MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 13



SHA256 hash: 995d009e2fa6b510a0251895e0e71d0709ebfdeac782eae91caa3b4ee30bd29b
SHA3-384 hash: 58f9bc0611fc515e4f4fcb0b79c179e4ea4e6008e460ed536f49ba2e8fe54aeefee8c1cbbf95f9ad1c3f05bcc22d33c4
SHA1 hash: f37937e9afd6c78be38c58ebf84a03f66091c03c
MD5 hash: a9d63ba83576c19bb1dbad9e85b51ecc
humanhash: lamp-beryllium-princess-illinois
File name: a9d63ba83576c19bb1dbad9e85b51ecc.exe
Signature: RedLineStealer
File size: 6'160'211 bytes
First seen: 2021-10-18 02:50:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JaZL5WwT7cp5HNGSNhOpW8XIw0J+OfIxJ67PYpVd9kxzamMHf42P8baI2BWcjOzF:JaZoYc5geAAILMYpBiam9e8OIiFOz8q
Threatray 634 similar samples on MalwareBazaar
TLSH T1C5563311917CC7F6ECA00B7664B543BA25F30C9DE97B9ADC5D702A821E13D9E2706D83
File icon (PE): PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags: DiamondFox exe RedLineStealer


abuse_ch
DiamondFox C2:
http://185.163.204.33/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://185.163.204.33/ | https://threatfox.abuse.ch/ioc/234895/
http://rlrz.org/lancer/get.php | https://threatfox.abuse.ch/ioc/234909/

Intelligence


File Origin
# of uploads: 1
# of downloads: 256
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine SmokeLoader Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph image not reproduced; Behavior Graph ID: 504347, Sample: qKjYSnEQoZ.exe, Startdate: 18/10/2021, Architecture: WINDOWS, Score: 100)
Threat name:
Win32.Trojan.Fabookie
Status:
Malicious
First seen:
2021-10-16 16:37:28 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:916 botnet:ani botnet:she aspackv2 backdoor evasion infostealer stealer suricata trojan
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Vidar Stealer
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
Malware Config
C2 Extraction:
Unpacked files
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments