MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c54ca1df46d817348c9bdf18f857459d7ca05c51f7f309e4d4de085136e3ed76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GCleaner


Vendor detections: 13



SHA256 hash: c54ca1df46d817348c9bdf18f857459d7ca05c51f7f309e4d4de085136e3ed76
SHA3-384 hash: 4ce59eb53516bc6b0f0af8fdc220c0496ed53152cf335f14fc3785a2c1bff20f038b0672dfb62fec3f8083ea0bcddac7
SHA1 hash: e0d7d4a7d21328802b4892c037cc02817b5eb01c
MD5 hash: 09d5cb1ce36967235ccae5c7e5d81ddc
humanhash: florida-oregon-east-butter
File name: C54CA1DF46D817348C9BDF18F857459D7CA05C51F7F30.exe
Signature: GCleaner
File size: 5'288'496 bytes
First seen: 2021-11-23 22:31:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 98304:xcCvLUBsg61jkvigDhMPv6OKI6U/AZCZ3aBahoLqr3xuJD/mm2pHnK/WF:xBLUCg61ovigDhMFKa/AZCZKR+ITmm2h
Threatray: 2'034 similar samples on MalwareBazaar
TLSH: T12B36334075641DBCDCC41470ED8DBFBC64FE87890A3249536B458D873FBAA8A631A39E
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe gcleaner


abuse_ch
GCleaner C2:
185.92.74.18:3391

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
185.92.74.18:3391 https://threatfox.abuse.ch/ioc/253714/

Intelligence


File Origin
# of uploads:
1
# of downloads:
215
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C54CA1DF46D817348C9BDF18F857459D7CA05C51F7F30.exe
Verdict:
No threats detected
Analysis date:
2021-11-23 22:33:15 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
DNS request
Sending an HTTP GET request
Reading critical registry keys
Launching cmd.exe command interpreter
Query of malicious DNS domain
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys mokes overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Cookie Stealer RedLine SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara Genericmalware
Behaviour
Behavior Graph (graph node numbers in parentheses are the sandbox's own):
Behavior Graph ID: 527568
Sample: C54CA1DF46D817348C9BDF18F85...
Startdate: 23/11/2021
Architecture: WINDOWS
Score: 100

Sample root (2):
  Network: 91.121.67.60 OVHFR France; toa.mygametoa.com 34.64.183.91 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; 104.21.75.46 CLOUDFLARENETUS United States
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Antivirus detection for dropped file; 19 other signatures
  Started: C54CA1DF46D817348C9BDF18F857459D7CA05C51F7F30.exe (11); rundll32.exe (14); WmiPrvSE.exe (16)

C54CA1DF46D817348C9BDF18F857459D7CA05C51F7F30.exe (11):
  Dropped: C:\Users\user\AppData\...\setup_install.exe, PE32; C:\Users\user\...\Thu00fdc3759fedb.exe, PE32; C:\Users\user\AppData\...\Thu00eba3fc844.exe, PE32+; 16 other files (11 malicious)
  Started: setup_install.exe (18)

rundll32.exe (14):
  Started: rundll32.exe (22)

setup_install.exe (18):
  Network: 127.0.0.1 unknown unknown; hsiens.xyz
  Signatures: Performs DNS queries to domains with low reputation; Adds a directory exclusion to Windows Defender
  Started: cmd.exe (24); cmd.exe (26); cmd.exe (28); 12 other processes (33)

rundll32.exe (22):
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Injected: svchost.exe (30)

cmd.exe (24):
  Started: Thu00d9e1a46022.exe (35)

cmd.exe (26):
  Started: Thu003065c4d5755.exe (38)

cmd.exe (28):
  Started: Thu001c15152004.exe (40)

svchost.exe (30):
  Signatures: System process connects to network (likely due to code injection or exploit)

12 other processes (33):
  Signatures: Adds a directory exclusion to Windows Defender
  Started: Thu0025255cd1c.exe (42); Thu00cd3aa43fee183d.exe (46); Thu00a10ea680ad3.exe (48); 8 other processes (50)

Thu00d9e1a46022.exe (35):
  Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 4 other signatures
  Injected: explorer.exe (52)

Thu003065c4d5755.exe (38):
  Signatures: Multi AV Scanner detection for dropped file; Sample uses process hollowing technique; Injects a PE file into a foreign processes

Thu0025255cd1c.exe (42):
  Network: 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32
  Signatures: Creates processes via WMI

Thu00cd3aa43fee183d.exe (46):
  Network: 45.9.20.13 DEDIPATH-LLCUS Russian Federation
  Signatures: Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
  Started: WerFault.exe (57)

Thu00a10ea680ad3.exe (48):
  Network: 162.159.133.233 CLOUDFLARENETUS United States; cdn.discordapp.com 162.159.134.233, 443, 49746, 49752 CLOUDFLARENETUS United States

8 other processes (50):
  Network: 136.144.41.58 WORLDSTREAMNL Netherlands; ip-api.com 208.95.112.1, 49751, 80 TUT-ASUS United States; 9 other IPs or domains
  Signatures: May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc)
  Started: mshta.exe (59); mshta.exe (61)

explorer.exe (52):
  Network: 64.32.26.89 ST-BGPUS United States; 91.195.240.101 SEDO-ASDE Germany
  Dropped: C:\Users\user\AppData\Roaming\wvfsjie, PE32
  Signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)

mshta.exe (59):
  Started: cmd.exe (63)

cmd.exe (63):
  Dropped: C:\Users\user\AppData\Local\...\BEDAQQT.ExE, PE32
Threat name:
Win32.Backdoor.Mokes
Status:
Malicious
First seen:
2021-10-17 20:05:12 UTC
File Type:
PE (Exe)
Extracted files:
220
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:redline family:smokeloader botnet:ani botnet:she aspackv2 backdoor infostealer spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Drops file in System32 directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Executes dropped EXE
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
suricata: ET MALWARE ClipBanker Variant Activity (POST)
Malware Config
C2 Extraction:
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
135.181.129.119:4805
194.104.136.5:46013
Unpacked files
SHA256 hash:
1b1662a7c0682f10168d920f78fc3e2239009879344064507524426769e269c5
MD5 hash:
47337a3c18539b0e076f9ec32e2de5ac
SHA1 hash:
f5ac231ca81a98d728a000ca1fd164ca6f18507a
SHA256 hash:
51083f1071cc6c67bc643417a0be92c3190a044f6cb0d913bb8afb01adc08f3f
MD5 hash:
59073d016866002414aa2c915f8d1f6e
SHA1 hash:
dc285bc11154c5d4b932514934bd16c71b2a3938
SHA256 hash:
d95b8e2d8bf52369a369cf6ee5366297a8984380210d7eea29a82cf53b8501fa
MD5 hash:
4da644a647b164089629ff894110d9cf
SHA1 hash:
8f29d97853790d852203c0921c39609ee8c6b27e
SHA256 hash:
642f5d31e9797e4509429807009ee2871ac9826b5b513ff229956a3d87ed1f8e
MD5 hash:
488029d7287523022a3a3c0fad808e36
SHA1 hash:
1f28a900f11d99b0f6e65cf3b1e63b0bd22f45db
SHA256 hash:
62d45826f9094cc54eae33468bffd97699e9b37fca30eaf58e0889b84a8ec98a
MD5 hash:
c1dd8182f9b228be6dfb93dba7b13002
SHA1 hash:
1b498e0b03d31a69d7e5d76ff8448cae31c7c204
SHA256 hash:
f87ca8592a4a54c3e76b76444ffeb0b9878f27510ad5e8029e644b3904e6178d
MD5 hash:
a815ba3840c69cdfd4e1f3e184624ac6
SHA1 hash:
f571c24c05c78a560265ec1dcf73341071abd9fb
SHA256 hash:
27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128
MD5 hash:
de1b3c28ea026c0ede620dd78199ddc5
SHA1 hash:
ee402371a36bff44c765323ccd8c7e4a56bc8d12
SHA256 hash:
43da19a0f18ca201ee3f213e30699e121bbe812bb14e405344dfe43e52b95d6a
MD5 hash:
c83860b0db60b9f69468301ee2a58fca
SHA1 hash:
d826cc0323eb208e36b3e9ef00225430c6f031e1
SHA256 hash:
63402602d709a038f08460df6d88368f1c1ddd0f70131f48d247795aa65b7c0c
MD5 hash:
82ac141ef6b2128ee117d38051d96e22
SHA1 hash:
d7771efa62bd72c874693bfb4015a08e05b13db6
SHA256 hash:
32ca903a0aeb549f6bbc97bea9efaa2cd135ece7595bc3061fafd6b0fd3a7d61
MD5 hash:
a9d0441e37ea5cf823e8c0f2230c4d22
SHA1 hash:
c3b12003591cfbdaf894c04e5d963841ec34edc7
SHA256 hash:
684e26f10ac97897d71b217e1e2e4016a9547afae2830791b8405c2f7ddda23c
MD5 hash:
7d5420b628932aabddafc6f6a905865e
SHA1 hash:
bfc7ae6825a9ef8bdd2f9cc42b922219be4d584b
SHA256 hash:
f64c777abab289837042feb8d86b12a83d48147591fee7c56853f4a9a7c8f6f7
MD5 hash:
d99f11897ec2e7dab1012bda897ca99f
SHA1 hash:
bfa60604743bfb97d965ebef9c7620708690f15f
SHA256 hash:
702be20b914e79b98fd4f211dd3163806e9f5b75bed0e3faa10fe4b20cdd24d2
MD5 hash:
6298ddd017d373e15bc3fab3ccc23a4a
SHA1 hash:
77b89d4ea7add642c33942b3579fe8946290f112
SHA256 hash:
72afc4799d3472e878d0e5f0d62d7773b64f16e02dfed5e110110faa61b2e73d
MD5 hash:
2a116485c902072e8a9bb572a57224f5
SHA1 hash:
6dbf055c5c97864742a22f1bf9189a8181ed46b9
SHA256 hash:
018857f1776a7b86701118d4b36e2eedffb4939f0d31ff4ae49277888d342c1b
MD5 hash:
6694d4fd66984ef96fa37dabc84aadaf
SHA1 hash:
4ab19642b608c931db9fee1ae406b0d8d4db0c5a
SHA256 hash:
57d6a6655fc78877adf15b4742e26aa2b9312ee464f1004b2639d3d94c6ed5fa
MD5 hash:
30a8ec3af98a673b3a250beb52f9ddd8
SHA1 hash:
440f7903ef11b2af03bb5acecfc51ab0ac35c7ea
SHA256 hash:
caafff86cdef2ee4b6a64ba6d82db388bb61664629ffa2df0094014b35b699db
MD5 hash:
de50c9ad8a3b0115c44dda6d94c79a87
SHA1 hash:
3d0072ec010f0a5d2222ddef9da002c3151f227f
SHA256 hash:
b7400825df4e2e22e14b51b60809bb7706cd5f8c0c758c08dbb7f97ef3bd0597
MD5 hash:
1651d2eee32c15f79fd5f2e42551f4dc
SHA1 hash:
f254b220184e991792401f4818bcae33ac37ad4f
SHA256 hash:
193e48123404352aa554036a4ade29811012f712e4f767e881a342fcd876a7f2
MD5 hash:
fd3e8817c4a04991558513c5e39b4c84
SHA1 hash:
0d804c772406f54a33d2bd77efe3b802a1f2bdb4
SHA256 hash:
be340ba0387792abebb9de640674349a6c650d36371d630781a79815735891a3
MD5 hash:
e2d5edc2e000fbbb4f5cc4b357d5597f
SHA1 hash:
2a9545adf0295bc60d2a8b4500cfc4f47d083391
SHA256 hash:
73810cb6f73259f9cdd58ac8fa1449a8e8e1e474ea6bca16c16dd2b687897eb2
MD5 hash:
bc466eeabfea7fe3605789a61fd65181
SHA1 hash:
75bb6525091300504f1b43adc3c44a0293f5dd9c
SHA256 hash:
213401726351f214e4cde3243c1a88d3a0c68596da6ea27390f46b1d5c79b4e3
MD5 hash:
35c03fc85e9c2df120537d656df16770
SHA1 hash:
f42881f0cbe940d733d36e3759de427bdddb429e
SHA256 hash:
c54ca1df46d817348c9bdf18f857459d7ca05c51f7f309e4d4de085136e3ed76
MD5 hash:
09d5cb1ce36967235ccae5c7e5d81ddc
SHA1 hash:
e0d7d4a7d21328802b4892c037cc02817b5eb01c
Malware family:
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: MALWARE_Win_Arechclient2
Author: ditekSHen
Description: Detects Arechclient2 RAT
Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: pe_imphash
Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.
Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments