MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 13


Intelligence 13 IOCs 6 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530
SHA3-384 hash: 6a78f829f123eb2651e34b3e881eaf19929bc435c16ee02322d9a26325b2dc563a822eeb36ea3fd0ad60939e6143d80d
SHA1 hash: 43cab9f90509553f67eaed5b7321e358227cbe4f
MD5 hash: 7419b76a053b660459e1edcf1dfef302
humanhash: floor-comet-mars-nineteen
File name:setup_x86_x64_install.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:6'519'901 bytes
First seen:2021-09-14 05:23:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 196608:yDdrnIPj07CTrDF9OeTGYzR0vdPPioAAj71ZyS:yDdrnCj07CXxs7YzR0lKI19
Threatray 549 similar samples on MalwareBazaar
TLSH T14666333A17DAF193C7C2B635A1809419D3F9D1F1276E2F71B3E14A7798328A9CA1C4E4
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:exe Glupteba Loader

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://stygius.tech/6.jpg https://threatfox.abuse.ch/ioc/221603/
http://stygius.tech/1.jpg https://threatfox.abuse.ch/ioc/221604/
http://stygius.tech/2.jpg https://threatfox.abuse.ch/ioc/221605/
http://stygius.tech/3.jpg https://threatfox.abuse.ch/ioc/221606/
http://stygius.tech/4.jpg https://threatfox.abuse.ch/ioc/221607/
http://stygius.tech/5.jpg https://threatfox.abuse.ch/ioc/221608/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'351
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
No threats detected
Analysis date:
2021-09-14 05:25:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0bfc5860-8d4f-4a7b-85c4-459101106014

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CookieStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187640/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/617509b09a5a1e91c5d1ffad/reports/1e4fd7e5-2dce-4c5b-b0a7-1ac61559228f/overview
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/853a3fa9-0daf-4ffa-a7ed-1bcd5090d295
Result
Threat name:
RedLine Socelars Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850388
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482815 Sample: setup_x86_x64_install.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 105 ip-api.com 208.95.112.1, 49774, 80 TUT-ASUS United States 2->105 107 88.99.66.31 HETZNER-ASDE Germany 2->107 109 6 other IPs or domains 2->109 141 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->141 143 Multi AV Scanner detection for domain / URL 2->143 145 Antivirus detection for URL or domain 2->145 147 20 other signatures 2->147 11 setup_x86_x64_install.exe 10 2->11         started        14 svchost.exe 1 2->14         started        signatures3 process4 file5 87 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->87 dropped 16 setup_installer.exe 19 11->16         started        process6 file7 53 C:\Users\user\AppData\...\setup_install.exe, PE32 16->53 dropped 55 C:\Users\user\...\Tue02f29f3c89f511ab1.exe, PE32 16->55 dropped 57 C:\Users\user\...\Tue02e87f4cbd37d48.exe, PE32 16->57 dropped 59 14 other files (9 malicious) 16->59 dropped 19 setup_install.exe 1 16->19         started        process8 dnsIp9 111 hsiens.xyz 104.21.87.76, 49766, 80 CLOUDFLARENETUS United States 19->111 113 127.0.0.1 unknown unknown 19->113 149 Performs DNS queries to domains with low reputation 19->149 151 Adds a directory exclusion to Windows Defender 19->151 23 cmd.exe 19->23         started        25 cmd.exe 1 19->25         started        27 cmd.exe 1 19->27         started        29 9 other processes 19->29 signatures10 process11 signatures12 32 Tue02d4ad56f882.exe 23->32         started        37 Tue02683a155e.exe 25->37         started        39 Tue02f29f3c89f511ab1.exe 27->39         started        153 Adds a directory exclusion to Windows Defender 29->153 41 Tue02e4526a7b.exe 29->41         started        43 Tue029d9fb624f.exe 14 6 29->43         started        45 Tue021d1ab6df10aacd4.exe 29->45         started        47 4 other processes 29->47 process13 dnsIp14 99 2 other IPs or domains 32->99 77 12 other files (none is malicious) 32->77 dropped 115 Detected unpacking (changes PE section rights) 32->115 117 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->117 119 Machine Learning detection for dropped file 32->119 137 2 other signatures 32->137 89 45.144.225.236, 49756, 49769, 80 DEDIPATH-LLCUS Netherlands 37->89 91 37.0.10.214, 49755, 80 WKD-ASIE Netherlands 37->91 101 4 other IPs or domains 37->101 61 C:\Users\...\KpsOGsJxCRTkR_QAxP2LmVwy.exe, PE32+ 37->61 dropped 63 C:\Users\user\...63iceProcessX64[1].bmp, PE32+ 37->63 dropped 121 Drops PE files to the document folder of the user 37->121 123 May check the online IP address of the machine 37->123 125 Disable Windows Defender real time protection (registry) 37->125 127 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->127 129 Maps a DLL or memory area into another process 39->129 131 Checks if the current machine is a virtual machine (disk enumeration) 39->131 133 Antivirus detection for dropped file 41->133 139 2 other signatures 41->139 93 startupmart.bar 172.67.211.161, 443, 49770, 49775 CLOUDFLARENETUS United States 43->93 65 C:\ProgramData\2282775.exe, PE32 43->65 dropped 67 C:\ProgramData\1806303.exe, PE32 43->67 dropped 69 C:\ProgramData\2759246.exe, PE32 43->69 dropped 71 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 45->71 dropped 95 162.248.225.172 HOSTING-SOLUTIONSUS United States 47->95 97 a.goatgame.co 172.67.146.70, 443, 49772 CLOUDFLARENETUS United States 47->97 73 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 47->73 dropped 75 C:\Users\user\AppData\...\Tue02902c8f8fe8.tmp, PE32 47->75 dropped 135 Creates processes via WMI 47->135 49 Tue02902c8f8fe8.tmp 47->49         started        file15 signatures16 process17 dnsIp18 103 safialinks.com 162.0.213.132, 49768, 80 ACPCA Canada 49->103 79 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 49->79 dropped 81 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 49->81 dropped 83 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 49->83 dropped 85 C:\Users\user\AppData\...\46807GHF____.exe, PE32 49->85 dropped file19
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530/
Threat name:
Win32.Downloader.Zenlod
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 05:24:16 UTC
AV detection:
25 of 44 (56.82%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqkhrujjay7hdcc7s54rgonetrmmokmrztedbfzu6expmcxokuya._file
Verdict:
malicious
Similar samples:
3febf03463e0e65ef9d0fc4e8a38f01dd7c6dfee10258876981539b7a319a620
Glupteba
4f4c2c9bdfef8a8cfbe2c8f84bf12cc86f26f59d54c277dab39f4c5e92948708
Glupteba
56e45f6af87cf8505b1d88360f14bf00bca7be5108db4d4283fab4605fca2482
Glupteba
5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae
Glupteba
6bd2d5f2630ce91d3d93d5a686d0ea381b6efa2b25d0dbd0f509a17f7ed3788d
Glupteba
6e67e541d5801d97cb6fc3ec483b7b9dc302506c0f3a1ef0942ea3f7126e9e87
Glupteba
76c9ba959cb30c682c744ec265b3ae18fa5f92250cdc153139fb83835ca17356
Glupteba
bf0c11eae9de14227141901dffc7bdbd1ecb9b0a2cb1e675f7d36ce5eff0679e
Glupteba
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
Glupteba
+ 539 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:redline family:smokeloader family:socelars family:vidar botnet:139f4t botnet:706 botnet:ani aspackv2 backdoor discovery dropper evasion infostealer loader stealer suricata themida trojan vmprotect
Link:
https://tria.ge/reports/210914-f3rmxsaagr/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Glupteba
Glupteba Payload
MetaSploit
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://dimonbk83.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
45.142.215.47:27643
185.215.113.104:18754
Unpacked files
SH256 hash:
38046382500f1739883d2c53639ffbc5756843da7574fe3e6820724f522958e2
MD5 hash:
33600475b2cc5445df2d3809c3798311
SHA1 hash:
3cb60432de30b82e87b8b607e0180a7843128b5a
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
Parent samples :
aa79b859945459fd6d1363c35e68c9d2674a78f1fdee02b8ddfab9a8fa011b48
e96f083ab18199d6a745b0fb3a8852b863b94a906664570198c8277abe4195c6
a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
5c97c35e6537283493bbfcd8fa178157898e6d266a36eadb9ab23bbcef613efc
SH256 hash:
c034ee0ed45c8278cf10e330a92220f7d33c2d3d10f2721c2acabcca552b6423
MD5 hash:
4df600c45dbfd49fa9e31134e8f47434
SHA1 hash:
f07d4411a7b3722206e9d17e94749819930cedcb
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
76dfed12190f13c429fbd4927ca86aba574101f0c34a7bb078e2f36c3f92c025
MD5 hash:
20db8d663190e8c34f8b42d54a160c2c
SHA1 hash:
eb45301ec9c5283634679482e9b5be7a83187bb5
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
1c140ca4792432915430a87771aaddd4c8358f473781daf8092ce869357f0364
MD5 hash:
8579bbcf11379a259513c5bf78e76b8c
SHA1 hash:
c54fd7fca970c321b8ff7c4b9c7ae4f361503609
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
ac77b0eeef4d09fba26dc24fb67a9158b96c52f083e4ec58e89aa29df5a3675c
MD5 hash:
3d7be553c929902a460dd8e5057dc7be
SHA1 hash:
a043a0f5e90b5fa89d3f7a3d87d29d6cb03e5a32
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
992004f0db18c19df1b9d3011e49a7a2f631219060d48eff505d6c62c056bd10
MD5 hash:
fc89a45c05ce4192fdc58707e881f4af
SHA1 hash:
5e7e5371d29a1ca65a2633137cadafac7fd550a3
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
48537f7d4e0b8ad4541b2310079af3d792c227e8744013f53cfa3dad1d7a8db0
MD5 hash:
9a016bd3213a599809788423fe15a194
SHA1 hash:
3bd888da104af5e33b02d487d2ab4d77cce180f0
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
53e3007f2b6d24bc38fd552011a1ce8939a300e1d86ce0cd9d200b68fb5c25da
MD5 hash:
6da7713d9b3670d53931ba3503b644b0
SHA1 hash:
0bc3c9b724dfba7f1f51b76d948eff328440df2a
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94
MD5 hash:
3367116dc59fc2b806bb5ec8c36bf2b6
SHA1 hash:
f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
Parent samples :
bf9714f60c2b4b43cc0383b3155d9c737271916032051df041fed54d34f7c765
2c3382e9eb5bbbfe86a88f9d8a75557c3f60707af088ce5f1283ee7a33cc3fbf
SH256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
c5a30dfcd0606c9e71af7e2d49383aff0234cfb9bdc8a127a821e11acaa875cf
MD5 hash:
f8cf99cd93964273e2deaae635e6dab9
SHA1 hash:
cf4d1b5dd69fe0f56ce0c0a211bb4dd46c37f4ee
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
1523f3c220ea7cfb3746f0a66c57594743f403546f40b679f23ac1d5e02bcb2a
MD5 hash:
498267949fb7f29b1d9e2e3275113f64
SHA1 hash:
d0456c85372d429eb2c9eef252cc65415bde96db
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
1408fbfcbf003e68b5a362a8fc0b7739d1d6214eda08ab261e06b5bb27ec4897
MD5 hash:
7339150f225d3605c77d1a4c84635e6c
SHA1 hash:
fae00c79c51709b3cdd52c5f7290ae0652df751d
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
b074b0bf38e1d66e6e2e01557dc5f818a58e549d212c94608ae4b352eee51e0b
MD5 hash:
bb5c9e74d1ef73938771d188d88806e4
SHA1 hash:
8e4193178489d1c1853077cb64313329b0206864
Detections:
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
47777ba117dd92f6f424cd6fa93d3732f19bdfe8193b59cd4840a28b462cdaaa
MD5 hash:
65f27541c2e2c04abdf161d3c2c1f6b9
SHA1 hash:
2a9d60a322e0a2c8b3ea609f4cb3fbdae095eeb7
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
SH256 hash:
941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530
MD5 hash:
7419b76a053b660459e1edcf1dfef302
SHA1 hash:
43cab9f90509553f67eaed5b7321e358227cbe4f
Link:
https://www.unpac.me/results/bd9289cf-221b-406e-abff-4cc2329fe5a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187640/

Comments