MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34
SHA3-384 hash: 566acd5123f01b841cf093dabf1827e45db874e9ffd7be77a270475662ec8c35a09a457f6317a0fadc8aeeecc3d0c561
SHA1 hash: 040faaee02ae239c50855853d75e9a2373c4e20e
MD5 hash: 510d8c1ed805b3ab6c99a1db64cfd508
humanhash: freddie-hamper-london-carolina
File name:MicrosoftFitcher.exe
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:4'659'200 bytes
First seen:2026-01-28 00:35:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5175da4b99d292f751a152b8e78310d6 (1 x SVCStealer, 1 x AsyncRAT, 1 x TinyNuke)
ssdeep 98304:kryrziVtLSFZRSmaQdNJRTamMQRfoVSe:iyn2RSnRSmaQdJTamMQRfo0
Threatray 48 similar samples on MalwareBazaar
TLSH T1A426E117B3C790BDE06A873A8962D135D6F7BD115221AE5B47E04C9BBF361A01E3E702
TrID 38.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
29.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:AsyncRAT exe RAT


Avatar
abuse_ch
AsyncRAT C2:
http://45.93.20.55/49dcd5e318c542c5.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.93.20.55/49dcd5e318c542c5.php https://threatfox.abuse.ch/ioc/1738107/

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
KINS Stealc Svit
Details
KINS
possibly: configuration data including urls and a missionid, cryptocurrency addresses, and extracted components
Stealc
decrypted strings, an RC4 key, c2 url, url paths, and possibly a missionid and a separate network RC4 key
Svit
an xor decoded default c2 address and dead-drop resolver urls
Link:
https://research.acce.ciphertechsolutions.com/results/6f43a805-28ba-4608-8968-ffd6cf20c394/
Malware family:
tinynuke
Create hunting rule
ID:
1
File name:
MicrosoftFitcher.exe
Verdict:
Malicious activity
Analysis date:
2026-01-28 00:14:39 UTC
Tags:
stealer stealc telegram tinynuke auto-reg auto-sch svitstealer loader upx
Link:
https://app.any.run/tasks/f5b4389e-687c-44f8-b85a-74f66c893be6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stealc
Create hunting rule
Link:
https://www.capesandbox.com/analysis/50454/
Detection(s):
Win.Malware.Marte-10045369-0
Create hunting rule

Win.Downloader.Marte-10058294-0
Create hunting rule

Win.Malware.Generickdz-10058619-0
Create hunting rule

ditekSHen.INDICATOR.Packed.TriumphLoader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697954eebec9764f452f6b83
Tags:
autorun dropper remo sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Creating a window
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request to an infection source
Behavior that indicates a threat
Sending an HTTP GET request
Reading critical registry keys
Moving a recently created file
Modifying a system executable file
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Changing settings of the browser security zones
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm crypt fingerprint krypt microsoft_visual_cc packed soft-404 stealc stealer tinynuke unsafe windows xpack
Link:
https://www.filescan.io/uploads/697959d44156786ccbdb8831/reports/f68a59d2-0827-44e9-918f-927897e8f027/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-26T21:33:00Z UTC
Last seen:
2026-01-28T05:29:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.Stealer.TCP.C&C PDM:Trojan.Win32.Tasker.cust Backdoor.MSIL.Crysan.mmv VHO:Trojan-Downloader.Win32.Bazloader.gen Trojan.Win32.Gatak.sb Backdoor.MSIL.Crysan.b Trojan-PSW.Win32.Lumma.aanj Trojan-Dropper.Win32.Dapato.sb Trojan-Dropper.Win32.Injector.sb Trojan-Banker.TinyNuke.HTTP.C&C Backdoor.MSIL.Crysan.d Trojan-PSW.MSIL.Reline.aarh Trojan-PSW.Win32.Stealer.sb Trojan.Win32.AntiAV.sb Trojan.Win64.Agent.sb Trojan-Downloader.Bazloader.HTTP.C&C PDM:Exploit.Win32.Generic Trojan-Spy.Stealer.HTTP.C&C Backdoor.MSIL.Agent.sb Trojan-PSW.Win64.StealC.sb Trojan-PSW.Win32.StealC.v2 VHO:Backdoor.Win32.Agent.gen VHO:Backdoor.Win32.Zegost.gen PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Generic HEUR:Trojan-Banker.Win32.TinyNuke.gen VHO:Trojan-PSW.Win32.Convagent.gen Trojan.Win32.Agent.xccfjq HEUR:Exploit.Win32.UAC.gen Trojan-PSW.MSIL.Reline.sb VHO:Trojan.Win32.Agentb.gen Trojan.Win32.Mansabo.sb Backdoor.MSIL.Crysan.c VHO:Trojan-PSW.Win32.Lumma.gen Trojan-PSW.Win32.Vidar.gto Trojan.MSIL.Crypt.sb HEUR:Backdoor.MSIL.Crysan.gen Backdoor.MSIL.Crysan.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan-Spy.Stealer.TCP.ServerRequest Trojan.Win32.Zonidel.sb Trojan-Downloader.Win32.Bazloader.kf Trojan-PSW.Vidar.HTTP.C&C Backdoor.Win32.Androm Trojan.Win32.RokRat.sb Backdoor.MSIL.Crysan.fb Trojan-PSW.Win32.Coins.sb Trojan-PSW.MSIL.Stealer.sb Trojan.Win32.Shellcode.sb Trojan-Banker.Win32.TinyNuke.sb HEUR:HackTool.Win64.Inject.gen HEUR:Backdoor.Win32.Agent.gen HEUR:Backdoor.MSIL.SheetRat.gen Trojan-PSW.Lumma.HTTP.C&C Trojan-Spy.Win32.SpyEyes Trojan-Banker.Win32.ClipBanker.sb Backdoor.Win32.DarkVNC.sb VHO:Backdoor.MSIL.Crysan.gen BSS:Trojan.Win32.Generic VHO:Trojan-PSW.Win32.Vidar.gen HEUR:Trojan.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34/results?tab=lookup
Malware family:
SalatStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44a0da22-6640-4a2d-a8eb-50ad6e49b8f3
Result
Threat name:
Tinynuke / Nukebot, Clipboard Hijacker,
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1858690
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Tinynuke / Nukebot malware
Drops PE files to the user root directory
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Leaks process information
Malicious sample detected (through community Yara rule)
Modifies Internet Explorer zone settings
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected RedLine Stealer
Yara detected Stealc v2
Yara detected TinyNuke
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1858690 Sample: MicrosoftFitcher.exe Startdate: 28/01/2026 Architecture: WINDOWS Score: 100 186 t.me 2->186 188 mosslotus2020.shop 2->188 210 Suricata IDS alerts for network traffic 2->210 212 Found malware configuration 2->212 214 Malicious sample detected (through community Yara rule) 2->214 216 16 other signatures 2->216 15 MicrosoftFitcher.exe 8 2->15         started        18 53255374470869161091.exe 2->18         started        21 4CEE0C3F403281E7.exe 2->21         started        23 2 other processes 2->23 signatures3 process4 file5 150 C:\Users\user\AppData\Roaming\xvpbhsn.exe, PE32+ 15->150 dropped 152 C:\Users\user\AppData\Roaming\syncappk.exe, PE32 15->152 dropped 154 C:\Users\user\AppData\Roaming\socxtnre.exe, PE32 15->154 dropped 156 4 other malicious files 15->156 dropped 25 socxtnre.exe 4 15->25         started        29 syncappk.exe 4 15->29         started        31 ponbyxs.exe 15->31         started        35 4 other processes 15->35 200 Detected Tinynuke / Nukebot malware 18->200 202 Tries to harvest and steal browser information (history, passwords, etc) 18->202 204 Writes to foreign memory regions 18->204 208 2 other signatures 18->208 33 dllhost.exe 18->33         started        206 Multi AV Scanner detection for dropped file 21->206 signatures6 process7 dnsIp8 122 C:\Users\user\...\4CEE0C3F403281E7.exe, PE32 25->122 dropped 240 Multi AV Scanner detection for dropped file 25->240 242 Writes to foreign memory regions 25->242 244 Allocates memory in foreign processes 25->244 246 Injects a PE file into a foreign processes 25->246 38 svchost.exe 25->38         started        43 schtasks.exe 25->43         started        45 schtasks.exe 25->45         started        124 C:\Users\user\...\53255374470869161091.exe, PE32 29->124 dropped 248 Found evasive API chain (may stop execution after checking mutex) 29->248 250 Contains functionality to inject threads in other processes 29->250 252 Uses schtasks.exe or at.exe to add and modify task schedules 29->252 47 53255374470869161091.exe 29->47         started        49 schtasks.exe 29->49         started        51 schtasks.exe 29->51         started        126 C:\Users\user\AppData\Local\...\ponbyxs.tmp, PE32 31->126 dropped 53 ponbyxs.tmp 31->53         started        190 45.93.20.55, 49688, 49690, 49693 COGENT-174US Netherlands 35->190 192 t.me 149.154.167.99, 443, 49687 TELEGRAMRU United Kingdom 35->192 194 mosslotus2020.shop 104.21.30.123, 49689, 80 CLOUDFLARENETUS United States 35->194 128 C:\Users\user\AppData\...\zlc0I8jLHAGG.exe, PE32 35->128 dropped 130 C:\Users\user\AppData\Local\...\Bot[1].exe, PE32 35->130 dropped 132 C:\Users\user\AppData\Local\...\zx[1].exe, PE32+ 35->132 dropped 134 2 other malicious files 35->134 dropped 254 Early bird code injection technique detected 35->254 256 Found many strings related to Crypto-Wallets (likely being stolen) 35->256 258 Creates autostart registry keys with suspicious names 35->258 260 7 other signatures 35->260 55 explorer.exe 46 8 35->55 injected 57 2 other processes 35->57 file9 signatures10 process11 dnsIp12 196 45.93.20.151, 49691, 49692, 49695 COGENT-174US Netherlands 38->196 114 C:\Users\user\AppData\Local\...\vqlgbwrm.exe, PE32+ 38->114 dropped 116 C:\Users\user\AppData\Local\...\eimquycg.exe, PE32 38->116 dropped 118 C:\Users\user\AppData\Local\...\cegikmoq.exe, PE32 38->118 dropped 224 System process connects to network (likely due to code injection or exploit) 38->224 226 Unusual module load detection (module proxying) 38->226 59 eimquycg.exe 38->59         started        77 2 other processes 38->77 63 conhost.exe 43->63         started        65 conhost.exe 45->65         started        228 Multi AV Scanner detection for dropped file 47->228 230 Detected Tinynuke / Nukebot malware 47->230 232 Found evasive API chain (may stop execution after checking mutex) 47->232 238 5 other signatures 47->238 67 dllhost.exe 47->67         started        69 conhost.exe 49->69         started        71 conhost.exe 51->71         started        120 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 53->120 dropped 73 ponbyxs.exe 53->73         started        234 Switches to a custom stack to bypass stack traces 55->234 236 Contains functionality to compare user and computer (likely to detect sandboxes) 55->236 75 ebecabcdbbbdc.exe 55->75         started        file13 signatures14 process15 file16 136 C:\Users\user\AppData\Local\...\eimquycg.tmp, PE32 59->136 dropped 270 Multi AV Scanner detection for dropped file 59->270 79 eimquycg.tmp 59->79         started        138 C:\Users\user\AppData\...AF0.tmp.zx.exe, PE32+ 67->138 dropped 140 C:\Users\user\...\8EBF.tmp.syncloh.exe, PE32+ 67->140 dropped 142 755B.tmp.Public-key_73.18.9_INSTALL.exe, PE32 67->142 dropped 148 3 other malicious files 67->148 dropped 272 Detected Tinynuke / Nukebot malware 67->272 274 Creates multiple autostart registry keys 67->274 276 Injects code into the Windows Explorer (explorer.exe) 67->276 278 6 other signatures 67->278 144 C:\Users\user\AppData\Local\...\ponbyxs.tmp, PE32 73->144 dropped 82 ponbyxs.tmp 73->82         started        146 C:\Users\user\AppData\Local\...\cegikmoq.tmp, PE32 77->146 dropped 84 cegikmoq.tmp 77->84         started        signatures17 process18 file19 158 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 79->158 dropped 86 eimquycg.exe 79->86         started        160 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 82->160 dropped 162 C:\ProgramData\...\vcruntime140.dll (copy), PE32 82->162 dropped 164 C:\ProgramData\...\sciter-x.dll (copy), PE32 82->164 dropped 168 8 other malicious files 82->168 dropped 89 eServiceHost.exe 82->89         started        166 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 84->166 dropped 93 cegikmoq.exe 84->93         started        process20 dnsIp21 110 C:\Users\user\AppData\Local\...\eimquycg.tmp, PE32 86->110 dropped 95 eimquycg.tmp 86->95         started        198 196.251.107.104 ANGANI-ASKE Seychelles 89->198 262 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 89->262 264 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 89->264 266 Tries to harvest and steal browser information (history, passwords, etc) 89->266 268 3 other signatures 89->268 112 C:\Users\user\AppData\Local\...\cegikmoq.tmp, PE32 93->112 dropped 98 cegikmoq.tmp 93->98         started        file22 signatures23 process24 file25 170 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 95->170 dropped 172 C:\ProgramData\...\vcruntime140_1.dll (copy), PE32+ 95->172 dropped 174 C:\ProgramData\...\vcruntime140.dll (copy), PE32+ 95->174 dropped 182 10 other malicious files 95->182 dropped 100 FnHotkeyUtility.exe 95->100         started        176 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 98->176 dropped 178 C:\ProgramData\...\is-B7P4V.tmp, PE32 98->178 dropped 180 C:\ProgramData\...\is-8ANDT.tmp, PE32 98->180 dropped 184 2 other malicious files 98->184 dropped process26 file27 108 C:\Users\user\taskhost.exe, PE32+ 100->108 dropped 218 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 100->218 220 Drops PE files to the user root directory 100->220 222 Found direct / indirect Syscall (likely to bypass EDR) 100->222 104 cmd.exe 100->104         started        signatures28 process29 process30 106 conhost.exe 104->106         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34/
Verdict:
Malicious
Threat:
Family.STEALC
Link:
https://tip.neiki.dev/file/a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34
Threat name:
Win64.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2026-01-27 04:40:50 UTC
File Type:
PE+ (Exe)
Extracted files:
7
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uehcurj6v5qx77ws5rnf6mzerjll7akcnickdgp2i2aihk27ly2a._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
tinynuke
Create hunting rule
Similar samples:
191ee35d59e9a5931693a774419205bd3055408f449328a4d129ea2a4e61c19c
AsyncRAT
306b63008a41038707b4df139833adb8b23830b7ce7dd438c5113ebf36aa88b1
AsyncRAT
3e40d42332c8d1600b75d65e22f4af7b05cb1ee53633fd9b0c112737de22cb2d
AsyncRAT
769aac8954481363c5783e562bf8862698ade1f73be6d5e4c1add5887af1fd41
AsyncRAT
a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34
AsyncRAT
ca2b33469af1ab82a940fcb4b6e04565b8e93604844cb4712264a5a92a029a23
AsyncRAT
e90cf0479813630ed30a9946fe9808e40139c1065f60bcdfe7d3e1b6385fbe7b
AsyncRAT
error
AsyncRAT
+ 38 additional samples on MalwareBazaar
Result
Malware family:
svcstealer
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:redline family:stealc family:svcstealer botnet:default botnet:loaded botnet:mrgbooxgp55qkw== adware discovery downloader execution infostealer installer persistence pyinstaller rat spyware stealer upx
Link:
https://tria.ge/reports/260128-axq7bafx9b/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Async RAT payload
AsyncRat
Asyncrat family
Detects SvcStealer Payload
RedLine
RedLine payload
Redline family
SvcStealer, Diamotrix
Svcstealer family
Malware Config
C2 Extraction:
http://45.93.20.55/xuiobvu/data.php
http://62.60.226.159/zbuyowgn/data.php
http://196.251.107.23/diamo/data.php
http://178.16.53.7/diamo/data.php
http://158.94.208.102/diamo/data.php
http://196.251.107.61/diamo/data.php
196.251.107.104:1912
196.251.107.104:6606
196.251.107.104:7707
196.251.107.104:8808
45.93.20.151:6606
45.93.20.151:7707
45.93.20.151:8808
Gathering data
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a10e2a453eaf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a10e2a453eaf617ffed2ec5a5f33248a56bf81426a04a199fa468083ab5f5e34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:Heuristics_ChromeABE
Create hunting rule
Author:Still
Description:attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MAL_packer_lb_was_detected
Create hunting rule
Author:0x0d4y
Description:Detect the packer used by Lockbit4.0
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:StealcV2
Create hunting rule
Author:kevoreilly
Description:Stealc V2 Payload
Rule name:StealcV2
Create hunting rule
Author:Still
Description:attempts to match the instructions found in StealcV2
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Stealc_41db1d4d
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.stealc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/50454/

Comments