MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: GCleaner
Vendor detections: 17

SHA256 hash: c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347
SHA3-384 hash: 6da22d8894564baec6668d2e2e20755940dfda2bc33bd4dcc7852ef2e14b556521cadeed984f43967f7af998a66b4dbd
SHA1 hash: 0a598d94482ab95fe1ecd2a0741eb39b7d7defb2
MD5 hash: d13d7a330bd2b99acb5c445bb14ab499
humanhash: angel-pip-ceiling-pip
File name: C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe
Signature: GCleaner
File size: 4'574'891 bytes
First seen: 2021-12-04 18:00:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JBXla3AAETAqudq6cO49DHn2yg7BCeoxGGiXUdv4J:JnPAquwz9b9pgXAwJ
Threatray: 3'442 similar samples on MalwareBazaar
TLSH: T12A26334111B8E8B3CFD6BE3D04616B75BE2AC726F051FD8237500B89A948FE9C56B9C1
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe gcleaner
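Before analysing a copy of this sample, confirm that the file in hand is the one this entry describes. The following Python is an added example, not MalwareBazaar code: it recomputes the four digests listed above from a file's bytes, compares them with the entry, and applies a minimal MZ/PE header check behind the "Executable exe" / application/x-dosexec classification. The sample itself is not reproduced here; a constructed minimal PE header stands in for it, so the hash comparison is expected to fail on that stand-in and succeed only on the real file.

```python
import hashlib
import struct
from typing import Dict

# Digests published for this MalwareBazaar entry (copied from the page above).
ENTRY_HASHES: Dict[str, str] = {
    "md5": "d13d7a330bd2b99acb5c445bb14ab499",
    "sha1": "0a598d94482ab95fe1ecd2a0741eb39b7d7defb2",
    "sha256": "c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347",
    "sha3_384": "6da22d8894564baec6668d2e2e20755940dfda2bc33bd4dcc7852ef2e14b556521cadeed984f43967f7af998a66b4dbd",
}


def hash_sample(data: bytes) -> Dict[str, str]:
    """Compute the four digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_entry(hashes: Dict[str, str], entry: Dict[str, str] = ENTRY_HASHES) -> Dict[str, bool]:
    """Per-algorithm comparison against the entry. A genuine copy matches all four;
    a partial match points at a transcription error or a different file."""
    return {alg: hashes.get(alg, "").lower() == digest.lower() for alg, digest in entry.items()}


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check behind 'application/x-dosexec': an MZ DOS header whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def verify(data: bytes, entry: Dict[str, str] = ENTRY_HASHES) -> Dict[str, object]:
    """Verification report for a downloaded file against this entry."""
    hashes = hash_sample(data)
    matches = match_entry(hashes, entry)
    return {
        "is_pe": looks_like_pe(data),
        "all_match": all(matches.values()),
        "matches": matches,
        "hashes": hashes,
    }


# Constructed stand-in for the real sample (not reproduced here): a minimal MZ
# header with e_lfanew = 0x40 followed directly by the PE signature.
_buf = bytearray(b"MZ" + b"\x00" * 0x3E)
struct.pack_into("<I", _buf, 0x3C, 0x40)
_buf += b"PE\x00\x00"
FAKE_PE = bytes(_buf)

if __name__ == "__main__":
    report = verify(FAKE_PE)
    print("PE header present:", report["is_pe"])
    print("Matches entry:", report["all_match"], report["matches"])
```

Run it against the downloaded file instead of FAKE_PE (read the file in binary mode and pass the bytes to verify); anything other than four True values means the file is not the one this page describes.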


abuse_ch:
GCleaner C2:
23.88.118.113:23817

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
23.88.118.113:23817 | https://threatfox.abuse.ch/ioc/259023/
91.241.19.213:46284 | https://threatfox.abuse.ch/ioc/259048/
http://ads-postback.biz/check.php | https://threatfox.abuse.ch/ioc/259050/
http://194.180.174.40/ | https://threatfox.abuse.ch/ioc/259462/
79.141.164.155:7655 | https://threatfox.abuse.ch/ioc/259463/

Intelligence


File Origin
# of uploads: 1
# of downloads: 324
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-10-20 05:54:47 UTC
Tags: trojan evasion loader stealer vidar raccoon opendir

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
DNS request
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: Raccoon RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara Genericmalware
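The Defender-tampering and MSHTA signatures in the list above are the kind an analyst turns into endpoint detections. The following Python is an added example, not sandbox or Sigma code: it runs such checks over constructed Sysmon-style process-creation events. The command lines, file paths and process names in EVENTS are invented for the example (the report above gives only signature names, not the commands behind them), and the rule names are labels chosen here.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style fields). These are
# illustrative command lines written for this example, not the ones the sandbox
# recorded for this sample.
EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Users\user\AppData\Local\Temp\installer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c powershell -nologo -noprofile -command "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nologo -noprofile Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent": r"C:\Users\user\AppData\Local\Temp\installer.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start C:\Users\user\AppData\Local\Temp\payload.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Get-MpPreference"},  # benign: only reads the settings
]

# Command-line rules; each mirrors one signature from the report above.
COMMAND_RULES = [
    # "Adds a directory exclusion to Windows Defender" / Sigma "Powershell Defender Exclusion"
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    # "Disables Windows Defender (via service or powershell)"
    ("defender_realtime_disabled_powershell",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)),
    # "Disable Windows Defender real time protection (registry)"
    ("defender_realtime_disabled_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*Windows Defender\\Real-Time Protection.*"
                r"DisableRealtimeMonitoring.*/d\s+1\b", re.I)),
]

# "Sigma detected: MSHTA Spawning Windows Shell": parent/child relationship, not command text.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules a single event triggers."""
    hits = [name for name, rx in COMMAND_RULES if rx.search(event["cmdline"])]
    if basename(event["parent"]) == "mshta.exe" and basename(event["image"]) in SHELLS:
        hits.append("mshta_spawning_windows_shell")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Rule name -> offending command lines, the shape an analyst reports."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for name in detect(ev):
            out.setdefault(name, []).append(ev["cmdline"])
    return out


if __name__ == "__main__":
    for name, cmds in triage(EVENTS).items():
        print(name)
        for c in cmds:
            print("   ", c)
```

The registry rule insists on /d 1 and the PowerShell rule on $true or 1, so that reads of the current settings, or commands that re-enable protection, do not fire; the parent/child rule deliberately ignores command text, because an HTA launching any shell is the signal regardless of what the shell then runs.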
Behaviour
Behavior Graph:
Behavior Graph ID: 533954 | Sample: C7304FF0966068D305DA031F9DA... | Start date: 04/12/2021 | Architecture: WINDOWS | Score: 100
Top-level network contacts: 149.154.167.99 (TELEGRAMRU, United Kingdom); 163.181.57.226 (TAOBAOZhejiangTaobaoNetworkCoLtdCN, United States); 12 other IPs or domains
Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Antivirus detection for dropped file; 20 other signatures

Process tree (dropped files, network contacts and per-process signatures as reported):
C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe
  dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  +- setup_installer.exe
       dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\Tue20ac538d4a24.exe (PE32); C:\Users\user\AppData\...\Tue208d5a2e61b0.exe (PE32); 18 other files (9 malicious)
       +- setup_install.exe
            network: 127.0.0.1
            signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
            +- cmd.exe -> Tue2046207032.exe
            |    network: 37.0.10.199 (WKD-ASIE, Netherlands); 185.215.113.208 (WHOLESALECONNECTIONSNL, Portugal); 24 other IPs or domains
            |    dropped: C:\Users\...\fV8Yy29W0CfN2SqKnt2t6q68.exe (PE32); C:\Users\...\UAMzFtVVH7NU5YUXl7htAFjK.exe (PE32+); C:\Users\...\DSpk0iW_yyW9nOTv7xgj06r9.exe (PE32); 51 other files (18 malicious)
            |    signatures: Antivirus detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); Tries to harvest and steal browser information (history, passwords, etc); Disable Windows Defender real time protection (registry)
            +- cmd.exe -> Tue2064c324db92f.exe
            |    signatures: Machine Learning detection for dropped file; Sample uses process hollowing technique
            +- cmd.exe -> Tue205ab5626e61c.exe
            |    network: 2 other IPs or domains
            +- 6 other processes
                 signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
                 -> Tue208d5a2e61b0.exe
                      dropped: C:\Users\user\AppData\...\Tue208d5a2e61b0.tmp (PE32)
                      signatures: Obfuscated command line found
                 -> Tue20ac538d4a24.exe
                      network: 8.8.8.8 (GOOGLEUS, United States); 104.21.51.48 (CLOUDFLARENETUS, United States); 192.168.2.1
                      signatures: Detected unpacking (changes PE section rights)
                 -> powershell.exe (two instances)
Threat name: Win32.Trojan.Antiloadr
Status: Malicious
First seen: 2021-10-19 22:48:46 UTC
File Type: PE (Exe)
Extracted files: 422
AV detection: 37 of 45 (82.22%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:socelars botnet:2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 botnet:chris botnet:fucker2 botnet:media18 aspackv2 backdoor infostealer stealer suricata trojan
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE Suspicious Download Setup_ exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
194.104.136.5:46013
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
91.121.67.60:2151
135.181.129.119:4805
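The ThreatFox IOC table earlier on this page and the C2 extraction list just above are the same kind of data: network endpoints a defender wants to sweep logs for. The following Python is an added example, not ThreatFox or MalwareBazaar code: it normalises both lists into socket, IP and hostname lookups and runs them over constructed firewall and proxy log lines. The log format, the "www." stripping and subdomain matching, and the verdict labels are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Network indicators copied from this entry: the ThreatFox IOC table and the
# sandbox "Malware Config / C2 Extraction" list.
RAW_IOCS = [
    "23.88.118.113:23817", "91.241.19.213:46284",
    "http://ads-postback.biz/check.php", "http://194.180.174.40/",
    "79.141.164.155:7655",
    "http://www.iyiqian.com/", "http://www.hbgents.top/", "http://www.rsnzhy.com/",
    "http://www.efxety.top/", "194.104.136.5:46013",
    "http://directorycart.com/upload/", "http://tierzahnarzt.at/upload/",
    "http://streetofcards.com/upload/", "http://ycdfzd.com/upload/",
    "http://successcoachceo.com/upload/", "http://uhvu.cn/upload/",
    "http://japanarticle.com/upload/", "91.121.67.60:2151", "135.181.129.119:4805",
]

# Constructed log lines (one firewall and one proxy format invented for this
# example); the first five should hit, the last one is benign.
LOG_LINES = [
    "2021-12-04T18:03:11Z fw src=10.0.0.5:51234 dst=23.88.118.113:23817 proto=tcp",
    "2021-12-04T18:03:12Z fw src=10.0.0.5:51235 dst=23.88.118.113:443 proto=tcp",
    "2021-12-04T18:03:15Z proxy client=10.0.0.5 GET http://ads-postback.biz/check.php",
    "2021-12-04T18:03:19Z proxy client=10.0.0.7 GET http://www.hbgents.top/index.php",
    "2021-12-04T18:03:20Z proxy client=10.0.0.7 GET http://194.180.174.40/setup.exe",
    "2021-12-04T18:03:25Z proxy client=10.0.0.9 GET https://www.example.org/",
]

FW_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")
PROXY_RE = re.compile(r"\b(?:GET|POST|CONNECT)\s+(\S+)")


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


class IocSet:
    """Indicators normalised into three lookups: exact ip:port sockets, bare IPs
    (from sockets and from URLs whose host is an IP) and hostnames (from URLs).
    A leading 'www.' is dropped so the apex domain is what gets matched."""

    def __init__(self, raw: List[str]) -> None:
        self.sockets: Set[Tuple[str, int]] = set()
        self.ips: Set[str] = set()
        self.hosts: Set[str] = set()
        for ioc in raw:
            if "://" in ioc:
                host = (urlsplit(ioc).hostname or "").lower()
                if _is_ip(host):
                    self.ips.add(host)
                else:
                    self.hosts.add(host[4:] if host.startswith("www.") else host)
                continue
            ip, _, port = ioc.rpartition(":")
            if not _is_ip(ip) or not port.isdigit():
                raise ValueError(f"unrecognised indicator: {ioc!r}")
            self.sockets.add((ip, int(port)))
            self.ips.add(ip)

    def host_hit(self, host: str) -> Optional[str]:
        """Exact hostname match or a subdomain of an indicator host."""
        host = host.lower()
        for ind in self.hosts:
            if host == ind or host.endswith("." + ind):
                return ind
        return None


def match_line(line: str, iocs: IocSet) -> Optional[Tuple[str, str]]:
    """(verdict, indicator) for one log line, or None."""
    m = FW_RE.search(line)
    if m:
        ip, port = m.group(1), int(m.group(2))
        if (ip, port) in iocs.sockets:
            return ("c2_socket", f"{ip}:{port}")
        if ip in iocs.ips:
            return ("c2_ip_other_port", ip)  # weaker: listed host, unlisted port
        return None
    m = PROXY_RE.search(line)
    if m:
        host = (urlsplit(m.group(1)).hostname or "").lower()
        if host in iocs.ips:
            return ("c2_ip", host)
        ind = iocs.host_hit(host)
        if ind:
            return ("c2_host", ind)
    return None


def scan(lines: List[str], iocs: IocSet) -> List[Tuple[str, str, str]]:
    """Hits only: (line, verdict, indicator)."""
    hits = []
    for line in lines:
        res = match_line(line, iocs)
        if res:
            hits.append((line, res[0], res[1]))
    return hits


if __name__ == "__main__":
    for line, verdict, ind in scan(LOG_LINES, IocSet(RAW_IOCS)):
        print(f"{verdict:20} {ind:28} {line}")
```

Sockets are matched exactly first; a connection to a listed IP on an unlisted port is reported separately with a weaker verdict, since the sandbox only saw one port per host and the operator may rotate them.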
Unpacked files (SHA256 / MD5 / SHA1; YARA detections where reported)
SHA256: 03c7096f04ff5c60e9cc2f959fd2b412137ab04e131c54295edf86e6c73a9427 | MD5: 93477906b5ba6f5b376b21d4bf810752 | SHA1: 7dc227ed554b97276fd3385faa9f9af9cc9da18a
SHA256: dad89b9cca7c412934236ee99619455ba50a99a63bb21413d4fcd79ae441daae | MD5: b180ba09c71fbee514daead02222c158 | SHA1: d633a5334d29660175f7f6cb3509033e34fc0167
SHA256: f60bd1658ad05f37e2777cb49ea63588ac24f6e18c3f631d7b11e7a6819e75ed | MD5: 81760d3d0914159e7d6836166efce6bf | SHA1: 15789eee76b780a0bde70071ecb0a738dea445b6
SHA256: 31c5fbbf2c420eec04c859d1de4cc968a521042c89b37259d22860c1f06b82c3 | MD5: 3810282ac410423b0677032702a2dceb | SHA1: 13ba7a447efe3900b02ecb2aa17ac23068a56a74 | Detections: win_raccoon_auto
SHA256: 51a78b5f1799ffe27a1412e5eaa89e46dc32482e140c46ddafcd4c248e701b07 | MD5: 74c38bb6084f0c955a35c2355f6d9bc9 | SHA1: ff3911cf479e9932acbb4148918b1e10e368b13a
SHA256: b7fd0c0227a445847a051fe986bc517e2b136682d98dbe5349e2bc75e0e9e4ec | MD5: c950dfa870dc50ce6e1e2fcaeb362de4 | SHA1: fc1fb7285afa8d17010134680244a19f9da847a1
SHA256: 117f84e539a868321a15ac63d56dbe02f2d88b435a275095af59ae2fa5f01692 | MD5: 5973529559962fc9572497bc7c85b050 | SHA1: f24bfeac21ca95f59df761ee2ee163df1f698aa1
SHA256: 27a9228747973ae9649e8717a2ff77916346560644e734ef2ed946f2767fb128 | MD5: de1b3c28ea026c0ede620dd78199ddc5 | SHA1: ee402371a36bff44c765323ccd8c7e4a56bc8d12
SHA256: 7b9ef5b70b8a93279e5328caa0637cc3534042c6f72f851894870822bde79e70 | MD5: 1867a19085a94ded33cf50711a25111d | SHA1: e0f0220a13ac8173ec861cd59c3f41b3922a064c
SHA256: d626180356047eff85c36abbc7a1752c4f962d79070ffc7803b8db2af3be9be5 | MD5: 26278caf1df5ef5ea045185380a1d7c9 | SHA1: df16e31d1dd45dc4440ec7052de2fc026071286c
SHA256: a158b606115cb2f2784817c767c16ed0fb2a0edd0d6e359f9e750acf198c422b | MD5: 9bc7f69674b15820adf00f3c6cd8679f | SHA1: ccdafab71dc9db4fedf60b731c5fcd11c90d5815
SHA256: 4d7bf2038b241cc664c74c6e979f5fe95434613b0e1cfb6484417cb61793ffb9 | MD5: 3dab7aa5329772c930838683b5599fec | SHA1: 6ef7d0cdedbd1520c1b346a9467aa5837eca679d
SHA256: 7c70948fb0ab4df19061262a6f3b7808ccfebb9c00000a1bc3f975b7e6b80017 | MD5: d6ce91eaa2ef5f50b7a0acdc801cfed6 | SHA1: 56164b3a1b6b31e3ed0e8a83e89127115f966c45
SHA256: a8ca735fa0547d147076d00309acbe79009bc0f1f7d172d94ee2f033cf221665 | MD5: d00a1168f43f14691c73f94ca1d85e7f | SHA1: 4990ad52aa36558d41e4bc682b210024512fb7ba
SHA256: 05ea82ceaaefab3de133e2ed57319799ffb4cf73a98938db65826272f479dd82 | MD5: 16e5520c9acef1fcd3ab35522cd9afa8 | SHA1: 451af975bb1a56e7344d2eafec8bd6e60d4c41ab
SHA256: 174f4f8146a8998395b38774f52063130304ab214257d10badc37464578c8c1d | MD5: 7dc5f09dde69421bd8581b40d994ccd7 | SHA1: 23788ae65ec05a9e542636c6c4e1d9d6be26d05c
SHA256: cd36dcab44921cbfd3912ab894fce86aa1bf84f4f1cac4f6f870e99831ef12bc | MD5: 11136dfe0fc459d2e849060d3bcfb0da | SHA1: 04df971d81b6cc4d8082762ecacaf98a586c7069
SHA256: 0cddd277bd0f1f5510538c0bd9b1cff4c5cd01c5caee8eb9d06b9baa88519052 | MD5: 6449aa2e023c5931ac91815ca54225ed | SHA1: 65b5f4df2c28472469ddf924e6b0d0a61394c612
SHA256: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963 | MD5: f707252b9c9579677fffb013e0cfc646 | SHA1: 8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256: f88e2926a7aff6788062ace2d4999d73a4de253d8758c262e7f674088ec4bbde | MD5: 9c27633bcdf8507a59b7a283a3b2b490 | SHA1: 102ab66902788948457c3cd715fbd3a2650f1933
SHA256: 5f19fbadd8af1e8e0860b84b3b1a4fcc4897c1a4f017b09ff889caef2b6e2f5a | MD5: 9a4c419b347fcec513313d770514059d | SHA1: 057b0caed604a7ae2e8ebce44f5342781da953db
SHA256: 8a09138384ebd9b11786d4f5dc8e9e826dfdf674a9feb17974cda07ed1f0ebe1 | MD5: 673aa6def8e2cbfac96df308faa6da2b | SHA1: 27200f330d414768b5c23e1b5fa33541e0c35c52
SHA256: fcc18547ec688960ce6c4b01712ea680cabf851bdc95786be2d3bce651f4a018 | MD5: e99907c408e9340cee8fff942f7f3e09 | SHA1: 4fa4d581c45fc0203db9e1218b7aaccef631e20e
SHA256: c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347 | MD5: d13d7a330bd2b99acb5c445bb14ab499 | SHA1: 0a598d94482ab95fe1ecd2a0741eb39b7d7defb2

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_onlyLogger
Author: ditekSHen
Description: Detects onlyLogger loader variants

Rule name: MALWARE_Win_Raccoon
Author: ditekSHen
Description: Raccoon stealer payload

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: win_raccoon_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.raccoon.

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968
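Two of the matching rules above (SUSP_XORed_Mozilla and XOREngine_Misc_XOR_Func) look for a keyword hidden under a single-byte XOR key, which is what YARA's xor string modifier does. The following Python is an added example, not the rules' own code or a MalwareBazaar tool: it reimplements that scan for the keyword "Mozilla/5.0" in ASCII and UTF-16LE ("wide") form, skips the plaintext key 0x00 (the description targets the XORed keyword, and the clear User-Agent string is common in benign binaries), and decodes the region around a hit so the analyst can see what the keyword was embedded in. The input buffer is constructed for the example.

```python
from typing import Iterable, List, Tuple

KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_keyword(buf: bytes, keyword: bytes = KEYWORD,
                       keys: Iterable[int] = range(1, 256)) -> List[Tuple[int, int, str]]:
    """Return (offset, key, encoding) for every occurrence of keyword XORed with a
    single-byte key, in ASCII and UTF-16LE form. Key 0x00 is excluded by default,
    so the unobfuscated keyword does not match."""
    variants = [("ascii", keyword), ("wide", keyword.decode().encode("utf-16-le"))]
    hits: List[Tuple[int, int, str]] = []
    for key in keys:
        for encoding, plain in variants:
            needle = xor_bytes(plain, key)
            start = 0
            while (idx := buf.find(needle, start)) != -1:
                hits.append((idx, key, encoding))
                start = idx + 1
    return sorted(hits)


def recover(buf: bytes, hit: Tuple[int, int, str], length: int = 64) -> bytes:
    """Decode `length` bytes from a hit's offset with its key, exposing the
    surrounding plaintext (for instance a complete User-Agent header)."""
    offset, key, _ = hit
    return xor_bytes(buf[offset:offset + length], key)


def build_sample() -> bytes:
    """Constructed buffer: a clear HTTP request line (16 bytes), then a User-Agent
    header containing the keyword XORed with 0x5A, 8 zero bytes, then the wide
    keyword XORed with 0x77. Keyword offsets are therefore 28 (ascii) and 65 (wide)."""
    header = b"GET / HTTP/1.1\r\n"
    ascii_part = xor_bytes(b"User-Agent: " + KEYWORD + b" (Windows NT 10.0)", 0x5A)
    wide_part = xor_bytes(KEYWORD.decode().encode("utf-16-le"), 0x77)
    return header + ascii_part + b"\x00" * 8 + wide_part


if __name__ == "__main__":
    sample = build_sample()
    for hit in find_xored_keyword(sample):
        print(hit, recover(sample, hit, 32))
```

A full 255-key sweep over two needles is cheap on a few megabytes, which is why the YARA rules can afford it; the false-positive risk is in the keyword choice, not the scan, hence the "use with care" on the XOREngine rule.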
