MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 16



SHA256 hash: a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
SHA3-384 hash: 6d3dba10b68bcb76beb2aa3e3a282a9fa87daa0987f4159f6a0db6bcb261a9ddd4e91b67f01158870553cd798748d0ec
SHA1 hash: 49e01952ea790c9ded556fb023a9f8a62a4b30c2
MD5 hash: 90decbf1c4cd7b40b83a9099face9926
humanhash: stairway-red-stream-mars
File name: A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe
Signature: RedLineStealer
File size: 4'046'971 bytes
First seen: 2023-01-30 23:30:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xVCvLUBsgDICCGVw6gdliKs60kIM0suLSH:xmLUCgNylBsHkz0+
TLSH: T16D16332172E7C0F1D3962036CF196BB36DF4835C8F390D576B5CC90E3E6C9A6A22A645
TrID:
  33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
  13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://62.204.41.92/n9dks3s/index.php

Intelligence


File Origin
# of uploads:
1
# of downloads:
219
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
socelars
ID:
1
File name:
A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe
Verdict:
Malicious activity
Analysis date:
2023-01-30 23:31:53 UTC
Tags:
evasion opendir trojan socelars stealer loader smoke rat redline

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Creating a file
Sending an HTTP GET request
Reading critical registry keys
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Nymaim, PrivateLoader, RedLine,
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Found C&C like URL pattern
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara Genericmalware
Behaviour
Behavior Graph (flattened from the graph rendering):
Behavior Graph ID: 794803
Sample: A3F0B643265E9895B3291658516...
Startdate: 31/01/2023
Architecture: WINDOWS
Score: 100

Root (sample execution)
  Network: s.lletlee.com; iueg.aappatey.com; 32 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 23 other signatures
  iueg.aappatey.com: Tries to resolve many domain names, but no domain seems valid
  Started: A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe; services64.exe; svchost.exe; svchost.exe

A3F0B643265E9895B3291658516CE2B34EB06D585BD8E.exe
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 11 other files (10 malicious)
  Started: setup_install.exe

services64.exe (started from root)
  Signatures: Multi AV Scanner detection for dropped file

svchost.exe (started from root)
  Started: WerFault.exe; WerFault.exe; WerFault.exe; 5 other processes

setup_install.exe
  Network: 127.0.0.1 (unknown); s.lletlee.com; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
  Started: cmd.exe; cmd.exe; cmd.exe; 8 other processes

cmd.exe (three instances, from setup_install.exe)
  Started: Sat206392947d84b17c4.exe (first cmd.exe); Sat208156b88b27e.exe (second cmd.exe); Sat2024d3820ee4.exe (third cmd.exe)

8 other processes (from setup_install.exe)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: Sat20683ca4bfc.exe; Sat20e00186478169.exe; Sat2013f25740dc61c92.exe; 3 other processes

Sat206392947d84b17c4.exe
  Dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\...\jzhang-game.exe (PE32); C:\Users\user\AppData\Local\Temp\jhuuee.exe (PE32+); 4 other malicious files
  Signatures: Multi AV Scanner detection for dropped file
  Started: chrome3.exe; jzhang-game.exe; Pubdate.exe; 4 other processes

Sat208156b88b27e.exe
  Network: 212.193.30.115 (ports 49701, 49706, 80; SPD-NETTR, Russian Federation); 18 other IPs or domains
  Dropped: C:\Users\...\vpAt7xQFg8XlAQvgySgqkQPR.exe (PE32); C:\Users\...\q3UFJH8pSAnHs4O1qnLpUsKg.exe (PE32); C:\Users\...\prDkHcMejXEr0XPo0iTgdtwH.exe (PE32); 13 other malicious files
  Signatures: May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)

Sat2024d3820ee4.exe
  Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
  Injected: explorer.exe

Sat20683ca4bfc.exe
  Network: remotepc3.xyz; 5 other IPs or domains
  Signatures: Performs DNS queries to domains with low reputation

Sat20e00186478169.exe
  Dropped: C:\Users\user\...\Sat20e00186478169.tmp (PE32)
  Signatures: Obfuscated command line found
  Started: Sat20e00186478169.tmp

Sat2013f25740dc61c92.exe
  Network: eduarroma.tumblr.com (74.114.154.22, ports 443, 49697; AUTOMATTICUS, Canada)
  Signatures: Detected unpacking (overwrites its own PE header)
  Started: WerFault.exe; WerFault.exe; 2 other processes

3 other processes (from the 8 other processes above)
  Network: a.goatgame.co; 3 other IPs or domains
  a.goatgame.co: Tries to resolve many domain names, but no domain seems valid

chrome3.exe
  Dropped: C:\Users\user\AppData\...\services64.exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file
  Started: services64.exe; cmd.exe

jzhang-game.exe
  Network: a.goatgame.co; 2 other IPs or domains
  Signatures: Performs DNS queries to domains with low reputation
  Started: conhost.exe

Pubdate.exe
  Network: 193.56.146.78 (LVLT-10753US, unknown)
  Started: conhost.exe

explorer.exe (injected)
  Dropped: C:\Users\user\AppData\Roaming\fifcjdf (PE32)
  Signatures: Benign windows process drops PE files

Sat20e00186478169.tmp
  Network: 2 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)

4 other processes (from Sat206392947d84b17c4.exe)
  Network: s.lletlee.com; 194.145.227.161 (port 80; CLOUDPITDE, Ukraine); 9 other IPs or domains
  s.lletlee.com: Tries to resolve many domain names, but no domain seems valid
  Started: WerFault.exe; WerFault.exe

services64.exe (from chrome3.exe)
  Network: github.com (140.82.121.3, ports 443, 49699; GITHUBUS, United States); raw.githubusercontent.com (185.199.110.133, ports 443, 49703; FASTLYUS, Netherlands); sanctam.net
  Dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+); C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
  Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
  Started: cmd.exe

cmd.exe (from chrome3.exe)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: conhost.exe; schtasks.exe

cmd.exe (from services64.exe)
  Started: conhost.exe
Threat name:
Win32.Trojan.Redlinestealer
Status:
Malicious
First seen:
2021-10-27 12:51:03 UTC
File Type:
PE (Exe)
Extracted files:
109
AV detection:
28 of 39 (71.79%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:fabookie family:gcleaner family:nullmixer family:onlylogger family:privateloader family:smokeloader family:vidar family:xmrig botnet:706 aspackv2 backdoor dropper evasion loader main miner spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Executes dropped EXE
UPX packed file
OnlyLogger payload
Vidar Stealer
XMRig Miner payload
Detect Fabookie payload
Detects Smokeloader packer
Fabookie
GCleaner
Modifies Windows Defender Real-time Protection settings
NullMixer
OnlyLogger
PrivateLoader
SmokeLoader
Vidar
xmrig
Malware Config
C2 Extraction:
http://hsiens.xyz/
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.237
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
https://eduarroma.tumblr.com/
194.145.227.161
Unpacked files
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
aafc69d03ed7357afe5ace72217e769a49791b0d275fe5e432180903cce805be
MD5 hash:
5491cf213d898b6e6b0addbd4dc4f073
SHA1 hash:
138528e384217d5cecf44cb12fc29a8d77bbfbd6
SHA256 hash:
a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash:
0c6cae115465a83f05d3ff391fd009ac
SHA1 hash:
066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections:
win_vidar_auto
SHA256 hash:
835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash:
6961557695f34a53cf8224be7c265fbe
SHA1 hash:
f52d34d0b1dbd181f2acb21f42d875d514afb6f7
SHA256 hash:
64ffc8a9ef49470c23de2952972cf796f9a081f902e0b35f7bdc270a9784f06a
MD5 hash:
5f61cabf346884d12876eaefad9da7ba
SHA1 hash:
f18ea2dfe4e3e5e3a803c5d08945a1200ed84130
Detections:
PrivateLoader win_privateloader_w0 win_privateloader_auto win_privateloader_a0
SHA256 hash:
73da66c2fde854dbf12d00038c01ad53a3fdd05eb82bcc3fecb156a9153d86cd
MD5 hash:
d02349be4e8b4c3984cead7e44ab899d
SHA1 hash:
e4373520d7177908c63ad21c5889111957724ebc
SHA256 hash:
fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash:
052270e8e9cfb3512932e0df484caef4
SHA1 hash:
85305fee690beea8458bab5d55d0368c47340501
SHA256 hash:
24da4be8c1d9ca77f30cfea2e4fa4113d2be3497a1efba8c2465605dccf20166
MD5 hash:
698f103458a664e57eae14b914673934
SHA1 hash:
71f6f414b92fc5daf178e5b0d49a24fd4890439b
SHA256 hash:
eb97bd9ab0539b21f0be447002d004efeec3133811022f73516cb7627f3b5fc1
MD5 hash:
ab73cc413405209fcf52577c34c2c8a3
SHA1 hash:
6bb120fa23e1198528f251efe74bdd27f67c47d2
SHA256 hash:
603c61184bc21390d64d8fe234f3b5928bb38384bd382aa0466980909b7ed60b
MD5 hash:
427aa284f4b287435f555b948ea061ce
SHA1 hash:
3d087b25e1fedf107abb78c337b965a9bdea8c1d
SHA256 hash:
2acb8755c41be6a14f877ccad3d370301f6fd59f1d702dca04d14d1b11c601ef
MD5 hash:
f0104f8fad0be146e9eee798d4f448a3
SHA1 hash:
8f143bf766c20e2d790106f0132299d22c0603c7
SHA256 hash:
669bea78836e225738cb3159a7018976194ff482335ba2a37a6256ffd6037024
MD5 hash:
dbc1e09a3ffe0b66d4dcb05fd696c175
SHA1 hash:
5e535e931526c4b9e8f9f1faca7964d29107a08a
Detections:
PrivateLoader win_privateloader_w0 win_privateloader_auto win_privateloader_a0
SHA256 hash:
6d1a16a1aa27314f9cb103bd99e4b61c92f02bbac63f822f91f6c4dc4e8ae11c
MD5 hash:
5dbfd367dc61435fc8eaaa8a04290f42
SHA1 hash:
cf67f02a2ed531817a34257ec03d344dfd902903
SHA256 hash:
0dd1564223eab45f3e492ba93c0c2aa812513130ce160551c0af6cfb14be4b05
MD5 hash:
8d6c79f89f0bf32d86c0b2f60ac3a3bb
SHA1 hash:
f59ab7bc103470d787660f641fbb161b9ec23a3b
SHA256 hash:
a3f0b643265e9895b3291658516ce2b34eb06d585bd8ea77fd61fda26917e0d9
MD5 hash:
90decbf1c4cd7b40b83a9099face9926
SHA1 hash:
49e01952ea790c9ded556fb023a9f8a62a4b30c2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: RedOctoberPluginCollectInfo
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
Rule name: Windows_Trojan_Vidar_114258d5
Author: Elastic Security
Rule name: Windows_Trojan_Vidar_9007feb2
Author: Elastic Security
Rule name: win_gcleaner_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.gcleaner.
Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.vidar.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments