MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
SHA3-384 hash: acf7a1c94e81db09586e7f628f24658be867ac6e140f388f8c9ffc3196889c7ee805090cd22f13209247fba1da9d185c
SHA1 hash: 2d47c7c03448828b032c7c9b9774a87406e5fc2f
MD5 hash: 67230006b6b5131c6f77907948a822ce
humanhash: michigan-johnny-fanta-tango
File name:DEAF22C4CADD171EF59FC8E6299D26BD4679B965D2409.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:2'606'374 bytes
First seen:2022-06-05 05:31:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcBTPkZVi7iKiF8cUvFyPx64lXqnZbl7pok0rn0EwJ84vLRaBtIl9mT2oYYldhHn:xPri7ixZUvFyPDlXqnZVpokACvLUBsKP
TLSH T195C533613FD6C0FBD6661130AB802FB575FAC3D8071008D76754BA1D4FB89A5D03BAAA
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter abuse_ch
Tags:CoinMiner exe


Avatar
abuse_ch
CoinMiner C2:
http://zfko.org/test3/get.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://zfko.org/test3/get.php https://threatfox.abuse.ch/ioc/656056/

Intelligence

File Origin
# of uploads :
1
# of downloads :
425
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DEAF22C4CADD171EF59FC8E6299D26BD4679B965D2409.exe
Verdict:
No threats detected
Analysis date:
2022-06-05 05:34:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb78794d-afc2-48f2-ad60-3dbb7cd0552b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276702/
Detection(s):
SecuriteInfo.com.Variant.Zusy.354347.UNOFFICIAL
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Packed.SmokeLoader-9880490-1
Create hunting rule

Win.Malware.Jaik-9882967-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Moving a file to the %temp% subdirectory
Running batch commands
Sending a custom TCP request
DNS request
Creating a window
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult barys overlay packed shell32.dll upatre
Link:
https://www.filescan.io/uploads/629c3fd4b672a91e793f07eb/reports/fe74b615-eb6b-4612-93b6-06bcd38be74b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1327cd7-7822-4c48-8375-bc9e46896a9c
Result
Threat name:
Nitol, PrivateLoader, RedLine, SmokeLoad
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1006797
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Nitol
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 639293 Sample: DEAF22C4CADD171EF59FC8E6299... Startdate: 05/06/2022 Architecture: WINDOWS Score: 100 115 google.vrthcobj.com 2->115 117 vzsbmWfbWDDQwzaIQDclCwgTcaw.vzsbmWfbWDDQwzaIQDclCwgTcaw 2->117 119 3 other IPs or domains 2->119 147 Snort IDS alert for network traffic 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 Antivirus detection for URL or domain 2->151 155 16 other signatures 2->155 11 DEAF22C4CADD171EF59FC8E6299D26BD4679B965D2409.exe 15 2->11         started        15 rundll32.exe 2->15         started        signatures3 153 System process connects to network (likely due to code injection or exploit) 115->153 process4 dnsIp5 135 192.168.2.1 unknown unknown 11->135 103 C:\Users\user\AppData\...\setup_install.exe, PE32 11->103 dropped 105 C:\Users\user\AppData\Local\...\arnatic_7.txt, PE32+ 11->105 dropped 107 C:\Users\user\AppData\Local\...\arnatic_6.txt, PE32 11->107 dropped 109 10 other files (5 malicious) 11->109 dropped 17 setup_install.exe 1 11->17         started        22 rundll32.exe 15->22         started        file6 process7 dnsIp8 111 motiwa.xyz 99.83.154.118, 49745, 80 AMAZON-02US United States 17->111 113 127.0.0.1 unknown unknown 17->113 77 C:\Users\user\...\arnatic_6.exe (copy), PE32 17->77 dropped 79 C:\Users\user\...\arnatic_5.exe (copy), PE32 17->79 dropped 81 C:\Users\user\...\arnatic_4.exe (copy), PE32 17->81 dropped 83 4 other files (2 malicious) 17->83 dropped 157 Detected unpacking (changes PE section rights) 17->157 159 Performs DNS queries to domains with low reputation 17->159 24 cmd.exe 1 17->24         started        26 cmd.exe 1 17->26         started        28 cmd.exe 1 17->28         started        37 5 other processes 17->37 161 Writes to foreign memory regions 22->161 163 Allocates memory in foreign processes 22->163 165 Creates a thread in another existing process (thread injection) 22->165 30 svchost.exe 22->30 injected 33 svchost.exe 22->33 injected 35 svchost.exe 22->35 injected 39 6 other processes 22->39 file9 signatures10 process11 signatures12 41 arnatic_5.exe 24->41         started        46 arnatic_2.exe 1 26->46         started        48 arnatic_6.exe 28->48         started        201 System process connects to network (likely due to code injection or exploit) 30->201 203 Sets debug register (to hijack the execution of another thread) 30->203 205 Modifies the context of a thread in another process (thread injection) 30->205 50 svchost.exe 30->50         started        52 arnatic_1.exe 2 37->52         started        54 arnatic_4.exe 14 2 37->54         started        56 arnatic_3.exe 12 37->56         started        58 arnatic_7.exe 37->58         started        process13 dnsIp14 131 15 other IPs or domains 41->131 93 C:\Users\...\w1nL7kPJDj5mFJqh3RoggIP6.exe, PE32 41->93 dropped 95 C:\Users\...\jnYZXG6aI_X0qZV10N0UEr_T.exe, PE32 41->95 dropped 97 C:\Users\...\iW1FnSUU8DsMVPTd7ltAUO6N.exe, PE32+ 41->97 dropped 101 15 other files (14 malicious) 41->101 dropped 167 Drops PE files to the document folder of the user 41->167 169 May check the online IP address of the machine 41->169 171 Creates HTML files with .exe extension (expired dropper behavior) 41->171 173 Disable Windows Defender real time protection (registry) 41->173 60 59tTPqCoIfgyBu5qU_ZzIZ89.exe 41->60         started        63 BP6vYolDM91WzXhpM53SKeL_.exe 41->63         started        99 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 46->99 dropped 175 DLL reload attack detected 46->175 177 Detected unpacking (changes PE section rights) 46->177 179 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->179 189 4 other signatures 46->189 66 explorer.exe 46->66 injected 121 music-s.xyz 48->121 133 2 other IPs or domains 48->133 181 Performs DNS queries to domains with low reputation 48->181 123 google.vrthcobj.com 50->123 183 Query firmware table information (likely to detect VMs) 50->183 185 Creates processes via WMI 52->185 69 arnatic_1.exe 52->69         started        125 cdn.discordapp.com 162.159.134.233, 443, 49747, 49751 CLOUDFLARENETUS United States 54->125 187 Detected unpacking (overwrites its own PE header) 54->187 127 sslamlssa1.tumblr.com 74.114.154.22, 443, 49749 AUTOMATTICUS Canada 56->127 71 WerFault.exe 56->71         started        129 s.lletlee.com 58->129 73 WerFault.exe 58->73         started        file15 signatures16 process17 dnsIp18 191 Detected unpacking (changes PE section rights) 60->191 193 Detected unpacking (overwrites its own PE header) 60->193 137 memorial.asvp.org.br 186.202.153.98, 443, 49980 LocawebServicosdeInternetSABR Brazil 63->137 139 tiny.one 104.21.234.38, 443, 49977 CLOUDFLARENETUS United States 63->139 141 conceitosseg.com 91.195.240.117, 49927, 49928, 49933 SEDO-ASDE Germany 66->141 143 telanganadigital.com 66->143 145 2 other IPs or domains 66->145 85 C:\Users\user\AppData\Roaming\rsjscvc, PE32 66->85 dropped 195 System process connects to network (likely due to code injection or exploit) 66->195 197 Benign windows process drops PE files 66->197 199 Hides that the sample has been downloaded from the Internet (zone.identifier) 66->199 87 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 69->87 dropped 89 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 69->89 dropped 91 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 69->91 dropped 75 conhost.exe 69->75         started        file19 signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89/
Threat name:
Win32.Downloader.ShortLoader
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 11:09:27 UTC
File Type:
PE (Exe)
Extracted files:
148
AV detection:
22 of 26 (84.62%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32xsfrgk3ulr55m7zdtcthjgxvdhtolf2jajpjeodt4pfa5a5oeq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:redline family:vidar botnet:933 botnet:mx botnet:top aspackv2 discovery evasion infostealer persistence ransomware spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220605-f8aatsgeb3/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
Malware Config
C2 Extraction:
185.215.113.75:81
193.106.191.222:23196
http://zfko.org/test3/get.php
https://sslamlssa1.tumblr.com/
Unpacked files
SH256 hash:
c7b04fbcec4fb07d04eb36f20866ac6d95709281a96db8ea2b8266ae40361818
MD5 hash:
911a3105c863639fb5310046dd547221
SHA1 hash:
da492d8c31a760318513da006c8f4f8b766ae724
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
2a90c166dfdd8c515ae4138a0c8b30b4011ace0b83c229ce291e3b592edd2802
MD5 hash:
61cf41057c09bd7b801e18ac34bb2862
SHA1 hash:
c9a3ad6be1e2f85a9afc4c918e141b771512224a
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
ef83a2c9f244da974619a0acd227cbe73541970196f8a1b48955d7f434c53568
MD5 hash:
f29a39b4b679a526b5bc9e66ae65be19
SHA1 hash:
a52ee9a8722ec74091c5c2c559703f7c677530d6
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
fef028c6eca2d0addeb19dacedcc97cd34f73a4ab8056ddc287dd86551b5c707
MD5 hash:
cfcd04cb50a5d48b368c76a353a8b58a
SHA1 hash:
7d76e8474b4b70d4f8e62653361c7b451a8f2fd2
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
Parent samples :
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
70e50de48c85c25259cf5247205792b0eb339ca700867c2a9a3ecfa7c4fca156
6f6585d3df024c6e411a075d856c79cc7a70e5509006e53dcaafeb8fc418fdf8
67cd381d1702cb66cc450e13b1e8a27a3ff8c6713af8a925945b1cb449247578
ca6b067a980f478a2829c6d326936c449f284e93bf64201bfecf0015937b09e9
afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
e52e6bbf7705f9b90e4a20f2935cb86ee6078035f14d873d1c126c6ba9ccc551
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
55f22aa33b837e543e8a58408ed843e41515292dead43b57b2ae42b735c34f11
20e1bc5813941642186774cd0aa40989c3d119d7a70b7a6be5d3d8df6185c020
cd53d44c68b4b58f88aa945ca38dd18e0a66c3f0854f5868fbea4345f7819fb4
SH256 hash:
bb5bef0787b5d09feedda645d4e1e0e16054cb39ac1678e740bb67dbd13eee31
MD5 hash:
a267bc17fa0bfaf16f273c7ff31ca061
SHA1 hash:
d7379da19e954b912f92d9e90112b113c54b4b4c
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
3c33e130ffc0a583909982f29c38bffb518ae0fd0ef7397855906beef3cd993d
MD5 hash:
4a1a271c67b98c9cfc4c6efa7411b1dd
SHA1 hash:
e2325cb6f55d5fea29ce0d31cad487f2b4e6f891
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
755a4266245c52bcd0328044c8a0908b2daafbad140cee06830b991493f21f60
MD5 hash:
6765fe4e4be8c4daf3763706a58f42d0
SHA1 hash:
cebb504bfc3097a95d40016f01123b275c97d58c
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
973237e44d330222a664b284f62b8c5d41e24bcb50972ea66032cf45a6941469
MD5 hash:
858d32f4eec0d8d03e615c2a3e756a05
SHA1 hash:
6d7bbb97494a9f0ca310e7b978ddd11b4ee0369d
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
9dceb98897449301abae8c813d58776486d69386c163fc83303514b80b6a325f
MD5 hash:
16e73f43112876b00b9719fc5004642c
SHA1 hash:
4660cc23492c3c8f5c5cda919fc3261df65d385f
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
922eae111138253f28662773cc7ec7de84df131ceb315fc299f64bba401f7fa4
MD5 hash:
e3028d6556dde2a4c0f02e4a44f1936f
SHA1 hash:
22f635be28c38df8c9a534f28e64adf8b5b74354
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
SH256 hash:
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
MD5 hash:
67230006b6b5131c6f77907948a822ce
SHA1 hash:
2d47c7c03448828b032c7c9b9774a87406e5fc2f
Link:
https://www.unpac.me/results/b00feb9f-ec49-472d-8ce8-96c1d1e58625/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276702/

Comments