MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5203487f0bbd037f06aeda5aad3c304f9217260659212afc6be5ad85a35fcb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OskiStealer


Vendor detections: 10


Intelligence 10 IOCs 4 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5203487f0bbd037f06aeda5aad3c304f9217260659212afc6be5ad85a35fcb7
SHA3-384 hash: abdd93e760197cc4db07a683a7af0a74c17b412ee879a934eaafdd80ff9fd28fceaea5982d20a9ef2567e911261fc16c
SHA1 hash: 0a5d3022910c6e6c5898fc4dbb910d16aaf7b19d
MD5 hash: 9fdbef65cc23db119d0a7b158ffbfa5a
humanhash: ten-juliet-magnesium-thirteen
File name:9FDBEF65CC23DB119D0A7B158FFBFA5A.exe
Download: download sample
Signature OskiStealer
Create hunting rule
File size:2'849'503 bytes
First seen:2021-07-18 12:15:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer)
ssdeep 49152:xcByPkZVi7iKiF8cUvFyP/ctQ82txhogAWSSo9MlxANIUsf6q2hJAUntvEwJ84vh:xcri7ixZUvFyPb8272ZSoqUCUsf6q2v/
Threatray 179 similar samples on MalwareBazaar
TLSH T1FDD533223BC6D0F7E70321395E903FA6A1F5D35C1A2648DBBB80D61E4F259D6802976B
Reporter abuse_ch
Tags:exe OskiStealer


Avatar
abuse_ch
OskiStealer C2:
http://wymesc72.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://wymesc72.top/index.php https://threatfox.abuse.ch/ioc/160942/
http://morjed07.top/index.php https://threatfox.abuse.ch/ioc/160943/
188.34.152.197:62942 https://threatfox.abuse.ch/ioc/160957/
http://x-vpn.ug/hfV3vDtt/index.php https://threatfox.abuse.ch/ioc/160958/

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9FDBEF65CC23DB119D0A7B158FFBFA5A.exe
Verdict:
No threats detected
Analysis date:
2021-07-18 12:16:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/761ad31f-f8d8-4a43-b5c3-2b2b17713c1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172404/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Dropper.Cookiesstealer-9875148-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Chapak
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/989a2fbd-7aa1-4412-a8b3-66f63d1b73b4
Result
Threat name:
Backstage Stealer Cookie Stealer Oski Re
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817916
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Cookie Stealer
Yara detected Oski Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 450327 Sample: BrCi5pJr8J.exe Startdate: 18/07/2021 Architecture: WINDOWS Score: 100 166 google.vrthcobj.com 2->166 224 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->224 226 Found malware configuration 2->226 228 Antivirus detection for URL or domain 2->228 230 23 other signatures 2->230 13 BrCi5pJr8J.exe 16 2->13         started        signatures3 process4 file5 106 C:\Users\user\AppData\...\setup_install.exe, PE32 13->106 dropped 108 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 13->108 dropped 110 C:\Users\user\AppData\...\libstdc++-6.dll, PE32 13->110 dropped 112 11 other files (none is malicious) 13->112 dropped 16 setup_install.exe 1 13->16         started        process6 dnsIp7 162 motiwa.xyz 172.67.193.180, 49723, 80 CLOUDFLARENETUS United States 16->162 164 127.0.0.1 unknown unknown 16->164 210 Detected unpacking (changes PE section rights) 16->210 212 Performs DNS queries to domains with low reputation 16->212 20 cmd.exe 1 16->20         started        22 cmd.exe 1 16->22         started        24 cmd.exe 1 16->24         started        26 6 other processes 16->26 signatures8 process9 process10 28 arnatic_5.exe 4 50 20->28         started        33 arnatic_4.exe 14 5 22->33         started        35 arnatic_6.exe 24->35         started        37 arnatic_2.exe 1 26->37         started        39 arnatic_7.exe 26->39         started        41 arnatic_1.exe 2 26->41         started        43 2 other processes 26->43 dnsIp11 184 103.155.92.207 TWIDC-AS-APTWIDCLimitedHK unknown 28->184 186 136.144.41.201 WORLDSTREAMNL Netherlands 28->186 194 9 other IPs or domains 28->194 114 C:\Users\...\y4zHdTAkpvvLJ0jwlkzXaSm7.exe, PE32 28->114 dropped 116 C:\Users\...\sXXajOH18rIgzUgZCiQ2a6az.exe, PE32 28->116 dropped 118 C:\Users\...\sCwLCEDb4JdVPZwx51toa7HE.exe, PE32 28->118 dropped 128 27 other files (17 malicious) 28->128 dropped 232 Drops PE files to the document folder of the user 28->232 234 May check the online IP address of the machine 28->234 236 Disable Windows Defender real time protection (registry) 28->236 188 cdn.discordapp.com 162.159.135.233, 443, 49722 CLOUDFLARENETUS United States 33->188 120 C:\Users\user\AppData\Local\...\LzmwAqmV.exe, PE32 33->120 dropped 238 Detected unpacking (overwrites its own PE header) 33->238 45 LzmwAqmV.exe 33->45         started        196 3 other IPs or domains 35->196 122 C:\Users\user\AppData\Roaming\4225097.exe, PE32 35->122 dropped 124 C:\Users\user\AppData\Roaming\8553231.exe, PE32 35->124 dropped 130 2 other files (none is malicious) 35->130 dropped 48 4225097.exe 35->48         started        51 5777623.exe 35->51         started        54 2270699.exe 35->54         started        126 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 37->126 dropped 240 DLL reload attack detected 37->240 242 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 37->242 244 Renames NTDLL to bypass HIPS 37->244 246 Checks if the current machine is a virtual machine (disk enumeration) 37->246 56 explorer.exe 37->56 injected 248 Injects a PE file into a foreign processes 39->248 58 arnatic_7.exe 39->58         started        250 Creates processes via WMI 41->250 60 arnatic_1.exe 41->60         started        190 176.111.174.254 WILWAWPL Russian Federation 43->190 192 olegf9844.tumblr.com 74.114.154.22, 443, 49725 AUTOMATTICUS Canada 43->192 62 WerFault.exe 43->62         started        file12 signatures13 process14 dnsIp15 132 C:\Users\user\AppData\Local\...\playfile.exe, PE32 45->132 dropped 134 C:\Users\user\AppData\...\OLKbrowser.exe, PE32 45->134 dropped 136 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 45->136 dropped 146 2 other files (none is malicious) 45->146 dropped 64 playfile.exe 45->64         started        68 OLKbrowser.exe 45->68         started        70 jhuuee.exe 45->70         started        75 2 other processes 45->75 200 Query firmware table information (likely to detect VMs) 48->200 202 Tries to detect sandboxes and other dynamic analysis tools (window names) 48->202 204 Hides threads from debuggers 48->204 206 Tries to detect sandboxes / dynamic malware analysis system (registry check) 48->206 168 104.21.19.209 CLOUDFLARENETUS United States 51->168 138 C:\ProgramData\70\vcruntime140.dll, PE32 51->138 dropped 148 6 other files (none is malicious) 51->148 dropped 140 C:\Users\user\AppData\...\WinHoster.exe, PE32 54->140 dropped 170 185.125.18.50 QS-ASRU Russian Federation 58->170 208 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 58->208 142 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 60->142 dropped 73 conhost.exe 60->73         started        144 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 62->144 dropped file16 signatures17 process18 dnsIp19 92 C:\Users\user\AppData\Local\...\svchost.exe, PE32 64->92 dropped 214 Writes to foreign memory regions 64->214 216 Allocates memory in foreign processes 64->216 218 Sample uses process hollowing technique 64->218 220 Drops PE files with benign system names 64->220 77 svchost.exe 64->77         started        222 Injects a PE file into a foreign processes 68->222 82 conhost.exe 68->82         started        172 208.95.112.1 TUT-ASUS United States 70->172 174 157.240.17.35 FACEBOOKUS United States 70->174 176 88.218.92.148 ENZUINC-US Netherlands 70->176 94 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 70->94 dropped 96 C:\Users\user\AppData\Local\Temp\haleng.exe, PE32 70->96 dropped 84 jfiag3g_gg.exe 70->84         started        178 91.241.19.12 REDBYTES-ASRU Russian Federation 75->178 180 65.21.181.5 CP-ASDE United States 75->180 182 3 other IPs or domains 75->182 98 C:\Users\user\AppData\...\pl_installer[1].exe, PE32 75->98 dropped 100 C:\Users\user\AppData\...\91946473799.exe, PE32 75->100 dropped 102 C:\Users\user\AppData\...\04311944422.exe, PE32 75->102 dropped 104 4 other files (none is malicious) 75->104 dropped 86 chenh.exe 75->86         started        88 conhost.exe 75->88         started        file20 signatures21 process22 dnsIp23 198 198.54.114.131 NAMECHEAP-NETUS United States 77->198 150 C:\ProgramData\sqlite3.dll, PE32 77->150 dropped 152 C:\ProgramData\softokn3.dll, PE32 77->152 dropped 154 C:\ProgramData\msvcp140.dll, PE32 77->154 dropped 160 2 other files (none is malicious) 77->160 dropped 252 System process connects to network (likely due to code injection or exploit) 77->252 254 Tries to harvest and steal browser information (history, passwords, etc) 84->254 156 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 86->156 dropped 158 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 86->158 dropped 90 conhost.exe 86->90         started        file24 signatures25 process26
Detection:
raccoon
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e5203487f0bbd037f06aeda5aad3c304f9217260659212afc6be5ad85a35fcb7/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 09:21:11 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4uqdjb7qxpidp4dk5ws2vu6dat4sc4tamwjbfl6gxznnqwrv7s3q._file
Verdict:
unknown
Similar samples:
036d1b5b7a9bc9526fb0825cebe7b937ef0a8e00428a4ffc15eeb41858efc854
OskiStealer
1385c3d747eed12e6e8712a8e32820f6dce44531423d81e2e5763c16f7eb38ff
OskiStealer
30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
OskiStealer
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
OskiStealer
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
OskiStealer
5ee314a1b864135945e39b2f0e3d3e10ae603256e0e152a159650f2ad142fcca
OskiStealer
885c540ea597bed7e1d4b8fd3670bc66e821368ba0df789c53a5fd2cb96ed33f
OskiStealer
b035ee9ead48cdfdfa1d7110cc84204df3571d6843aedc4c44edc73f59b013c0
OskiStealer
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
OskiStealer
f3c2f58838f82805e8b2fad088523958db89bc6c34b1e27760f881d8d1bcc36e
OskiStealer
+ 169 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:oski family:raccoon family:redline family:smokeloader family:socelars family:vidar botnet:865 botnet:933 botnet:ani botnet:aninew botnet:cana01 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer themida trojan upx
Link:
https://tria.ge/reports/210718-cnw5slf86n/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Oski
Process spawned unexpected child process
Raccoon
RedLine
RedLine Payload
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://olegf9844.tumblr.com/
176.111.174.254:56328
akedauiver.xyz:80
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
a343345.me
https://sslamlssa1.tumblr.com/
Unpacked files
SH256 hash:
42ca6e15a792e7d81a2f0211392fcf29623f1dfda3159325b9ce8e2cef6e640b
MD5 hash:
dcb89de182013699d3a559b9d85053b4
SHA1 hash:
b4433c6aa54a7d3ce4956ca1f49378857da19ccb
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
0e5b7261da6bf316e2b84530027356e038e78b25c2d86a108db65bf348059763
MD5 hash:
b6acd0bab75d614405a3ec3e9750cc19
SHA1 hash:
aafe902736ec80d904165853f077d3520ebd2876
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
9432641ffc06c783ff8a7cd55f33948730f7e00bb2782564f580ba104c817ee2
MD5 hash:
975d1be4341522d562c0a6effde08e2f
SHA1 hash:
8aff3e0abc92a9f01e9aefd1b1fc421bfd82e4f9
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
5a580d590efe50a4072580e030ff03a2bdc9cb5bb6424c8167e6cdc106662d80
MD5 hash:
9b8888a96bb81b13d824f42811dd73e4
SHA1 hash:
7a15193d26b0e2fb5f1894fee476aeb6987b2d5f
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
65e857b77577451c4894c0e9b8f3acc64906472b9bf980d76cb209b5b17a6e04
MD5 hash:
385b2e02d14579a16a0f73d48d266191
SHA1 hash:
248abbcee3367b48a98002560f521472b78d51e4
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
140687c607a8adee38572a2b5b5b12dcf4c5eecfa5d2428d34f09b627a71e6bd
MD5 hash:
0b1df2ab5308c2e8927f9adeac08c657
SHA1 hash:
10212be3c4b01016525039786e3f28909be1b96a
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
09e4e7eaa8f614888e2539539c3ec2309f6e699a4c73989d3402b59644267e3b
MD5 hash:
c4b138a1dd9ff17538ef0d91a5906145
SHA1 hash:
a3560902e8ac5b47dc0e2c3a505850225ca002f4
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
ea42603dea1b74bfff94b23fb910d6f115ba53fb85fcf2ad02a5d779d42d0a7b
MD5 hash:
67c2ade011b8e04054b7841f96f7377f
SHA1 hash:
75d182076b791b3318ea8427ce3ec927e4b08cd9
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash:
5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash:
cba084a866650d9a06d7dd1873f26ad3ba483163
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
Parent samples :
cbe35192c04f83d4d3b179a8c229047ade740aac3785e198cd0fdb00c2bf91e5
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SH256 hash:
216591f499d58329a39f3c034b82f3b608a68729cac1db1f3cbb527b92fb11ca
MD5 hash:
9c2fbb7221a57de012bbeb2ae11c0eff
SHA1 hash:
85583e56703f2c1746ab78ae899dfaa4b131f06d
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
3c33e130ffc0a583909982f29c38bffb518ae0fd0ef7397855906beef3cd993d
MD5 hash:
4a1a271c67b98c9cfc4c6efa7411b1dd
SHA1 hash:
e2325cb6f55d5fea29ce0d31cad487f2b4e6f891
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
58bd9f39b9b0cc9f4b527932fda2cf29720701db005899e70b5d9d2c215c180d
MD5 hash:
98c6725dae57c0c01e26e2b93f049b70
SHA1 hash:
b584d62ddc78c7db7b01590588f29e9bd383e784
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
964a078a303bd67657b686eff96ce74093453375bda7872b2ad0ad62a896eada
MD5 hash:
ce3ec8cbc46811f4d734a18d0ae7a531
SHA1 hash:
81144b88c135736797fea5eab311e5009004cea2
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
b8b6b9f22146943d4e8b71d7656117e60e5a5f6e19fa4af164b2f8a678c78b69
MD5 hash:
acdf8e15fc747f13c24f37e343f03c8e
SHA1 hash:
242eb23c4a8e513dba0848c90b988e5d7508db07
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
9717f526bf9c56a5d06ccd0fb71eef0579d26b7100d01665b76d8fdd211b48bd
MD5 hash:
dbc3e1e93fe6f9e1806448cd19e703f7
SHA1 hash:
061119a118197ca93f69045abd657aa3627fc2c5
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
44bc2785594483172a5ceadbe744c67b5521669870aa138672994d97e1870414
MD5 hash:
f9703597014c58a43a80f95410b712f9
SHA1 hash:
f2afb638e7e02b9217fa8724691ff0517f1eb5f5
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
SH256 hash:
e5203487f0bbd037f06aeda5aad3c304f9217260659212afc6be5ad85a35fcb7
MD5 hash:
9fdbef65cc23db119d0a7b158ffbfa5a
SHA1 hash:
0a5d3022910c6e6c5898fc4dbb910d16aaf7b19d
Link:
https://www.unpac.me/results/c431a3f7-b244-4d16-af46-912e66f39054/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5203487f0bbd037f06aeda5aad3c304f9217260659212afc6be5ad85a35fcb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172404/

Comments