MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Spambot.Kelihos


Vendor detections: 18



SHA256 hash: dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342
SHA3-384 hash: 58fc5924bb9f0c88dc0c8ffb0816d46d8355bf27a55d389a55677a45296f73b02d59a3b47d872ded5d6c88299cfec952
SHA1 hash: d188a80bbada3db531e3bf012a0193e5f4f36682
MD5 hash: 162164f804514756bb0727bc0ff70f04
humanhash: rugby-king-diet-pip
File name: SecuriteInfo.com.Trojan.PWS.Stealer.35404.19534.311
Signature Spambot.Kelihos
File size: 485'888 bytes
First seen: 2023-08-26 03:28:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 12288:BvWbXtHkNShJxoMwUJwPQEDk1wDcERdKncNoRWhrL:BveXtHVhJ6zUJ/E9RdKcNoW
Threatray 2'827 similar samples on MalwareBazaar
TLSH T177A4DFB435451D1D5BAF0116EAF851039D7C6E2F8D2B1BE5AED654F03FBA263F80A280
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter SecuriteInfoCom
Tags: exe Spambot.Kelihos

Intelligence


File Origin
# of uploads :
1
# of downloads :
397
Origin country :
FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.Stealer.35404.19534.311
Verdict:
Malicious activity
Analysis date:
2023-08-26 03:28:38 UTC
Tags:
amadey trojan loader kelihos smoke opendir stealer redline miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Creating a file
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin masquerade packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, Glupteba, LummaC Stealer, RedLin
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample uses string decryption to hide its real strings
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses STUN server to do NAT traversal
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Graph ID 1297712; sample SecuriteInfo.com.Trojan.PWS...; start date 26/08/2023; architecture WINDOWS; score 100. Top-level findings: contacts server1.dazhiruoyu.org; Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures. Process tree recovered from the graph (indentation shows which process started, dropped or injected what; "..." is the graph's own path abbreviation):

SecuriteInfo.com.Trojan.PWS.Stealer.35404.19534.311.exe
  drops C:\Users\user\AppData\Local\...\newplayer.exe (PE32) and C:\Users\user\AppData\Local\...\a22cf276.exe (PE32)
  newplayer.exe
    drops C:\Users\user\AppData\Local\...\oneetx.exe (PE32)
    Antivirus detection, Multi AV Scanner detection and Machine Learning detection for dropped file; Contains functionality to inject code into remote processes
    oneetx.exe
      contacts 79.137.192.18 (ports 49723, 80; PSKSET-ASRU, Russian Federation), 45.9.74.80 (ports 49720, 49721, 49722; FIRST-SERVER-EU-ASRU, Russian Federation) and 3 other IPs or domains
      drops C:\Users\user\AppData\...\religionprosig.exe (PE32+), C:\Users\user\AppData\Local\...\latestX.exe (PE32+), C:\Users\user\AppData\Local\...\alotdatas.exe (PE32) and 5 other malicious files
      Antivirus detection and Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; 2 other signatures
      alotdatas.exe
        Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures
        alotdatas.exe (second instance)
          drops C:\Windows\rss\csrss.exe (PE32)
          Creates multiple autostart registry keys; Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows
          csrss.exe
            contacts server1.dazhiruoyu.org (Uses STUN server to do NAT traversal), bd538037-64fd-4e03-b1df-90ac2a4fdad0.uuid.dazhiruoyu.org and 5 other IPs or domains
            drops C:\Windows\windefender.exe (PE32), C:\Users\user\AppData\Local\...\injector.exe (PE32+), C:\Users\...\NtQuerySystemInformationHook.dll (PE32+) and 5 other malicious files
            Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
          cmd.exe
            netsh.exe (Creates files in the system32 config directory); conhost.exe
          powershell.exe
            conhost.exe
          2 other processes
            conhost.exe; conhost.exe
        powershell.exe
          conhost.exe
      religionprosig.exe
        Creates multiple autostart registry keys
        cmd.exe
          Suspicious powershell command line found; Tries to download and execute files (via powershell); Uses powercfg.exe to modify the power settings; 2 other signatures
          powershell.exe
            contacts ledentiste.ma (41.77.116.197; GTCOMMCA, Morocco)
            drops C:\ProgramData\religiousplanpro.zip (Zip)
          conhost.exe
      latestX.exe
        drops C:\Program Files\Google\Chrome\updater.exe (PE32+) and C:\Windows\System32\drivers\etc\hosts (ASCII)
        Suspicious powershell command line found; Modifies the hosts file; Adds a directory exclusion to Windows Defender
      3 other processes
        Antivirus detection and Machine Learning detection for dropped file; Injects a PE file into a foreign process
        conhost.exe; 8 other processes
  a22cf276.exe
    Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
    injects into explorer.exe
      contacts taibi.at (189.186.63.159; UninetSAdeCVMX, Mexico; Performs DNS TXT record lookups) and 7 other IPs or domains
      drops C:\Users\user\AppData\Roaming\basiiej (PE32), C:\Users\user\AppData\Local\Temp\C244.exe (PE32), C:\Users\user\AppData\Local\Temp\9914.exe (PE32) and 2 other malicious files
      System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Suspicious powershell command line found; 2 other signatures
      cmd.exe
        Modifies power options to not sleep / hibernate; 5 other processes
      cmd.exe
        6 other processes
      powershell.exe
        conhost.exe
      2 other processes
        conhost.exe
oneetx.exe (also started directly at the top level)
TrustedInstaller.exe (started at the top level)
2 other processes (started at the top level)
Threat name:
Win32.Trojan.Amadey
Status:
Malicious
First seen:
2023-08-25 21:51:44 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 37 (81.08%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:glupteba family:smokeloader family:xmrig botnet:pub5 botnet:up3 backdoor dropper evasion loader miner persistence rootkit spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Amadey
Glupteba
Glupteba payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
xmrig
Malware Config
C2 Extraction:
45.9.74.80/0bjdn2Z/index.php
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
Dropper Extraction:
https://ledentiste.ma/12/religion/religiousplanpro.zip
https://ledentiste.ma/12/religion/reliigiousplanpro.zip
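Turning the C2 and dropper URLs above into a detection needs three things the raw list does not spell out: IP indicators must match exactly, name indicators should also match their subdomains (the behavior graph shows bd538037-...uuid.dazhiruoyu.org beside server1.dazhiruoyu.org), and directory-style URLs such as http://taibi.at/tmp/ are prefixes, not exact paths. The following added example (not code from MalwareBazaar or any sandbox vendor) applies those rules over a few constructed proxy log lines; the indicator list is copied from the Malware Config section, while the log layout, timestamps and client addresses are made up for the example.

```python
"""Match proxy log lines against the C2 and dropper URLs extracted above.

Added example, not code from MalwareBazaar or any sandbox vendor. The
indicator list is copied from this entry's Malware Config section; the log
lines and client addresses are constructed for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

C2_URLS = [
    "45.9.74.80/0bjdn2Z/index.php",
    "http://taibi.at/tmp/",
    "http://01stroy.ru/tmp/",
    "http://mal-net.com/tmp/",
    "http://gromograd.ru/tmp/",
    "http://kingpirate.ru/tmp/",
    "https://ledentiste.ma/12/religion/religiousplanpro.zip",
    "https://ledentiste.ma/12/religion/reliigiousplanpro.zip",
]


def normalise(url: str):
    """Split an indicator or observed URL into (host, path). Scheme-less
    entries such as the Amadey C2 above are accepted by prepending http://."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_index(iocs):
    """(host, path, is_prefix): a trailing slash marks a directory IOC that
    matches everything under it; a file IOC must match exactly."""
    return [(h, p, p.endswith("/")) for h, p in map(normalise, iocs)]


def host_matches(observed: str, ioc_host: str) -> bool:
    """IPs must match exactly; names match themselves and their subdomains."""
    if is_ip(ioc_host):
        return observed == ioc_host
    return observed == ioc_host or observed.endswith("." + ioc_host)


def match_url(observed_url: str, index):
    """Return ("url", ioc) for a full URL match, ("host", ioc_host) when only
    the host matches, or None."""
    host, path = normalise(observed_url)
    host_hit = None
    for ioc_host, ioc_path, is_prefix in index:
        if not host_matches(host, ioc_host):
            continue
        if (is_prefix and path.startswith(ioc_path)) or path == ioc_path:
            return ("url", ioc_host + ioc_path)
        host_hit = host_hit or ("host", ioc_host)
    return host_hit


# Constructed log lines in a Squid-like layout: time client status method url
LOG = """\
1693017000.123 10.0.0.5 TCP_MISS/200 POST http://45.9.74.80/0bjdn2Z/index.php
1693017001.456 10.0.0.5 TCP_MISS/200 GET http://taibi.at/tmp/abc123.exe
1693017002.789 10.0.0.7 TCP_MISS/200 GET https://www.example.com/tmp/
1693017003.000 10.0.0.5 TCP_MISS/200 GET https://ledentiste.ma/12/religion/religiousplanpro.zip
1693017004.000 10.0.0.9 TCP_MISS/200 GET http://cdn.taibi.at/static/logo.png
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)$")


def scan(log_text: str, iocs=C2_URLS):
    """Return (client, url, hit) for every line that touches an indicator."""
    index = build_index(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url = m.groups()
        hit = match_url(url, index)
        if hit:
            hits.append((client, url, hit))
    return hits


if __name__ == "__main__":
    for client, url, (level, ioc) in scan(LOG):
        print(f"{level:4s} {client:10s} {url}  <- {ioc}")
```

A "url" hit is a direct match on a listed C2 or dropper URL; a "host" hit means only the domain matched and deserves a look (the /tmp/ paths are the SmokeLoader gates, but the same hosts may serve other paths). Nothing here matches www.example.com/tmp/, because the path alone is not an indicator.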
Unpacked files
SHA256 hash:
f382b70d1245e7d3eac5638c9998ec3c989d41f91dd188cd1d60697b575658d5
MD5 hash:
c04014abbcf2ce2f729916dd2d68c3b5
SHA1 hash:
43261a781a05a6c8862d8810c500b3944d23a3c4
SHA256 hash:
dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342
MD5 hash:
162164f804514756bb0727bc0ff70f04
SHA1 hash:
d188a80bbada3db531e3bf012a0193e5f4f36682
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:crime_ZZ_botnet_aicm
Author:imp0rtp3
Description:DDoS Golang Botnet sample for linux called 'aicm'
Reference:https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:dsc
Author:Aaron DeVera
Description:Discord domains
Rule name:Glupteba
Rule name:GoBinTest
Rule name:golang
Rule name:Golangmalware
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:HiveRansomware
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Author:ditekSHen
Description:Detects executables containing artifacts associated with disabling Windows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author:ditekSHen
Description:Detects executables containing Discord URLs observed in first-stage droppers
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Websites
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UroburosVirtualBoxDriver
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security
Rule name:yara_template
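The BitcoinAddress rule listed above is described as matching a valid Bitcoin address; an address-shaped string and a valid address are not the same thing, and on a sample tagged miner and stealer the difference decides whether the hit is a hard-coded wallet worth pivoting on or a random Base58-looking blob. The following added example (not Didier Stevens' rule and not MalwareBazaar code) scans a buffer for legacy address-shaped strings and validates the Base58Check checksum. The buffer is constructed; its one genuine address is the public Bitcoin genesis-block address, and the second candidate is that address with its last character changed.

```python
"""Triage helper for a BitcoinAddress YARA hit.

Added example, not Didier Stevens' rule nor MalwareBazaar code. A pattern
only finds address-shaped strings; this validates the Base58Check checksum
so a hit can be confirmed or discarded. SAMPLE is a constructed buffer.
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH shape: version char 1 or 3, then 25..34 Base58 chars.
ADDR_RE = re.compile(rb"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def base58_decode(s: str) -> bytes:
    """Decode Base58; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_address(s: str) -> bool:
    """Base58Check: 21-byte payload || sha256(sha256(payload))[:4]."""
    try:
        raw = base58_decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_addresses(buf: bytes):
    """Return (candidate, valid) for every address-shaped string in buf."""
    out = []
    for m in ADDR_RE.finditer(buf):
        cand = m.group(0).decode("ascii")
        out.append((cand, is_valid_address(cand)))
    return out


# Constructed buffer: one real address (the genesis-block address), one with
# a corrupted final character, and some surrounding bytes.
SAMPLE = (b"\x00\x00wallet=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa;"
          b"fake=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb;\x90\x90")


if __name__ == "__main__":
    for cand, ok in find_addresses(SAMPLE):
        print(f"{cand}  {'valid' if ok else 'checksum mismatch'}")
```

Run `find_addresses` over the unpacked sample or the process dump the rule fired on; only candidates reported valid are worth searching for in blockchain explorers or feeding back as indicators. Bech32 (bc1...) addresses use a different encoding and are out of scope for this check.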

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Spambot.Kelihos
File type: Executable exe
SHA256 hash: dc8ce8ab78c6cdddfd1ccd40a3b8d4d177a9ab9de871bbf9e81c54b97e29a342 (this sample)

Delivery method
Distributed via web download

Comments