MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a65e8cca4d7424ebda6db2a1b8dc9ae880aaf05bfa841bf5644e761b9deda75a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiamondFox


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a65e8cca4d7424ebda6db2a1b8dc9ae880aaf05bfa841bf5644e761b9deda75a
SHA3-384 hash: 96219587d56a8f5c09598fc217c1a3c9f30bd3f1671a50aaadcfc7151da8397e2acd29f9efd84a0366c7e290b900db3f
SHA1 hash: 508e4e158c930c7e9245d6f0519dd89c850bef0e
MD5 hash: 99afd1005c22fbb949c0e539016b5baf
humanhash: fix-potato-bakerloo-skylark
File name:99AFD1005C22FBB949C0E539016B5BAF.exe
Download: download sample
Signature DiamondFox
Create hunting rule
File size:2'639'759 bytes
First seen:2021-07-20 04:06:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 49152:EgIrT4JTEPnAdaD5kWb78mcPOvdA3MLpTlVspZUJ2E5yAiflDU:JeqEPn4Y/8nPOFA0prKWcHU
Threatray 190 similar samples on MalwareBazaar
TLSH T1B1C533943591A28AF8908C70BD3E9753FE98C914B874B3EE3F11BCDC6F968014B94DA5
Reporter abuse_ch
Tags:DiamondFox exe


Avatar
abuse_ch
DiamondFox C2:
45.144.29.134:26392

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.144.29.134:26392 https://threatfox.abuse.ch/ioc/161270/

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
99AFD1005C22FBB949C0E539016B5BAF.exe
Verdict:
No threats detected
Analysis date:
2021-07-20 04:09:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/acd87cbf-c518-4af9-bc91-be3f03062091

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172681/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a7a6ee3-be33-454c-b5db-ffb669d25699
Result
Threat name:
Backstage Stealer RedLine SmokeLoader Vi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818642
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 451053 Sample: xAC6nZjT3T.exe Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 112 176.113.115.136 SELECTELRU Russian Federation 2->112 114 91.241.19.12 REDBYTES-ASRU Russian Federation 2->114 116 6 other IPs or domains 2->116 146 Antivirus detection for URL or domain 2->146 148 Antivirus detection for dropped file 2->148 150 Multi AV Scanner detection for dropped file 2->150 152 13 other signatures 2->152 12 xAC6nZjT3T.exe 10 2->12         started        15 svchost.exe 1 2->15         started        signatures3 process4 file5 96 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->96 dropped 17 setup_installer.exe 15 12->17         started        process6 file7 56 C:\Users\user\AppData\...\setup_install.exe, PE32 17->56 dropped 58 C:\Users\user\AppData\Local\...\sonia_7.txt, PE32+ 17->58 dropped 60 C:\Users\user\AppData\Local\...\sonia_6.txt, PE32 17->60 dropped 62 10 other files (none is malicious) 17->62 dropped 20 setup_install.exe 1 17->20         started        process8 dnsIp9 118 8.8.8.8 GOOGLEUS United States 20->118 120 172.67.186.105 CLOUDFLARENETUS United States 20->120 122 127.0.0.1 unknown unknown 20->122 154 Detected unpacking (changes PE section rights) 20->154 24 cmd.exe 20->24         started        26 cmd.exe 1 20->26         started        28 cmd.exe 1 20->28         started        30 5 other processes 20->30 signatures10 process11 process12 32 sonia_6.exe 24->32         started        37 sonia_3.exe 89 26->37         started        39 sonia_2.exe 1 28->39         started        41 sonia_4.exe 14 5 30->41         started        43 sonia_1.exe 2 30->43         started        45 sonia_5.exe 30->45         started        47 sonia_7.exe 30->47         started        dnsIp13 98 136.144.41.201 WORLDSTREAMNL Netherlands 32->98 100 37.0.11.41 WKD-ASIE Netherlands 32->100 102 11 other IPs or domains 32->102 64 C:\Users\...\mxWf8e5gluRtGTpyCSdcbc81.exe, PE32 32->64 dropped 66 C:\Users\...\mjhKsMhj7YDWUOh__kmVdPqc.exe, PE32 32->66 dropped 68 C:\Users\...\ixFwhERb_lJWfBYlkXme2m_Z.exe, PE32 32->68 dropped 74 35 other files (26 malicious) 32->74 dropped 124 Drops PE files to the document folder of the user 32->124 126 Disable Windows Defender real time protection (registry) 32->126 104 2 other IPs or domains 37->104 76 12 other files (none is malicious) 37->76 dropped 128 Detected unpacking (changes PE section rights) 37->128 130 Detected unpacking (overwrites its own PE header) 37->130 132 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->132 144 2 other signatures 37->144 70 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 39->70 dropped 134 DLL reload attack detected 39->134 136 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 39->136 138 Renames NTDLL to bypass HIPS 39->138 140 Checks if the current machine is a virtual machine (disk enumeration) 39->140 106 2 other IPs or domains 41->106 72 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 41->72 dropped 49 LzmwAqmV.exe 41->49         started        142 Creates processes via WMI 43->142 52 sonia_1.exe 43->52         started        108 2 other IPs or domains 45->108 78 4 other files (none is malicious) 45->78 dropped 110 3 other IPs or domains 47->110 80 4 other files (none is malicious) 47->80 dropped file14 signatures15 process16 file17 82 C:\Users\user\AppData\...\Chrome Update.exe, PE32+ 49->82 dropped 84 C:\Users\user\AppData\Local\Temp\zhangd.exe, PE32 49->84 dropped 86 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 49->86 dropped 94 3 other files (none is malicious) 49->94 dropped 88 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 52->88 dropped 90 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 52->90 dropped 92 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 52->92 dropped 54 conhost.exe 52->54         started        process18
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a65e8cca4d7424ebda6db2a1b8dc9ae880aaf05bfa841bf5644e761b9deda75a/
Threat name:
Win32.Trojan.Doina
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 01:07:30 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzpizssnoqsoxwtnwkq3rxe25cakv4c37kcbx5lejz3bxhpnu5na._file
Verdict:
unknown
Similar samples:
0bfeff80f0a3f724a9ed3d36d1ae8f957a2df82e778e31203421dece1af586b9
DiamondFox
20ed0f1b402d630a3e131e9e788c57a74d348bcc358e1c0e6f5fd112ad838ab3
DiamondFox
2263fd1332612187cb951793ae3b34b74bd815da95d82b9d04d1fd6facb8311b
DiamondFox
356e6444780389e9a1432eb575cea622a01bab5d8331f1c3b13046ca8209d06b
DiamondFox
510d3eadc5652908d47db79067009b04cf4e9234720f052e90cc7d18ffad0b20
DiamondFox
5c5a71fd5e122ae176b592ae080a18f61b38653ab9405e1724dfe053ddbf6d1c
DiamondFox
6bb22351b0b468f3b05880df6e8a61f7ed792d90af19163e703a2c649b53cb14
DiamondFox
d09cb69744c809f1e48fda7e9ab5623852a42fc6f2cf79547ecc3329871e84ca
DiamondFox
e10f5bc4cb6610bd2aee334a581f2a9872b16c830bdce2f67ffe3cf57bf0b065
DiamondFox
+ 180 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:vidar botnet:933 botnet:aninew aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/210720-wve47banks/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs .reg file with regedit
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://sslamlssa1.tumblr.com/
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
akedauiver.xyz:80
Unpacked files
SH256 hash:
c7b04fbcec4fb07d04eb36f20866ac6d95709281a96db8ea2b8266ae40361818
MD5 hash:
911a3105c863639fb5310046dd547221
SHA1 hash:
da492d8c31a760318513da006c8f4f8b766ae724
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
2a90c166dfdd8c515ae4138a0c8b30b4011ace0b83c229ce291e3b592edd2802
MD5 hash:
61cf41057c09bd7b801e18ac34bb2862
SHA1 hash:
c9a3ad6be1e2f85a9afc4c918e141b771512224a
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
ef83a2c9f244da974619a0acd227cbe73541970196f8a1b48955d7f434c53568
MD5 hash:
f29a39b4b679a526b5bc9e66ae65be19
SHA1 hash:
a52ee9a8722ec74091c5c2c559703f7c677530d6
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
89a0227ef833a2742f7dd46be36e61b178a8b47846fd3cf557c8b9991b7cfb67
MD5 hash:
55bf2bbdd87ec3ac709c6a247f4a28b4
SHA1 hash:
6df7d9af3a7b2da1c91aff955a4c5aadbe2d13cb
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
Parent samples :
5e440e04f382464db10245c9f730d64d839368ef763bb564deadcacafb24e32b
ab479d019576efd4dd391e0bf3fc1bedb10367e1ece7157d609a283873a43645
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
d0037be72720bb05c0207342411a883b883c8f4a371c6c7e6bacd9cff5615df7
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
e026bc9a0b7ac31a86cdbbd88e2b2be5236ba81b469723007c8b3c1d9461198f
e461562a06f4c2cea8cc91d9fc6fd75f393b79030d6463169f71b0ff2f6b7ded
8f8b341230323b995c1cde1d534031092bfddb56411dac43d155e5366681e1c7
SH256 hash:
c72496b09c4a85bd941cc94c3b49d12e541cbf96cd223910bc0dea3f1b5139fd
MD5 hash:
fe8f0a317ab12ea514c3d7835b939032
SHA1 hash:
eb4667e672eb5d4b037b60b0b44e674378f3d523
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
6096bfd19f701c9985ad0beb5c4e998dc76950cb2a4a80b4a32ddf7a2dbd8c47
MD5 hash:
3245c67c3afac177cc418ab0f4bca8cf
SHA1 hash:
fcfe7e8cd83afd908c1106be34a3bf4cb8cbc86b
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
MD5 hash:
6765fe4e4be8c4daf3763706a58f42d0
SHA1 hash:
cebb504bfc3097a95d40016f01123b275c97d58c
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
MD5 hash:
ec149486075982428b9d394c1a5375fd
SHA1 hash:
63c94ed4abc8aff9001293045bc4d8ce549a47b8
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
Parent samples :
e3135f01a3b76a91bb1082fd5b53259fe2d59eb6ab550fcc6fa6c866412920f8
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
SH256 hash:
a0a30765d8de60813e2afee8d8045c6ef32ebdd81edd20e9b4d16cd7e470d24f
MD5 hash:
1c6c5449a374e1d3acecbf374dfcbb03
SHA1 hash:
3af9b2a06e52c6eaa666b3b28df942097f16b078
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
0a1004d8782b7d724b2bd274873b5acbdac1dfaad623616b372014c3f434b21d
MD5 hash:
0d309557c3547582cc72e3a66816039c
SHA1 hash:
100644e8e1c952e5e060b824f75a1c95595ea6fd
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
SH256 hash:
a65e8cca4d7424ebda6db2a1b8dc9ae880aaf05bfa841bf5644e761b9deda75a
MD5 hash:
99afd1005c22fbb949c0e539016b5baf
SHA1 hash:
508e4e158c930c7e9245d6f0519dd89c850bef0e
Link:
https://www.unpac.me/results/688d194e-6b42-495a-b66d-adf3c2709008/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a65e8cca4d7424ebda6db2a1b8dc9ae880aaf05bfa841bf5644e761b9deda75a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172681/

Comments