MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 17

SHA256 hash: e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
SHA3-384 hash: 98bf6cc98058e13ce2016ceffbf05e7238b8b32e77a9d63b87cc28b2b4f1e91b37d21d7bffcb202a0a48ab1cd2053eb8
SHA1 hash: fc09525a2f93bf089d0b02c5220e7ee452e64747
MD5 hash: 269d7e74e4b21a2fc0e66907c77fc0bc
humanhash: yankee-gee-blue-mirror
File name: HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe
Signature: ArkeiStealer
File size: 1'545'295 bytes
First seen: 2023-01-22 15:15:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 24576:Eg5ks+W8y6AFZexyuCkfHGFV01gUSvriQMbOyK2jYR2J11RaLNBDj:EgrHa0ZAhIVQFSv2LtwRG11R+F
TLSH: T1A46533D406C1C057CFF38A3332F0167960E8A52A29686A8E5FB4B4BE6E521778C5F742
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://65.109.208.142/

Intelligence

File Origin
# of uploads: 1
# of downloads: 198
Origin country: n/a

Vendor Threat Intelligence
Malware family: socelars
ID: 1
File name: HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe
Verdict: Malicious activity
Analysis date: 2023-01-22 15:15:55 UTC
Tags: evasion trojan socelars stealer loader smoke gcleaner miner

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file
Searching for the window
Moving a recently created file
Sending a custom TCP request
Running batch commands
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Reading critical registry keys
Creating a process with a hidden window
Connecting to a non-recommended domain
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Query of malicious DNS domain
Blocking the Windows Defender launch
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys graftor overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Fabookie, Nymaim, PrivateLoader, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Fabookie
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph (Behavior Graph ID: 789260; Sample: HEUR-Trojan.Win32.Chapak.ge...; Startdate: 22/01/2023; Architecture: WINDOWS; Score: 100)

The graph image itself is not reproduced here; its node and edge labels are listed below, one block per process, with the parent that started (or injected into) it, its network contacts, dropped files and matched signatures.

Sample (root node)
  Network: 45.12.253.98 (CMCSUS, Germany); transfer.sh; ipinfo.io
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 20 other signatures
  Started: HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe; jhgvesi; kagnseix.exe; svchost.exe

HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe (started by root node)
  Dropped: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  Started: setup_installer.exe

jhgvesi (started by root node)
  Signatures: Multi AV Scanner detection for dropped file; DLL reload attack detected; Detected unpacking (changes PE section rights); 5 other signatures

kagnseix.exe (started by root node)
  Signatures: Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes

svchost.exe (started by root node)
  Started: WerFault.exe (three instances)

setup_installer.exe (started by HEUR-Trojan.Win32.Chapak.gen-e6ea98b046b11a35.exe)
  Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 5 other files (4 malicious)
  Signatures: Multi AV Scanner detection for dropped file
  Started: setup_install.exe

setup_install.exe (started by setup_installer.exe)
  Network: 127.0.0.1; wxkeww.xyz
  Dropped: C:\Users\user\...\karotima_2.exe (copy) (PE32); C:\Users\user\...\karotima_1.exe (copy) (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Performs DNS queries to domains with low reputation
  Started: cmd.exe (which started karotima_1.exe); cmd.exe (which started karotima_2.exe); conhost.exe; WerFault.exe

conhost.exe (started by setup_install.exe)
  Signatures: Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Queries memory information (via WMI often done to detect virtual machines)

karotima_1.exe (started by cmd.exe)
  Network: privacy-tools-for-you-453.com (Performs DNS queries to domains with low reputation); 212.193.30.115 (ports 49711, 49754, 80; SPD-NETTR, Russian Federation); 17 other IPs or domains
  Dropped: C:\Users\...\qONJoeAIslTYekNcXsGzMDUc.exe (PE32); C:\Users\...\iNCtZNtWbAWILaLNkOilTwXe.exe (PE32); C:\Users\...\gi6LdCksj87JE5uZTwAlKvqZ.exe (PE32); 12 other malicious files
  Signatures: Drops PE files to the document folder of the user; May check the online IP address of the machine; Creates HTML files with .exe extension (expired dropper behavior); Disable Windows Defender real time protection (registry)
  Started: T6rATuk9k3utZ4rO_79xF3mf.exe; Gi9FkNQJOzrrWHRP8VRPbnQb.exe; gi6LdCksj87JE5uZTwAlKvqZ.exe; 6 other processes

karotima_2.exe (started by cmd.exe)
  Dropped: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32)
  Signatures: DLL reload attack detected; Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 4 other signatures
  Injected into: explorer.exe

explorer.exe (injected by karotima_2.exe)
  Network: finbelportal.com 103.224.182.242 (ports 49753, 80; TRELLIAN-AS-APTrellianPtyLimitedAU, Australia); ww16.finbelportal.com 91.195.240.112 (ports 49757, 80; SEDO-ASDE, Germany); 5 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\rtgvesi (PE32); C:\Users\user\AppData\Roaming\jhgvesi (PE32)
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)

T6rATuk9k3utZ4rO_79xF3mf.exe (started by karotima_1.exe)
  Dropped: C:\Windows\Temp\321.exe (PE32); C:\Windows\Temp\123.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
  Started: 123.exe; 321.exe

Gi9FkNQJOzrrWHRP8VRPbnQb.exe (started by karotima_1.exe)
  Dropped: C:\Users\...\Gi9FkNQJOzrrWHRP8VRPbnQb.tmp (PE32)
  Signatures: Obfuscated command line found
  Started: Gi9FkNQJOzrrWHRP8VRPbnQb.tmp

gi6LdCksj87JE5uZTwAlKvqZ.exe (started by karotima_1.exe)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: vbc.exe; 2 other processes

6 other processes (started by karotima_1.exe)
  Network: star-mini.c10r.facebook.com 157.240.253.35 (ports 443, 49767, 49768; FACEBOOKUS, United States); iueg.aappatey.com 45.66.159.142 (ports 49772, 49775, 49785; ENZUINC-US, Russian Federation); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\...\svcupdater.exe (PE32); C:\Users\user\AppData\Local\...\vx5iXEhR.cpl (PE32); C:\Users\user\AppData\Local\...\kagnseix.exe (PE32); C:\Users\user\AppData\Local\...\6892109.dll (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: 5Z5TaftyK4SaeSNCZHUF6glt.exe; cmd.exe; control.exe; 6 other processes

123.exe (started by T6rATuk9k3utZ4rO_79xF3mf.exe)
  Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
  Started: vbc.exe; conhost.exe; WerFault.exe

321.exe (started by T6rATuk9k3utZ4rO_79xF3mf.exe)
  Signatures: Injects a PE file into a foreign processes
  Started: conhost.exe

Gi9FkNQJOzrrWHRP8VRPbnQb.tmp (started by Gi9FkNQJOzrrWHRP8VRPbnQb.exe)
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); 6 other files (5 malicious)
  Started: finalrecovery.exe

vbc.exe (started by gi6LdCksj87JE5uZTwAlKvqZ.exe)
  Network: 185.244.181.112 (ports 33056, 49788; BELCLOUDBG, Russian Federation)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to steal Crypto Currency Wallets

5Z5TaftyK4SaeSNCZHUF6glt.exe (started by the 6 other processes above)
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

cmd.exe (started by the 6 other processes above)
  Dropped: C:\Windows\SysWOW64\...\kagnseix.exe (copy) (PE32)
  Started: conhost.exe

control.exe (started by the 6 other processes above)
  Started: rundll32.exe, which started rundll32.exe, which started rundll32.exe

6 other processes (started by the first group of 6 other processes)
  Started: conhost.exe; 4 other processes

vbc.exe (started by 123.exe)
  Network: 51.210.137.6 (ports 47909, 49794; OVHFR, France)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

finalrecovery.exe (started by Gi9FkNQJOzrrWHRP8VRPbnQb.tmp)
  Network: 45.12.253.56 (ports 49759, 80; CMCSUS, Germany); 45.12.253.72 (ports 49760, 80; CMCSUS, Germany); 45.12.253.75 (ports 49763, 80; CMCSUS, Germany)
  Dropped: C:\Users\user\AppData\...\Bv1kV9vR3zrb7.exe (PE32)
  Started: Bv1kV9vR3zrb7.exe

Bv1kV9vR3zrb7.exe (started by finalrecovery.exe)
  Signatures: Multi AV Scanner detection for dropped file
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-07-22 19:40:00 UTC
AV detection: 20 of 25 (80.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:nullmixer family:privateloader family:smokeloader aspackv2 backdoor dropper evasion loader spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Executes dropped EXE
Detects Smokeloader packer
Modifies Windows Defender Real-time Protection settings
NullMixer
PrivateLoader
SmokeLoader
Malware Config
C2 Extraction: http://wxkeww.xyz/

Unpacked files
SHA256 hash: 5da0d850941091855ce3a6f48447d2873452443282751fe376c104ef65a45efa
MD5 hash: 5df4d842ec44f8e63168ecb7cafd7e42
SHA1 hash: cba084a866650d9a06d7dd1873f26ad3ba483163
Detections: win_smokeloader_a2 SmokeLoaderStage2

SHA256 hash: f6085d410443542324a7c227b2c12113ead32b3fd21257d652cfc632c45483bd
MD5 hash: ad8f481f8014bf6643065b046b9d9407
SHA1 hash: 77d4611efccc3f96bf3b97d47e9c7ec1c5a4a0a1

SHA256 hash: c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e
MD5 hash: 9108ad5775c76cccbb4eadf02de24f5d
SHA1 hash: 82996bc4f72b3234536d0b58630d5d26bcf904b0
Detections: PrivateLoader win_privateloader_w0 win_privateloader_auto win_privateloader_a0

SHA256 hash: 9ff44c4da853cdbe606d2cfe4d04b410c3ae603acf0f1d3f75195b6236e0e123
MD5 hash: 80e74cf9f38c5712c6c2432a509c8bc7
SHA1 hash: 62ccdca04b3685728ce7f1a785cc01f3a3f3b3dc

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: 660a29f558d87bc0abcd828dcb4a5eecf3f9416f1da10543519bf89bc5239b40
MD5 hash: 55e5a2a5f8f4970ef8f197af63a089d5
SHA1 hash: 979fe44314e5b513ef9e9025724ed66d53597204

SHA256 hash: e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
MD5 hash: 269d7e74e4b21a2fc0e66907c77fc0bc
SHA1 hash: fc09525a2f93bf089d0b02c5220e7ee452e64747

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: Detect_Tofsee
Author: @malgamy12
Description: Detect_Tofsee

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MALWARE_Win_Tofsee
Author: ditekSHen
Description: Detects Tofsee

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pe_imphash

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: tofsee_yhub
Author: Billy Austin
Description: Detects Tofsee botnet, also known as Gheg

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

Rule name: Windows_Trojan_Tofsee_26124fe4
Author: Elastic Security

Rule name: win_tofsee_w0
Author: akrasuski1

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments