MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b36eee28fcc8c8e6a9ca2075093de6bd151a267a9f9098c9fde0932e6457097e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 15



SHA256 hash: b36eee28fcc8c8e6a9ca2075093de6bd151a267a9f9098c9fde0932e6457097e
SHA3-384 hash: cf7f64499754e73627310e9d1731f4acd77c7c1e3bff38d0e0b4696bf7c94256fead8aaca590b0d5a53d2db4962b02c2
SHA1 hash: ffedab5d437c6a5d1990d5205f8ccbf3ac85b948
MD5 hash: ac526dac15bde2bd49b9fd467c730e3b
humanhash: alabama-happy-august-two
File name: ac526dac15bde2bd49b9fd467c730e3b.exe
Signature: GCleaner
File size: 12'545'720 bytes
First seen: 2021-12-04 09:46:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 196608:xyLUCgJTEqg2mERfg+u6QF1/W+hJSc5Z4xKpWUYULMIya0zVu5bAyR5Bin8M6:xydglRfg+pGvl5Zo+BlLMIyEbVBbn
Threatray: 787 similar samples on MalwareBazaar
TLSH: T11BC63385F80563B7D906EC308B44EE37BB75937D7736E1CBA6D18968A6381CB140263B
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
http://ads-postback.biz/check.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://ads-postback.biz/check.php | https://threatfox.abuse.ch/ioc/259050/

Intelligence


File Origin
# of uploads: 1
# of downloads: 290
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ac526dac15bde2bd49b9fd467c730e3b.exe
Verdict: No threats detected
Analysis date: 2021-12-04 09:48:24 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching cmd.exe command interpreter
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Launching a process
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 0/10
Tags: n/a
Behaviour
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey Raccoon RedLine SmokeLoader Socel
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph (text recovered from the graph rendering):
Behavior Graph ID: 533853
Sample: XPCIJGAZa6.exe
Start date: 04/12/2021
Architecture: WINDOWS
Score: 100

Network contacts recorded in the graph:
  ip-api.com (208.95.112.1, ports 49716, 80; TUT-ASUS, United States)
  193.38.54.238 (SERVERIUS-ASNL, Russian Federation)
  15 other IPs or domains
  qoto.org (51.91.13.105, ports 443, 49710; OVHFR, France)
  159.69.92.223 (ports 49711, 80; HETZNER-ASDE, Germany)
  192.168.2.1 (unknown)
  185.215.113.44 (WHOLESALECONNECTIONSNL, Portugal)
  iplogger.org (5.9.162.45, ports 443, 49709, 49714; HETZNER-ASDE, Germany)
  www.listincode.com (149.28.253.196, ports 443, 49708; AS-CHOOPAUS, United States)

Process tree:
XPCIJGAZa6.exe
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 26 other signatures
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Wed15f83eb77d.exe (PE32); C:\Users\user\...\Wed15f0210e0781ad.exe (PE32); 20 other files (13 malicious)
  -> setup_install.exe
     Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
     -> cmd.exe -> Wed1579d7dbd40de51.exe
        Network: qoto.org; 159.69.92.223; 192.168.2.1
        Dropped: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); C:\Users\user\AppData\...\freebl3[1].dll (PE32); 9 other files (none is malicious)
        Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 2 other signatures
     -> cmd.exe -> Wed15c401857ac1a.exe
        Network: 185.215.113.44
        Signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Tries to detect sandboxes / dynamic malware analysis system (registry check)
     -> cmd.exe -> Wed157ff15767131.exe
        Dropped: C:\Users\user\...\Wed157ff15767131.tmp (PE32)
        Signatures: Antivirus detection for dropped file; Obfuscated command line found
     -> 11 other processes
        Signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
        -> Wed159885289d58013.exe
           Network: iplogger.org; www.listincode.com
           Signatures: May check the online IP address of the machine
        -> Wed15f83eb77d.exe
           Signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
        -> Wed15c6a30186c4a.exe
           Dropped: C:\Users\user\...\Wed15c6a30186c4a.tmp (PE32)
        -> 6 other processes
           Signatures: Adds a directory exclusion to Windows Defender
Threat name: Win32.Trojan.Jaik
Status: Malicious
First seen: 2021-12-02 02:54:47 UTC
File Type: PE (Exe)
Extracted files: 182
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:raccoon family:redline family:socelars family:vidar botnet:efc20640b4b1564934471e6297b87d8657db774a aspackv2 discovery evasion infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Enumerates processes with tasklist
Gathers network information
Gathers system information
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
NirSoft WebBrowserPassView
Nirsoft
Amadey
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://www.wgqpw.com/
185.215.113.35/d2VxjasuwS/index.php
Unpacked files
SHA256 hash: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052
MD5 hash: 6449aa2e023c5931ac91815ca54225ed
SHA1 hash: 65b5f4df2c28472469ddf924e6b0d0a61394c612

SHA256 hash: db51913dcbd74a51e46f4d8dca34ddaf44a928fd5250b34858b9d165dd68eca4
MD5 hash: 74f0d39f05f13a059791497a61471842
SHA1 hash: f5c39e3b0429cba32f009b191d12b590378aa51e

SHA256 hash: 6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash: c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash: a43a5a59038fca5a63fa526277f241f855177ce6

SHA256 hash: cf1ed8957d4825743d39f19529138de7131ca8f506440ddc1774f4640dffc599
MD5 hash: ded1c6e8c89148495fc19734e47b664d
SHA1 hash: 3a444aeacd154f8d66bca8a98615765c25eb3d41

SHA256 hash: 0d5b389013ab6041e48e2eb464d1ec6500bd6c9f847a8ed84806d1d891fea0c2
MD5 hash: f823621529fe24300df6320452a12efc
SHA1 hash: c52e10a16c897a74420debb64bd64dbda7387a39

SHA256 hash: 376bf69f01fe65802f1ec35b8715067687c4bd47937154fc4c3903b06fe89a92
MD5 hash: feea5b4bc6a46188e7998b53b668d6fe
SHA1 hash: ff73a76d88ba96baba23acf669ab2fb61e541916

SHA256 hash: a174e0d67eca3a59399994a54a44f4f2b7584f286dcf3cdb7a80f1ef83c010c6
MD5 hash: b3b683d8cb51a926977080d7f7cf4bf5
SHA1 hash: 82eb466d03c72417f1a3f1320ccb732899af5e88

SHA256 hash: fef7035989f56b8ab573adb9d3d91363668af7b0b71d4cb44d52f941fde3ad4f
MD5 hash: b712d9cd25656a5f61990a394dc71c8e
SHA1 hash: f981a7bb6085d3b893e140e85f7df96291683dd6

SHA256 hash: 6c2682e9bba89deeab5834e8b714a1c8a211a5cf92437c01f722e15dc513ba4a
MD5 hash: 86a4cfe4625860dd0fe13076aa05231b
SHA1 hash: eca354049a32716a9ed0bd7042f4bc827d94b075

SHA256 hash: 60d39812eace3b7d29879c793a5d9d2fbf7e857d0d4e41b8387362fe3ab1cc24
MD5 hash: c11e07ec3683986f0b1c2e61e4d5a95a
SHA1 hash: df7a32dc6e5b288d1f239556071adcc7729b91bd

SHA256 hash: 346bce2e52140e47948fe32d8eca990d2c58cf36c3f9da6d34f3e093769a55d7
MD5 hash: f2ad83f3ed4a6e739451c2798fffaf9c
SHA1 hash: de98545564ee86e9e8ebee0f8b0970319a348e7a

SHA256 hash: ee3f9178db420242904907580f747192d070ba5f893bc24d7cdc9e2d68df0f8a
MD5 hash: 0a95d1e59bd1fa933d9e7d74a0635532
SHA1 hash: dcd82a0d49126a118cabea10eca518ba41422e5c

SHA256 hash: ee2cc85a8e1972a29ce67ab0218d5daa8fc9b67f36111c71eccaf6da05219d19
MD5 hash: f6271f82a952f96ba9271a4a27c9f22f
SHA1 hash: d12708b9e39a0cd06add96316b65f1668d6a1246

SHA256 hash: 57ae3da2a51d1a69c3199ab852dee76dec76607096d2f3913248ae718bcf8756
MD5 hash: d0530f7e74ee9a549b305e8052de7ddf
SHA1 hash: cf44d7938c2b537e551d0669444c6c7fe3e7826c

SHA256 hash: 451c693481de62b1a2768050df0e7aba4d7eaa2c70ef924ccc5992f947d27b70
MD5 hash: 2fa2b1760a549b8a8988fbf66c0204ab
SHA1 hash: cf0a32127dd6d688fbebd56f6c2b672455b5683d

SHA256 hash: e7d8ec41a709a89760528e61accaf34c5ec1275e5546a7d0c77ee552a9d9b665
MD5 hash: 3656c70ae67acb6ce95b1aa1c4edf34c
SHA1 hash: c40af14d3e95507edfca6b7820cf4a60ea672209

SHA256 hash: def1b82b30e31e63d97488978f3bf6eb0063cb4c966d7be6f03524fcbe191a2b
MD5 hash: 81f6c157cc0c9fc8ab1d43afce9e5f1a
SHA1 hash: a78079015796191bbd70770ef069cfd8c224343b

SHA256 hash: 81cb92caea9893cec0ff4948f636f5ab9566a0df515763f7d55391bb270778da
MD5 hash: 853120b5e772b841efebd478b4399947
SHA1 hash: 8fc822f3ab5c4930d9f95f36876b90dd316ef6a1

SHA256 hash: dd02381131f8a05763ecea07f1b7a33ab25cb6c1929ad7504844d91ab02339c3
MD5 hash: 4f695725b279b1443978d7d7c08e3d6a
SHA1 hash: 5dde4adda5c541e1b35c372265c4930cfe115c0c

SHA256 hash: 53a13d9b85c62c225f80677e7e84f0e4b3980c0695a7606212176326f2ee72e0
MD5 hash: ba4548a88c431f3b9e3777e165a62f60
SHA1 hash: 412ca7d19a5bbc44fe0382a59f1bbae0eb1be44d

SHA256 hash: 2ac2f22f376075b29c0b6c787c57ce9a70ef0727bfb1617c3bfb94198bfa7640
MD5 hash: f9c6d895abb9e1dac411cf78baeb5dfb
SHA1 hash: 16445ba3e98d44624eb922f7d28ca1b7bbcce1bd

SHA256 hash: 32003c7e5625a458c5a8ae7d95cd5ceb2f480070caef23bd7dd0a5e9ed253287
MD5 hash: 2204b3394618855ee4bdf56d0e78fa9d
SHA1 hash: 158cf5ffd362143d64d8bbd696974e93c708ec61

SHA256 hash: 4726f2f7977598c84954d393966c6cc5f9a259dd6f43b7c329ab89b95eb75d82
MD5 hash: 802ce6129fd8158c6d1bd18bab2ca325
SHA1 hash: 10ea7ee448231fc14aeccc22e9aba82c6388b7fb

SHA256 hash: 6ecaba189f108ba0dc83214fa41e43307fdc79147717f2ac68cd832181db9666
MD5 hash: 70768beb1a282fc79ecf19a0a73286f5
SHA1 hash: e40e4b259715e740c83e3cc27a5654ea3c7bfa37

SHA256 hash: cd981497f6f4dd9354107206d7b2c13e09516f448e89de8786d65377fab16a62
MD5 hash: 21478aa41b2021c6053604f28304ce26
SHA1 hash: 6e38cce2438875c6720883fa79f3d44645888813

SHA256 hash: 7220a2744aaaf6402dd13d7388f6f5ce61898ad555df7bcc56a201f489831e6c
MD5 hash: f5c34d2363f159e3273b62abc9ceec4a
SHA1 hash: 0e4ac7b2718704122a5b05d3fb31b70e59a609ec

SHA256 hash: ab4ceb7444c48cb85b7ae4ce0d50f49ab5449cfbc7182e0bc0346d48c9ebd260
MD5 hash: 9004ef0472eaf0fa1875e0d13c655203
SHA1 hash: 74f4acc382e95836269b7645f9a9d112c8c98aff

SHA256 hash: bc29bc0841dea0bf8f88712ee214895d7cd2dff18b243287bc0887f66f2e009a
MD5 hash: d156ee2a2eeea57813af859298306fa8
SHA1 hash: 5e8d27cebb1ceed207c5f73d16aadb4fc8f80101

SHA256 hash: b36eee28fcc8c8e6a9ca2075093de6bd151a267a9f9098c9fde0932e6457097e
MD5 hash: ac526dac15bde2bd49b9fd467c730e3b
SHA1 hash: ffedab5d437c6a5d1990d5205f8ccbf3ac85b948

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe
Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is greater than the local current time
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments