86a229b-6edc-496a-a4ca-2ee7c38c0a8c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/935099f2160f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:UroburosVirtualBoxDriver
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183672/

Comments