MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 11


Intelligence 11 IOCs 5 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13
SHA3-384 hash: 2212a496a6a29e08c59a2aca1887e44c550067dc5e5d30288874224edf112de6f580df16933e4e71130a0bf8e8be8614
SHA1 hash: 4d326ec3a4fe90f0ecc9c4558e76b501a087c91c
MD5 hash: e12b3d810276e5300981cdbbe7cda010
humanhash: hamper-table-north-timing
File name:E12B3D810276E5300981CDBBE7CDA010.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:3'408'566 bytes
First seen:2021-06-10 00:50:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 98304:x0CvLUBsgqdrjejcUAZPoxnSoKVduJiHuhWI8Z1TLCD:xpLUCg6rjejjaoWOUuoZ1TLk
Threatray 796 similar samples on MalwareBazaar
TLSH E3F53382B6A694FAE5C1003077887BB275E6E3DC0B28586737718E1D9F7E414972F29C
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://olmqmc32.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://olmqmc32.top/index.php https://threatfox.abuse.ch/ioc/80694/
http://morovz03.top/index.php https://threatfox.abuse.ch/ioc/80695/
31.31.199.24:80 https://threatfox.abuse.ch/ioc/85494/
46.243.186.8:52067 https://threatfox.abuse.ch/ioc/85580/
91.142.78.27:228 https://threatfox.abuse.ch/ioc/85806/

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E12B3D810276E5300981CDBBE7CDA010.exe
Verdict:
Malicious activity
Analysis date:
2021-06-10 03:09:16 UTC
Tags:
trojan opendir evasion loader stealer vidar netsupport unwanted danabot rat redline
Link:
https://app.any.run/tasks/74908a7d-83f1-47f7-b760-c695fa2942d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165726/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Barys-9859550-0
Create hunting rule

Win.Trojan.Jaik-9862229-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Malware.Jaik-9865266-0
Create hunting rule

Win.Malware.Jaik-9866226-0
Create hunting rule

Win.Malware.SmokeLoader-9865604-1
Create hunting rule

Win.Malware.Jaik-9867606-0
Create hunting rule

Win.Malware.Jaik-9867607-0
Create hunting rule

Win.Malware.SmokeLoader-9867452-1
Create hunting rule

Win.Malware.Jaik-9869645-0
Create hunting rule

Win.Malware.Jaik-9869675-0
Create hunting rule

Win.Malware.Jaik-9869678-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Deleting a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/799909
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL reload attack detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432305 Sample: y3I4XEdM4V.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 227 Multi AV Scanner detection for domain / URL 2->227 229 Antivirus detection for URL or domain 2->229 231 Antivirus detection for dropped file 2->231 233 12 other signatures 2->233 11 y3I4XEdM4V.exe 15 2->11         started        14 haleng.exe 2->14         started        process3 file4 93 C:\Users\user\AppData\...\setup_install.exe, PE32 11->93 dropped 95 C:\Users\user\AppData\Local\...\metina_6.exe, PE32 11->95 dropped 97 C:\Users\user\AppData\Local\...\metina_2.exe, PE32 11->97 dropped 101 10 other files (1 malicious) 11->101 dropped 16 setup_install.exe 1 11->16         started        99 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 14->99 dropped 20 jfiag3g_gg.exe 14->20         started        process5 dnsIp6 155 8.8.8.8 GOOGLEUS United States 16->155 157 172.67.199.99 CLOUDFLARENETUS United States 16->157 159 127.0.0.1 unknown unknown 16->159 225 Detected unpacking (changes PE section rights) 16->225 22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        26 cmd.exe 1 16->26         started        28 8 other processes 16->28 signatures7 process8 process9 30 metina_6.exe 22->30         started        35 metina_3.exe 7 24->35         started        37 metina_1.exe 90 26->37         started        39 metina_4.exe 2 28->39         started        41 metina_7.exe 28->41         started        43 metina_2.exe 1 28->43         started        45 metina_5.exe 3 2 28->45         started        dnsIp10 179 104.21.69.75 CLOUDFLARENETUS United States 30->179 119 C:\Users\user\AppData\Roaming\2829381.exe, PE32 30->119 dropped 121 C:\Users\user\AppData\Roaming\2053118.exe, PE32 30->121 dropped 123 C:\Users\user\AppData\Roaming\7758004.exe, PE32 30->123 dropped 193 Detected unpacking (changes PE section rights) 30->193 195 Detected unpacking (overwrites its own PE header) 30->195 47 2829381.exe 30->47         started        62 2 other processes 30->62 131 3 other files (1 malicious) 35->131 dropped 51 rundll32.exe 35->51         started        187 2 other IPs or domains 37->187 133 12 other files (none is malicious) 37->133 dropped 197 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->197 199 Tries to harvest and steal browser information (history, passwords, etc) 37->199 201 Tries to steal Crypto Currency Wallets 37->201 53 cmd.exe 37->53         started        125 C:\Users\user\AppData\Local\...\metina_4.tmp, PE32 39->125 dropped 55 metina_4.tmp 39->55         started        181 212.192.241.136 RAPMSB-ASRU Russian Federation 41->181 183 162.255.119.200 NAMECHEAP-NETUS United States 41->183 189 2 other IPs or domains 41->189 135 2 other files (none is malicious) 41->135 dropped 58 cmd.exe 41->58         started        64 3 other processes 41->64 127 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 43->127 dropped 203 DLL reload attack detected 43->203 205 Renames NTDLL to bypass HIPS 43->205 207 Checks if the current machine is a virtual machine (disk enumeration) 43->207 60 explorer.exe 43->60 injected 185 208.95.112.1 TUT-ASUS United States 45->185 191 3 other IPs or domains 45->191 129 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 45->129 dropped 66 2 other processes 45->66 file11 signatures12 process13 dnsIp14 137 C:\Users\user\AppData\...\WinHoster.exe, PE32 47->137 dropped 209 Detected unpacking (changes PE section rights) 47->209 211 Detected unpacking (overwrites its own PE header) 47->211 213 Creates multiple autostart registry keys 47->213 68 WinHoster.exe 47->68         started        215 Writes to foreign memory regions 51->215 217 Allocates memory in foreign processes 51->217 219 Creates a thread in another existing process (thread injection) 51->219 70 svchost.exe 51->70 injected 73 svchost.exe 51->73 injected 85 3 other processes 53->85 161 198.54.126.101 NAMECHEAP-NETUS United States 55->161 139 C:\Users\user\AppData\...\67________F.exe, PE32 55->139 dropped 141 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 55->141 dropped 143 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 55->143 dropped 145 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 55->145 dropped 75 67________F.exe 55->75         started        79 PZJZBONRDQVWU1ZX0EAMYP7I.exe 58->79         started        81 conhost.exe 58->81         started        83 WinHoster.exe 60->83         started        163 172.67.188.69 CLOUDFLARENETUS United States 62->163 147 C:\ProgramData\44\vcruntime140.dll, PE32 62->147 dropped 149 C:\ProgramData\44\sqlite3.dll, PE32 62->149 dropped 151 C:\ProgramData\44\softokn3.dll, PE32 62->151 dropped 153 4 other files (none is malicious) 62->153 dropped 221 Injects a PE file into a foreign processes 62->221 87 6 other processes 64->87 223 Tries to harvest and steal browser information (history, passwords, etc) 66->223 file15 signatures16 process17 dnsIp18 235 Sets debug register (to hijack the execution of another thread) 70->235 237 Modifies the context of a thread in another process (thread injection) 70->237 89 svchost.exe 70->89         started        167 198.54.116.159 NAMECHEAP-NETUS United States 75->167 169 13.107.4.50 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 75->169 177 2 other IPs or domains 75->177 103 C:\Program Files (x86)\...\Sijaecysupe.exe, PE32 75->103 dropped 105 C:\...\Sijaecysupe.exe.config, XML 75->105 dropped 107 C:\Users\user\AppData\...\Xuzhucajone.exe, PE32 75->107 dropped 115 2 other files (none is malicious) 75->115 dropped 239 Detected unpacking (overwrites its own PE header) 75->239 241 Creates multiple autostart registry keys 75->241 171 35.198.40.70 GOOGLEUS United States 79->171 173 35.198.59.251 GOOGLEUS United States 79->173 175 47.254.169.135 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 79->175 109 C:\Users\user\AppData\Local\...\file[1].exe, PE32 79->109 dropped 111 C:\Users\user\AppData\Local\...\null[1], PE32 79->111 dropped 113 C:\Users\user\AppData\...\infostati2[1].exe, PE32 79->113 dropped 117 5 other files (none is malicious) 79->117 dropped file19 signatures20 process21 dnsIp22 165 198.13.62.186 AS-CHOOPAUS United States 89->165 243 Query firmware table information (likely to detect VMs) 89->243 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-05 02:16:14 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgvhaotuoudrolpwplyunbcebyse7prdoudridvmyalsnqoav4jq._file
Verdict:
malicious
Similar samples:
12bbe24de7cb5efda944526935ce54a013d93d99b366b9f74a19828ddc987ebc
CryptBot
170ddb2583efd2402e84a7eb2c48754d978c8862e5c033fef9b7df34eadceb52
CryptBot
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
CryptBot
3d30ffd438512742fc01ca5df9c4b9d0deb9f908ef56e7dd3e284eec904f517d
CryptBot
76695f6c444b5dc5e8f8104ece90e45aa711df868faa0f0d88b730a8da54fc09
CryptBot
9329d5d88208298ef930bd5f126aec96ac18c08933872b36bdbbf041a6cb462a
CryptBot
97fe546f4790b24b92895fd102ab528c84187dde94b00e4efc16e78dba9f80a4
CryptBot
b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865
CryptBot
b412a43bbd6598818a0fe157f513fc8d74e67430b53b8f29eaefdceb57e7b80b
CryptBot
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
CryptBot
+ 786 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit family:plugx family:redline family:smokeloader family:vidar aspackv2 backdoor discovery dropper evasion infostealer loader persistence stealer trojan upx
Link:
https://tria.ge/reports/210610-5vwzn75k1x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Checks for common network interception software
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Glupteba
Glupteba Payload
MetaSploit
PlugX
RedLine
SmokeLoader
Malware Config
C2 Extraction:
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
Unpacked files
SH256 hash:
f7a22d383fb7c74e0e9b4b3907eeaf44acae4fe4a741face453d107eadd9ccfe
MD5 hash:
aabc7a3044ba7ea1594c0eab199d9547
SHA1 hash:
8d4143739f9c32c66ad6ac096cec8b6725f20218
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
4739d353297aa19f07825612eb05ff6287a5fdd070e18efe54e85f4a072cbea7
MD5 hash:
c7bbc9eabb785b39bab583534c7caed5
SHA1 hash:
e8d4109eee18a54bad6dcea59e62e145c80e4883
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
1bb1e726362311c789fdfd464f12e72c279fb3ad639d27338171d16e73360e7c
MD5 hash:
428557b1005fd154585af2e3c721e402
SHA1 hash:
3fc4303735f8355f787f3181d69450423627b5c9
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
664003cbe6a433ee57676929e973a5efe2644429ceeb348323ff70ed93e94d1e
MD5 hash:
890a74f18cc8b987518fe98e44c7b486
SHA1 hash:
af1381401d6ff9a3c7469ffad2fd5838890a4d95
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
62d39086402e4667160bd50cca366c72b6d9ab5b16cb5c244908a63b779e656b
MD5 hash:
d1e9b5d2a0e97a7c7c07e8eb53140470
SHA1 hash:
60b9e9430018b710c5ecc8bbcfbb75d73ac8e47a
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
Parent samples :
cc03001bc0a55b5ae872d210e94470745edb6d9465a87ea276a414c16ae6080a
76695f6c444b5dc5e8f8104ece90e45aa711df868faa0f0d88b730a8da54fc09
26483f30ef585dd1a6b988d2cbfb474adf6d45f91d6ed22dfd8474c1a374c1cc
aa38af0f16d1e18d0e9e3ce186b7b4505fce90d26dcb925108c1923df691bd38
c2f28c09684df67950e22ac326f6e523f02db15fcc822244f8889b76fbd86ad7
0050d1508b9d3b6063d3b9775000b2cc8529678c7bed0800502f38e15b9471eb
2507f070a5e9c57e22b5c3ce3b54fade48f9aba2d444fa7d0c48146a94309e06
a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13
7b3d5985d238ea05b76ff24b955e265f6690468672c2319d5282f7b849ad9bd1
bb4467968b3ebcf62143386d30f030358e06f90a340422d71e822a6c79d350ef
SH256 hash:
65f2f25605293e7bf58f784719bacd988560acbc9785ae54317c39c5303c43f0
MD5 hash:
1a709dd18eb2fcfff50f0255b89d430b
SHA1 hash:
fbc73199d8f4c26bfe7b902d5aa183bbbbc0fa85
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
16124fbcd8e2adcbddbc59292e8aed1457b1d7010457967fb0eb5e902cab8c54
MD5 hash:
0924f287cd3f256ac4cb3605dd105ffc
SHA1 hash:
e10eb9fec8dd000f29a5013d1806fc6b018ea341
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
d19808c396ba4a44568024be9266beee7442d26da23c2a372f7707c0b8232d8a
MD5 hash:
244925bfacb9a951c3cb1bf346b8372c
SHA1 hash:
d02440131939fe73f6e6ae161ffb98cb1e8e1f11
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
a15eab5c5626903112bf10d0d04cd0d3f6f1347d91bbba6a171fcdb02224d1e4
MD5 hash:
fd441f7b5f388affcebdf80d4609cb09
SHA1 hash:
cea1593d4ac1e37296f137f5f6a88c3fff3abfa5
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
41fb3f2fee25b6a5f83f29813563ebe72ef29109109708648ef6358f74ca18d3
MD5 hash:
4c8478c27fa11f6ba5717beb460b88bc
SHA1 hash:
c88e99cfb67c2e65c275218e8783ed2aab98db2e
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
eb3691d3a707c8b1d5b45402ef3344d7e6388eaac64065a13cf5c9afa53a2b01
MD5 hash:
3038ae600c1657fad2fdc1a3072820d2
SHA1 hash:
6a855667f0219302dbe1ab2c80feb56c8822051b
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82
MD5 hash:
be891367a9a7f020097506d3e964bd08
SHA1 hash:
4ae27f5a2ec7c7aa26ca725d79397e4645c807c6
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
f61908be2b7b1a5e43bf6ef0178e340432bcbd0248586ee44d54f43567dd961b
MD5 hash:
5946ff40bcd03210956d28c0cdc4a5ab
SHA1 hash:
3636c7737e6a5c7b27d2e7a624d6b62e5740c1a4
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
03beb420a213b04667bfe5df56c118196246a17630c1219f8fd31af3a2f1dd20
MD5 hash:
eeac75541f613dcf290c5632c42f981f
SHA1 hash:
c9b33f7fe553357ecfe9a2ea65669fe1c95968ed
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
5e446afce79f22cfc15f89218d58e0bfb589949d01280c17584bd53db21d3bf8
MD5 hash:
37d982cc9e71fef148116e75858924cf
SHA1 hash:
0d486ebbb296e150ba1c4e52534cec30461c69d4
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
61b93eefdb37dd47f2144d1e610ae9df2d7977c6f2f8ba6b382cc5b317bb63e4
MD5 hash:
5197345bb11fc78a473630cfe4dd4552
SHA1 hash:
2e2573bafe2f5bcc48a508baefd07e67d56220b1
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
dc63856d42f2b5a3929026f79f0ded022a9ab176f1b6add47f1a9844ccd18fe5
MD5 hash:
7ef895afd464b566a9f3a0e129e9bf33
SHA1 hash:
b66d356db8aa574f7b87150ed010ef043eb5bb91
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
SH256 hash:
a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13
MD5 hash:
e12b3d810276e5300981cdbbe7cda010
SHA1 hash:
4d326ec3a4fe90f0ecc9c4558e76b501a087c91c
Link:
https://www.unpac.me/results/97b88963-0efe-4dbf-b752-a2994a261f3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nymaim
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9aa703a747507172df67af14684440e244fbe237507140eacc01726c1c0af13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_HyperBro03
Create hunting rule
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/165726/

Comments