MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCLeaner


Vendor detections: 15



SHA256 hash: a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
SHA3-384 hash: b05057a6bf5b9bda527d9f6dcab56ba6671bd27fc3f8b873064c3e0729ca99410927d620303671ea723dc7c50e35264e
SHA1 hash: b470ce0c7eef14185924dcc1128a9c74c5ab1817
MD5 hash: eb3c88615df7d160a4659ffef1e6d1fd
humanhash: timing-maine-white-steak
File name: A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe
Signature: GCLeaner
File size: 3'465'690 bytes
First seen: 2022-08-15 16:05:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:9gcoVeAOjDmCspEDNb3uvYkTX4DKpr41duynFTVBwbZfCPaP45FTcXB1RAKc:yeAOjDtbMR4ruyTBwt6PIkFTQ13c
TLSH: T1EDF53328C2396373F5C1D938861D8070B5542F41426E829E9A54BDDBF43EAEAFE43753
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): (icon image not reproduced in text)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner RedLineStealer


abuse_ch
RedLineStealer C2:
65.21.253.238:47495

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                      ThreatFox Reference
65.21.253.238:47495      https://threatfox.abuse.ch/ioc/843322/
109.107.181.244:41535    https://threatfox.abuse.ch/ioc/843323/

Intelligence


File Origin
# of uploads: 1
# of downloads: 313
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: https://www.google.com/
Verdict: Malicious activity
Analysis date: 2021-08-28 12:17:43 UTC
Tags: trojan loader rat redline evasion stealer vidar opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a window
DNS request
Creating a process with a hidden window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: arkeistealer barys emotet glupteba overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, PrivateLoader, Vidar, Xmrig, onl
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to a pastebin service (likely for C&C)
Disable Windows Defender real time protection (registry)
DNS related to crypt mining pools
Found C&C like URL pattern
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Nymaim
Yara detected onlyLogger
Yara detected PrivateLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 684214; Sample: A412840C44DB8BCA039CE13176D...; Startdate: 15/08/2022; Architecture: WINDOWS; Score: 100), laid out here as a process tree instead of the graph image:
  Sample-level network: s.lletlee.com (May check the online IP address of the machine; Connects to a pastebin service (likely for C&C)); xmr-eu2.nanopool.org (Performs DNS queries to domains with low reputation); 17 other IPs or domains
  Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 16 other signatures
  A412840C44DB8BCA039CE13176D7D6B9BE9B2CBD1EF81.exe (started)
    dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
    setup_installer.exe (started)
      dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Sat08cc4f657fdcfb808.exe (PE32); C:\Users\user\AppData\...\Sat0896a250f5.exe (PE32); 11 other files (5 malicious)
      setup_install.exe (started)
        network: s.lletlee.com; hsiens.xyz
        signatures: Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
        cmd.exe (started) -> Sat0847b92f504.exe (started)
          dropped: C:\Users\user\AppData\Local\Temp\3002.exe (PE32); C:\Users\user\AppData\Local\Temp\2.exe (PE32); C:\Users\user\AppData\Local\...\setup_2.exe (PE32); 4 other files (none is malicious)
          signatures: Multi AV Scanner detection for dropped file
          2.exe (started): network s.lletlee.com, qwertys.info; Multi AV Scanner detection for dropped file
          3002.exe (started)
          Chrome 5.exe (started): dropped C:\Users\user\AppData\...\services64.exe (PE32+); started cmd.exe
          3 other processes: dropped C:\Users\user\AppData\Local\...\setup_2.tmp (PE32)
        cmd.exe (started) -> Sat080cfbcc640c1c7.exe (started)
          dropped: C:\Users\user\...\Sat080cfbcc640c1c7.tmp (PE32)
          signatures: Obfuscated command line found
          Sat080cfbcc640c1c7.tmp (started): network the-flash-man.com, best-link-app.com; dropped C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        cmd.exe (started) -> Sat082b14fb3528.exe (started): network s.lletlee.com, 4 other IPs or domains; Performs DNS queries to domains with low reputation
        9 other processes: Adds a directory exclusion to Windows Defender
          Sat0896a250f5.exe (started): network iplogger.org 148.251.234.83, 443, 49869, 49871 HETZNER-ASDE Germany; 2no.co 148.251.234.93, 443, 49854, 49870 HETZNER-ASDE Germany; 4 other IPs or domains; May check the online IP address of the machine
          Sat0850ddaa28772a884.exe (started): Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); explorer.exe (injected)
          Sat082056aadb8e0a.exe (started)
          2 other processes: network Registry-Web-Suspension-1912215664.us-east-1.elb.amazonaws.com 23.21.244.74, 443, 49746, 49747 AMAZON-AESUS United States; 6 other IPs or domains
  svchost.exe (started) -> Sat08cc4f657fdcfb808.exe (started)
    network: 212.193.30.115, 49885, 49925, 50054 SPD-NETTR Russian Federation; 37.0.10.214, 80 WKD-ASIE Netherlands; 4 other IPs or domains
    dropped: C:\Users\user\AppData\...\Service[1].exe (PE32); C:\Users\...\Yw_DzkC74NMBvgrhQTO_wKmP.exe (PE32); C:\Users\...\YBa6V64ihFVK_bB_Lc0SFqTu.exe (PE32); 7 other files (none is malicious)
    signatures: Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
  svchost.exe (started): System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
  8 other processes: network 127.0.0.1, s.lletlee.com, remotenetwork.xyz; Changes security center settings (notifications, updates, antivirus, firewall); started WerFault.exe (three instances) and 2 other processes
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-08-28 23:58:28 UTC
File Type: PE (Exe)
Extracted files: 135
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:onlylogger family:privateloader family:vidar botnet:706 aspackv2 loader main stealer
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger payload
Vidar Stealer
OnlyLogger
PrivateLoader
Vidar
Malware Config
C2 Extraction:
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.237
http://91.241.19.125/pub.php?pub=one
http://sarfoods.com/index.php
https://eduarroma.tumblr.com/
Unpacked files
SHA256 hash: f40df33696579c8b1e52905f3d11c970dc78440ee5842b9f4af3753d3310aa74
MD5 hash: 38ee89c417d30822717a95accf741d39
SHA1 hash: 1f22dc2b1f3057ac96ec6bae92381a0a9449eaf3

SHA256 hash: a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash: 0c6cae115465a83f05d3ff391fd009ac
SHA1 hash: 066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections: win_vidar_auto

SHA256 hash: 835c9b5e60ebf50a888e851d1c7218d436490613ec04a04055b73fbddf73edf3
MD5 hash: 6961557695f34a53cf8224be7c265fbe
SHA1 hash: f52d34d0b1dbd181f2acb21f42d875d514afb6f7

SHA256 hash: 64ffc8a9ef49470c23de2952972cf796f9a081f902e0b35f7bdc270a9784f06a
MD5 hash: 5f61cabf346884d12876eaefad9da7ba
SHA1 hash: f18ea2dfe4e3e5e3a803c5d08945a1200ed84130
Detections: win_privateloader_a0 win_privateloader_w0

SHA256 hash: a865e7f45f6fa9e783ab52cd1e041b7005cb7470a3e160b72057073c44b6f099
MD5 hash: f28e8d29e54836d1a031df6f49b4cc7b
SHA1 hash: 89e5728f39ad935241ffb48c1b2fa31624d00957

SHA256 hash: fbffb84931a267fab6c24cf08723fa029cb85c2315f01d5b1f41922350adb831
MD5 hash: 052270e8e9cfb3512932e0df484caef4
SHA1 hash: 85305fee690beea8458bab5d55d0368c47340501

SHA256 hash: 94e24d5346efd71b25ce2a585150f90e93ba11c6af1b3db72879a327b9abfad4
MD5 hash: dce6c588cd2350ab47ef5d4d9a18524c
SHA1 hash: 773e68caae9e503e84fc0cab00a78a0a8938a914

SHA256 hash: 7df0b5b088a31bdc67ec27021db2d5989d6fc94b687a8c9ca2e99d37d48bcf7c
MD5 hash: 73b349cee038050c112cb9baade84a05
SHA1 hash: 6efb55d022314386d28dd1d3fa03d475f0ddf3fc

SHA256 hash: b9f3d51b6635374a1590c61c9cdb961a862ffd29e2ca1b4b97295811213046c1
MD5 hash: 25ac95beb9a0959e462d32be14fb48b4
SHA1 hash: 2bae5741c3e3ea74e89b79f08bfdffda498385be

SHA256 hash: c2b229f448cd6494e633aca2253b1f8b082f85b4e6d43b0ba805678da8d4e74c
MD5 hash: 104eb42937b9ba64fcb07f8e6a161163
SHA1 hash: 1c361e0f7516559504d0c2f0cf9b31e039cfe53b

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 395e1909895c9b1dc0fec0a5998ace1d3026bd3b825bf4e597e46fb125479e8e
MD5 hash: 32d5b7c3df40caac17bdd45bef05a012
SHA1 hash: e76a5db390526fcf56cff5fddea724d854bbc64c
Detections: win_privateloader_a0 win_privateloader_auto win_privateloader_w0

SHA256 hash: 8a11baef6b5934f4faa7769373774ff0d155c7aa48ad403dae654232cdff23a9
MD5 hash: e3869b984892d7ce54bb3378cddbbe59
SHA1 hash: e3b440706885e0e410fb5c051f1d889797f2849d

SHA256 hash: 5b8913ba5fc4c70c0bd484b16d7236e8ccb507971db095c721124c3df6f10ca1
MD5 hash: d4c7fb92322bd8c69ba36664e276bbd5
SHA1 hash: ac7d2ea0e9f9c5f8af5cfdd46c704a6f98496a97

SHA256 hash: 357f97b67fa4a8debd6679787457423fc866015cd78f7f4bddeb114c98f69fb2
MD5 hash: 30450992d88c0fe4608d7292d329be8c
SHA1 hash: 598ca3a37951018c2a70bd3688d78923a4fb593a

SHA256 hash: a412840c44db8bca039ce13176d7d6b9be9b2cbd1ef81eb85cd2f0c9180f6511
MD5 hash: eb3c88615df7d160a4659ffef1e6d1fd
SHA1 hash: b470ce0c7eef14185924dcc1128a9c74c5ab1817
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: RedOctoberPluginCollectInfo

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.vidar.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments