MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3435b775a71e105224d5c642be20d68488c40b67c2cfa7762b42e6f947ee055. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3435b775a71e105224d5c642be20d68488c40b67c2cfa7762b42e6f947ee055
SHA3-384 hash: 22215f32c143e567a6bd02c06716e6b773c9cb737be8e2918445a832eb2b1a5214866649d47a32272935cb48a9f66d67
SHA1 hash: 4185ffcd330be6bba3d3050efc46d7f85f0d2469
MD5 hash: a5cd66cf1267527b6d5cb267be6c326e
humanhash: india-xray-violet-six
File name:a5cd66cf1267527b6d5cb267be6c326e.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:7'370'500 bytes
First seen:2021-10-02 11:25:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 196608:xqLUCgD4IdZ05lPyruBapPU+VhfZ7VSHBGNv/LuaY/gIh:xqdgEIo5l5ap8+vtM4N/LuhP
Threatray 586 similar samples on MalwareBazaar
TLSH T1E1763318BBE9C4F3E9029A385A1D9323A6ADC7C5062A4BF737440566CF37475472FB28
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
http://185.215.113.45/g4MbvE/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.215.113.45/g4MbvE/index.php https://threatfox.abuse.ch/ioc/229555/

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a5cd66cf1267527b6d5cb267be6c326e.exe
Verdict:
No threats detected
Analysis date:
2021-10-02 11:26:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b816fe89-4e20-46b7-a04b-4dac1fb54e5d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194183/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dce886d9-175b-44e0-a435-0beb4cb3daf3
Result
Threat name:
RedLine SmokeLoader Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863177
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 495606 Sample: GSZm5q9Oxg.exe Startdate: 02/10/2021 Architecture: WINDOWS Score: 100 79 162.255.117.78 NAMECHEAP-NETUS United States 2->79 81 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 2->81 83 3 other IPs or domains 2->83 127 Antivirus detection for URL or domain 2->127 129 Antivirus detection for dropped file 2->129 131 Multi AV Scanner detection for dropped file 2->131 133 17 other signatures 2->133 10 GSZm5q9Oxg.exe 22 2->10         started        13 svchost.exe 1 2->13         started        15 svchost.exe 2->15         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\setup_install.exe, PE32 10->49 dropped 51 C:\Users\user\...\Wed11e71c63e52700463.exe, PE32 10->51 dropped 53 C:\Users\user\...\Wed11dd5b1ab791fb.exe, PE32 10->53 dropped 55 17 other files (7 malicious) 10->55 dropped 17 setup_install.exe 1 10->17         started        process6 dnsIp7 75 172.67.142.91 CLOUDFLARENETUS United States 17->75 77 127.0.0.1 unknown unknown 17->77 125 Adds a directory exclusion to Windows Defender 17->125 21 cmd.exe 17->21         started        23 cmd.exe 17->23         started        25 cmd.exe 17->25         started        27 13 other processes 17->27 signatures8 process9 signatures10 30 Wed11cce47b85d.exe 21->30         started        35 Wed11e71c63e52700463.exe 23->35         started        37 Wed115c4bb90b54.exe 25->37         started        135 Adds a directory exclusion to Windows Defender 27->135 39 Wed1198871d7635f23.exe 27->39         started        41 Wed11dd5b1ab791fb.exe 27->41         started        43 Wed11cd2f937f.exe 27->43         started        45 9 other processes 27->45 process11 dnsIp12 85 37.0.10.244 WKD-ASIE Netherlands 30->85 87 37.0.8.119 WKD-ASIE Netherlands 30->87 93 9 other IPs or domains 30->93 57 C:\Users\user\...\installer_394347[1].exe, PE32 30->57 dropped 59 C:\Users\user\AppData\Local\...\file1[1].exe, PE32 30->59 dropped 69 30 other files (2 malicious) 30->69 dropped 117 2 other signatures 30->117 95 2 other IPs or domains 35->95 71 12 other files (none is malicious) 35->71 dropped 99 Detected unpacking (changes PE section rights) 35->99 101 Detected unpacking (overwrites its own PE header) 35->101 103 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->103 105 Tries to steal Crypto Currency Wallets 35->105 107 Query firmware table information (likely to detect VMs) 37->107 109 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->109 119 2 other signatures 37->119 89 104.21.42.252 CLOUDFLARENETUS United States 39->89 61 C:\Users\user\AppData\Roaming\7898889.scr, PE32 39->61 dropped 63 C:\Users\user\AppData\Roaming\4958338.scr, PE32 39->63 dropped 65 C:\Users\user\AppData\Roaming\4788418.scr, PE32 39->65 dropped 111 Drops PE files with a suspicious file extension 39->111 121 3 other signatures 41->121 91 104.21.85.99 CLOUDFLARENETUS United States 43->91 67 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 43->67 dropped 113 Creates processes via WMI 43->113 97 9 other IPs or domains 45->97 73 2 other files (none is malicious) 45->73 dropped 115 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 45->115 123 2 other signatures 45->123 47 mshta.exe 45->47         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3435b775a71e105224d5c642be20d68488c40b67c2cfa7762b42e6f947ee055/
Threat name:
Win32.Trojan.Mamson
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 14:25:47 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynbvw522ohqqkisnlrscxyqnnbeiyqfwpqwpu53cwqxg7fd64bkq._file
Verdict:
malicious
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
RedLineStealer
093c40a96a55be0cc76dd3f234eebc8e66f453626f0d217fce4bb91d5e5afa5c
RedLineStealer
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
RedLineStealer
987a2417a285a7e885e5acdd635d3e2dfa1cf00bb98b6a39fbc17bc7c3fb4993
RedLineStealer
a3507dc0b236809b00d1e1b8481607e75b2085a6cfeebab4d50ba816502adb29
RedLineStealer
a8d8a6f9478a60a05d3b8c57a616da20c83b99bc7877c46163fcd126bbb25409
RedLineStealer
e151a929c69d6b05b9326bdae2679e828cd8c0c6e27bfe9866976e7943630e24
RedLineStealer
+ 576 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:933 botnet:ani botnet:jamesfuck aspackv2 backdoor evasion infostealer spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211002-njvt8seden/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Download via BitsAdmin
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Malware Config
C2 Extraction:
65.108.20.195:6774
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
https://mas.to/@bardak1ho
45.142.215.47:27643
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
078b80b059f5db99874557c13a13f9916674fef20eaac89337cb9f14ee97405e
MD5 hash:
a8bc5553733d6e68753d63747eed87d6
SHA1 hash:
f9210ad415b8d1a0c4a88b62ff6f05d0128df05e
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
9253c070a4a5ce357909556505b49ccd25b5a21789064621393a61df2dbfc515
MD5 hash:
1b0354c000633a8862638f65a19442dc
SHA1 hash:
ea04a876808c63b899895383d5dfe9c026a36853
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
d5896f8d00c6688b5b2a6f84d8ae3f3d1e136512624cb96054ca0db51af53dff
MD5 hash:
6e1cf5a21e2cbfab1a3fad4e5ff360c2
SHA1 hash:
c37f14af2efba855033d2221bbec13d436427ccd
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
b69f85ff1a7d769b53e11929e0a796e1d65d7749b2c93385178117ec2063c413
MD5 hash:
c55554ff4f4e4cbde458f44330a086b9
SHA1 hash:
5e1def702e711940963515e5414dee3ef585d2d3
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
972c33057d6944870e2fe26b4a5f2497cde0b540150386bdba04c8fc607f4b01
MD5 hash:
d5d68f6d0c6e151d2fb689740f5f3f75
SHA1 hash:
cb5ef9eb004073daba0eb683f1ff69d1dd5f21eb
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
Parent samples :
f33c9c6f077b7fb4d243925fe48b875581bb8af46e452b39bd4a2c3dd68f0ef9
822ee6c4b4bb9a619985e83c04a2dfe1a09152dc0276bd698f6d03be6ec7b83a
cfcab36f73560b2d15b6c266feaaf0195a6e0d18c22aa22b672e7eb2f979923e
7287980c1afb840a7438471126c0c95c36fefa79a013f9620264507e5f98c7a6
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
72b6da82c3aa6faeee19e842814f77874cab37b3425ce6c503754b90c43a4610
e4fb39b3f6aa19028ccdd531437e7994a9b6f62b317adfa3edc16ba51e57acb1
582bd655f491fe76a95b9c8900a3051d379dcbb86036f273b2a7bc6cdd928e9b
9265b09595c59007e116c60605c28bd616387cf0dff79c7db8c5880e23cfef8e
abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb6bd2120da1c01fb1a5a
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
e01840f6e7a9639865fff636d05e8060db9248cca1bc030719b5148685e9d7d5
MD5 hash:
6aca2b04670d1beeaffa6331e81eb687
SHA1 hash:
fa2df90e232c7e4611189d1b153a9336d488a01e
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
f3e24d07e277d4dc10685b3f2ee6758ce5f340329a80b7336af306d85fbe8413
MD5 hash:
5994115f5d26f8e0477783735eb0a0b2
SHA1 hash:
d2cd839a2497da00eb06d1110746df54b7f450d8
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
e80b12d193b19d2f1051d1dfbc84223864b4b92d16baa5c7ff0773649b1ee025
MD5 hash:
b2d575e030957cfdfb2c472086a5380a
SHA1 hash:
7dba4a2d58168e0e5281c8cd29bee381c546794c
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
7a6f2506192e9266cddbc7d2e17b7f2fa2f398aa83f0d20b267ae19b15469be7
MD5 hash:
37044c6ef79c0db385c55875501fc9c3
SHA1 hash:
29ee052048134f5aa7dd31faf7264a03d1714cf3
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
75688e96607df3ce1dd9e878cb9423a635190825f772dde4517561059bca59ad
MD5 hash:
e849cd66a188451112455c93ff4b7cac
SHA1 hash:
2659334b386da094d5c7ae10878ba3bd84980c69
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
2c21825ab8c9a3a67b6a553b676d78168582bd7fc0fb7e0216e1c74081aa4979
MD5 hash:
699a4ef8dbb17a225e4509df335a7323
SHA1 hash:
1b4cc44c8526916c8429114054a22d8f4206937c
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
dff0f27502ee2bc71c10185e9614b03876121c22d830b5592eb90702420b3506
MD5 hash:
522d2c5ddae0beb593d4b9d785e40ab0
SHA1 hash:
180830838c166486856b6495ac3d5bcfa725e9b6
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
3fd064dfa5e9ef6016845046f35b05f1b619411f469ff7e60c49772162879419
MD5 hash:
2d484c4f2224af41c813a1769a103c7f
SHA1 hash:
53a2609394d73797578ce78e06e4d4857d1082e4
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
Parent samples :
cb7d7fe72bdc9b5c0da00a175ad4354037473b71f8a9fd763d798c84c44467c0
f9c9b3fbf4d11f96ff06fc8292d8c67ad6cf5432409754bbfc95c5c80e6b160d
SH256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
1b12476c090684529d03ae7c968964350a4ed697bd58cfe0d254c9d7f73d1db7
MD5 hash:
ddd2da1794e9156d5b489cecefbfc4be
SHA1 hash:
8c2ccf5fb358f9139b721f21edd604b209fba4b1
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
4b6376fd5474ed9a729dc09a7c5375f3eda13ed5f1c0f79d47af34313375ed1b
MD5 hash:
c08025f5b62ae9aca0df275c89c01843
SHA1 hash:
2fcb88dce74ae92c25b4c7fa80bd089e6e55e055
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
e5ad583712dbd5210ce6dfc8e2ec98bb9f3846fb9326f10fa9843992c3eb81a0
MD5 hash:
291f6aff037be3177cbbe65c03ad4c55
SHA1 hash:
15f6a5390e79408bfe5b76d38d6a613eec34619c
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
SH256 hash:
c3435b775a71e105224d5c642be20d68488c40b67c2cfa7762b42e6f947ee055
MD5 hash:
a5cd66cf1267527b6d5cb267be6c326e
SHA1 hash:
4185ffcd330be6bba3d3050efc46d7f85f0d2469
Link:
https://www.unpac.me/results/84125482-13c4-406f-a35f-4688e9467654/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c3435b775a71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3435b775a71e105224d5c642be20d68488c40b67c2cfa7762b42e6f947ee055

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194183/

Comments