MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 7



SHA256 hash: df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
SHA3-384 hash: 873a02d3acf3b858d84fa2c6fa626043c245f6c8df7edd0d6323f77053fd13806b46c30f81f3fb54e0df872c6515af02
SHA1 hash: f4afe14c1b392514350f4495c44f998d3f19128f
MD5 hash: 718b5089505fed92d1a44dc0dbeb36dc
humanhash: berlin-cola-spring-bakerloo
File name: 718B5089505FED92D1A44DC0DBEB36DC.exe
Signature: RedLineStealer
File size: 2'907'816 bytes
First seen: 2021-07-29 18:40:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep: 49152:xcBszOxu3gCpbwOXh+1b4yFjErlsV6SP5iWyZ9KFFdZyZmj9MJ0yEwJ84vLRaBtf:xSizpbwOxKb4y8sVwWyZ0aZw9zCvLUBN
Threatray: 245 similar samples on MalwareBazaar
TLSH: T19CD533227BE282FBDAA14132E60A5BF270FDD3C6192415977380831E5F7ECA1D16F469
dhash icon: 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
109.234.34.165:22204

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC    ThreatFox reference
109.234.34.165:22204 https://threatfox.abuse.ch/ioc/163783/
45.14.49.117:14251 https://threatfox.abuse.ch/ioc/163787/
185.230.143.16:32115 https://threatfox.abuse.ch/ioc/163855/
141.136.0.181:80 https://threatfox.abuse.ch/ioc/164561/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 162
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Backstage Stealer RedLine SmokeLoader So
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 456493, sample ErGfibAynh.exe, start date 29/07/2021, architecture WINDOWS, score 100. The graph image is rendered here as a process tree (child processes indented under their parent; "other" counts are as shown on the graph):

Top-level network: 45.136.151.102 (ENZUINC-US, Latvia); 172.67.176.199 (CLOUDFLARENETUS, United States)
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 17 other signatures

ErGfibAynh.exe
  dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\Local\...\sonia_7.txt (PE32+); C:\Users\user\AppData\Local\...\sonia_6.txt (PE32); 10 other files (none is malicious)
  setup_install.exe
    network: watira.xyz 104.21.47.76:80 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\AppData\...\sonia_5.exe (copy, PE32); C:\Users\user\AppData\...\sonia_4.exe (copy, PE32); C:\Users\user\AppData\...\sonia_3.exe (copy, PE32); 4 other files (2 malicious)
    signatures: Detected unpacking (changes PE section rights); Performs DNS queries to domains with low reputation
    cmd.exe
      sonia_5.exe
        network: 37.0.11.9:80 (WKD-ASIE, Netherlands); 103.155.92.19 (TWIDC-AS-AP TWIDC Limited HK, unknown); 10 other IPs or domains
        dropped: C:\Users\...\yT4uiTsYcpTGWechvrqB9xrS.exe (PE32); C:\Users\...\t8aEW56yVXnMyVbv_RfJHioY.exe (PE32); C:\Users\...\rxXbBpOYfFKqveSuBHbXev0B.exe (PE32); 37 other files (22 malicious)
        signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
        rxXbBpOYfFKqveSuBHbXev0B.exe
          network: 74.114.154.22 (AUTOMATTICUS, Canada)
          dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\softokn3.dll (PE32); C:\ProgramData\nss3.dll (PE32); 3 other files (none is malicious)
          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        5 other processes
          network: 194.226.139.141 (RUSAGRO-ASRU, Russian Federation); 77.220.213.35 (ON-LINE-DATA Serverlocation-Netherlands Dronten NL, Ukraine)
    cmd.exe
      signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      sonia_1.exe
        signatures: Creates processes via WMI
        sonia_1.exe
          network: live.goatgame.live 172.67.222.125:443 (CLOUDFLARENETUS, United States)
          dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
          conhost.exe
    cmd.exe
      sonia_6.exe
        cmd.exe
          cmd.exe
            signatures: Obfuscated command line found; Uses ping.exe to sleep
            Triste.exe.com
              Triste.exe.com
                dropped: C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
                signatures: Injects a PE file into a foreign processes
            PING.EXE
              network: 127.0.0.1
            findstr.exe
              dropped: C:\Users\user\AppData\...\Triste.exe.com (Targa)
          conhost.exe
    5 other processes
      sonia_4.exe
        network: 2 other IPs or domains
        dropped: C:\Users\user\AppData\Roaming\8424147.exe (PE32); 3 other files (none is malicious)
        signatures: Detected unpacking (changes PE section rights)
        7229174.exe
          network: 172.67.145.153 (CLOUDFLARENETUS, United States)
          dropped: C:\ProgramData\49\vcruntime140.dll (PE32); C:\ProgramData\49\sqlite3.dll (PE32); 5 other files (none is malicious)
        8424147.exe
          dropped: C:\Users\user\AppData\...\WinHoster.exe (PE32)
          signatures: Detected unpacking (changes PE section rights)
        2 other processes
          conhost.exe
      sonia_3.exe
        network: 3 other IPs or domains
        dropped: 6 other files (none is malicious)
        signatures: Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets
      sonia_2.exe
        dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
        signatures: DLL reload attack detected; Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)
        explorer.exe (injected)
      sonia_7.exe
        network: 208.95.112.1 (TUT-ASUS, United States); 2 other IPs or domains
        dropped: 3 other files (none is malicious)
        2 other processes
Threat name: Win32.Trojan.ArkeiStealer
Status: Malicious
First seen: 2021-07-26 02:54:30 UTC
AV detection: 30 of 46 (65.22%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:932 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
autoit_exe
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
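The sandbox signatures listed above (ping.exe used to sleep, Windows Defender real-time protection disabled through the registry, a Run key added, timeout.exe delays, processes created via WMI, Triste.exe.com executed from under AppData, an obfuscated command line) are the kind of host telemetry a process-creation log (Sysmon Event ID 1 or equivalent) captures. The following is an added example, not MalwareBazaar, abuse.ch or sandbox-vendor code, that turns each of those signatures into a small rule and runs them over constructed events. The event schema, the rule names, the caret heuristic and every command line are assumptions; file names are borrowed from the behaviour graph where one exists, and nothing here was recovered from the sample.

```python
"""Flag the host-side behaviours this entry's sandbox reports, over process-creation events.

Added example for this page; not MalwareBazaar, abuse.ch or sandbox-vendor code.
The event schema (image, parent_image, cmdline) and every event in SAMPLE_EVENTS
are constructed: file names come from the behaviour graph where one exists, the
command lines are assumed rather than recovered from the sample.
"""
import re
from pathlib import PureWindowsPath

RULES = []

def rule(name):
    """Register a predicate over one event as a named detection."""
    def wrap(fn):
        RULES.append((name, fn))
        return fn
    return wrap

def image_name(ev):
    return PureWindowsPath(ev["image"]).name.lower()

def parent_name(ev):
    return PureWindowsPath(ev.get("parent_image", "")).name.lower()

@rule("ping_sleep")
def ping_sleep(ev):
    # "Uses ping.exe to sleep": ping against loopback with a large -n count, launched by cmd.exe.
    if image_name(ev) != "ping.exe" or parent_name(ev) != "cmd.exe":
        return False
    count = re.search(r"-n\s+(\d+)", ev["cmdline"], re.I)
    loopback = re.search(r"127\.0\.0\.1|localhost", ev["cmdline"], re.I)
    return bool(count and loopback) and int(count.group(1)) >= 5

@rule("timeout_delay")
def timeout_delay(ev):
    # "Delays execution with timeout.exe"
    return image_name(ev) == "timeout.exe"

@rule("defender_rtp_disable")
def defender_rtp_disable(ev):
    # "Disable Windows Defender real time protection (registry)": the policy value is
    # DisableRealtimeMonitoring; reg.exe or PowerShell (Set-MpPreference) can set it.
    cl = ev["cmdline"].lower()
    return "disablerealtimemonitoring" in cl and image_name(ev) in ("reg.exe", "powershell.exe")

@rule("run_key_persistence")
def run_key_persistence(ev):
    # "Adds Run key to start application"
    cl = ev["cmdline"].lower()
    return image_name(ev) == "reg.exe" and " add " in cl and "\\currentversion\\run" in cl

@rule("wmi_spawned")
def wmi_spawned(ev):
    # "Creates processes via WMI": Win32_Process.Create children are parented by WmiPrvSE.exe.
    return parent_name(ev) == "wmiprvse.exe"

@rule("double_extension_from_userprofile")
def double_extension(ev):
    # The graph shows Triste.exe.com dropped under AppData and then executed from cmd.exe.
    path = str(PureWindowsPath(ev["image"])).lower()
    return path.endswith(".exe.com") and "\\appdata\\" in path

@rule("caret_obfuscated_cmdline")
def caret_obfuscated(ev):
    # Heuristic (assumption, not the sandbox's own definition of "Obfuscated command
    # line found"): several ^ escape characters inside a cmd.exe command line.
    return image_name(ev) == "cmd.exe" and ev["cmdline"].count("^") >= 3

def evaluate(ev):
    """Names of every rule that fires for one event, in registration order."""
    return [name for name, fn in RULES if fn(ev)]

def scan(events):
    """(index, fired rules) for each event that triggers at least one rule."""
    out = []
    for i, ev in enumerate(events):
        fired = evaluate(ev)
        if fired:
            out.append((i, fired))
    return out

# Constructed events (command lines assumed; see module docstring).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\user\AppData\Local\Temp\setup_install.exe",
     "cmdline": r'cmd /c ping 127.0.0.1 -n 30 > nul & "C:\Users\user\AppData\Local\Temp\sonia_1.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c p^i^n^g 127.0.0.1 -n 30 & Triste.exe.com"},
    {"image": r"C:\Windows\System32\PING.EXE", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ping 127.0.0.1 -n 30"},
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Users\user\AppData\Local\Temp\sonia_5.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Users\user\AppData\Roaming\8424147.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinHoster /t REG_SZ /d "C:\Users\user\AppData\Roaming\WinHoster.exe" /f'},
    {"image": r"C:\Users\user\AppData\Local\Temp\Triste.exe.com", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "Triste.exe.com"},
    {"image": r"C:\Users\user\AppData\Local\Temp\sonia_1.exe", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "sonia_1.exe"},
    {"image": r"C:\Windows\System32\timeout.exe", "parent_image": r"C:\Users\user\AppData\Local\Temp\sonia_4.exe",
     "cmdline": "timeout /t 15"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, fired in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(fired)}")
```

The rules key on the child process (ping.exe, reg.exe, timeout.exe) rather than on the cmd.exe line that launched it, so a chained `cmd /c ping ... & payload.exe` is still caught once the child actually starts; the caret rule is the only one that inspects cmd.exe itself, and its threshold is a tunable guess.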
Malware Config
C2 Extraction:
https://shpak125.tumblr.com/
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
109.234.34.165:22204
https://xeronxikxxx.tumblr.com/
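The IOC table and the C2 Extraction list above give four IP:port endpoints and a set of URL-based C2 hosts (two tumblr.com profiles, five /upload/ check-in URLs, and the readinglistforjulyN domains for N = 1..10 across the .xyz, .site and .club TLDs). As an added example, not MalwareBazaar or abuse.ch tooling, the following matches those values against proxy and flow log lines. The IOC values are copied from this entry; the log line format, the log lines themselves, and the severity ranking are constructed for the demonstration.

```python
"""Scan proxy / flow logs for the network IOCs in this MalwareBazaar entry.

Added example for this page; not tooling from MalwareBazaar or abuse.ch. The IOC
values are copied from the entry. The log line format and the log lines are
constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# IP:port C2 endpoints from the "Indicators Of Compromise" table and the
# "C2 Extraction" list (the RedLine C2 109.234.34.165:22204 appears in both).
C2_SOCKETS = {
    ("109.234.34.165", 22204),
    ("45.14.49.117", 14251),
    ("185.230.143.16", 32115),
    ("141.136.0.181", 80),
}
C2_IPS = {ip for ip, _ in C2_SOCKETS}

# URL C2 from "C2 Extraction". The thirty readinglistforjulyN.{xyz,site,club}
# entries (N = 1..10) are generated rather than typed out.
C2_URLS = [
    "https://shpak125.tumblr.com/",
    "https://xeronxikxxx.tumblr.com/",
    "http://conceitosseg.com/upload/",
    "http://integrasidata.com/upload/",
    "http://ozentekstil.com/upload/",
    "http://finbelportal.com/upload/",
    "http://telanganadigital.com/upload/",
] + [
    f"http://readinglistforjuly{n}.{tld}/"
    for tld in ("xyz", "site", "club")
    for n in range(1, 11)
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

SEVERITY_RANK = {"medium": 1, "high": 2}

# Constructed log format (not any vendor's):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <method> [<url>]
# A plain flow record with no HTTP layer uses "-" as the method.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<method>\S+)(?: (?P<url>\S+))?$"
)

def classify(line):
    """Return (severity, reason) for a line that touches an IOC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, dport, url = m["dst"], int(m["dport"]), m["url"]
    hits = []
    if (dst, dport) in C2_SOCKETS:
        hits.append(("high", f"known C2 socket {dst}:{dport}"))
    elif dst in C2_IPS:
        # Same host on a different port: the infrastructure is known bad,
        # but the entry only vouches for the listed port.
        hits.append(("medium", f"known C2 host {dst} on unlisted port {dport}"))
    if url:
        parts = urlsplit(url)
        if parts.hostname in C2_HOSTS:
            # /upload/ is the check-in path given in the extracted config; a bare
            # "/" on the same host is ranked lower (assumption) pending review.
            sev = "high" if parts.path.startswith("/upload") else "medium"
            hits.append((sev, f"URL host {parts.hostname} is in the extracted C2 list"))
    if not hits:
        return None
    return max(hits, key=lambda h: SEVERITY_RANK[h[0]])

def scan(lines):
    """Run classify() over an iterable of log lines; return the findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append({"line": n, "severity": hit[0], "reason": hit[1]})
    return findings

# Constructed log lines; the RFC 1918 and TEST-NET addresses are placeholders.
SAMPLE_LOG = [
    "2021-07-29T18:41:02Z 10.0.0.15:50122 -> 109.234.34.165:22204 -",
    "2021-07-29T18:41:05Z 10.0.0.15:50123 -> 203.0.113.10:80 GET http://readinglistforjuly3.xyz/",
    "2021-07-29T18:41:09Z 10.0.0.22:50200 -> 198.51.100.7:80 POST http://conceitosseg.com/upload/",
    "2021-07-29T18:41:11Z 10.0.0.22:50201 -> 141.136.0.181:443 -",
    "2021-07-29T18:41:20Z 10.0.0.31:50300 -> 198.51.100.9:443 GET https://example.com/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: [{f['severity']}] {f['reason']}")
```

Matching on the URL host as well as on the socket matters here because the URL C2s resolve through Cloudflare and similar shared front ends (see the CLOUDFLARENETUS entries in the behaviour graph), so an IP-only blocklist built from this entry would miss them.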
Unpacked files

SHA256 hash: c204948f88c6d384b39069c2c5c69ed62105ee73f391ff105b3e36081f12fc5d
MD5 hash: cd8b4ea3aa92a0ed9eee929b3585c711
SHA1 hash: da430a7a38bd3c7ad75ab6e9ed4a4ca6a077ac54

SHA256 hash: 3136aed515809f99777ca8c03399d080413ba2d553dce69b19dd894d10ef9ac6
MD5 hash: 46467590f74558e51bd49233c34d03c0
SHA1 hash: ca412332cdce9dfa2c07b6fc00e2f524dd89e977

SHA256 hash: 944d0036c359c3406803a1b8ebb0f434e9a53bf443cce4a92038202cbfd71655
MD5 hash: e392bc384c98ddd5dd55794a096ab787
SHA1 hash: afd2c5471065d10ee67d89b037360d80b9474885

SHA256 hash: 62a55fe169c776651d2c4061597373cc19a9fd89660eb1c6d0a17c0231cb7e18
MD5 hash: 7dd2640ec31132a5496cad4094d5077f
SHA1 hash: 76aa4cdafa07236e3869192d3a253d29e77644ba

SHA256 hash: 6ea92579c10ff6128399ec8092b44388da56b89e83103797601d334d6c866ca0
MD5 hash: f14bcba48fb3817154228ed4cf9df6cb
SHA1 hash: 26ae758142d6dd0d69d5f4ff127a0d9c633b6690

SHA256 hash: 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
MD5 hash: c0d18a829910babf695b4fdaea21a047
SHA1 hash: 236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256 hash: 752cf61d7e4b646c7e622e4a15704ee6447729041ec9987003bd53aa0eb45fcb
MD5 hash: dc24e11e3540fae0a012684247a1f5ae
SHA1 hash: 1f6f1e6ec0f9d4cc63e2d30d2b5982fe9f27081f

SHA256 hash: 11df0df73ea2dd167018151f5cf2ea3f0dcb6fc4dfb2e9831b18a6705b0e9d25
MD5 hash: f837fb56b265a7e6fa5ea966984dbc92
SHA1 hash: 7e54da64fe510b7f8c0f686278947c3b3839e18c

SHA256 hash: 11c0a320ddfb4351785663d9b617bf1300bdfc3ad3b5e1ae4990429ffe327621
MD5 hash: c326845c8e0499b1a6208b183c49b6f4
SHA1 hash: 0142d5feafd3e536ac196e1929cee60d51b5c44d

SHA256 hash: d97f6c9a42157b01cdd6ac11ea6fff45a3a8d4c4483d1ba3d68c47761a242224
MD5 hash: 1347606800fd85705b595296aa3d8db3
SHA1 hash: 9ea2b85c750ddb4ae1f61bc2ef0bb3ef0aeeee0f

SHA256 hash: df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
MD5 hash: 718b5089505fed92d1a44dc0dbeb36dc
SHA1 hash: f4afe14c1b392514350f4495c44f998d3f19128f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: RedOctoberPluginCollectInfo

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments