MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f08f77c93c18f55c22c54418b22c4e658d1272f838572a2063796545be6d2015. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: f08f77c93c18f55c22c54418b22c4e658d1272f838572a2063796545be6d2015
SHA3-384 hash: edf7af5e79703201dba5df38523a2a609171bafab794105fc0f62efefef1b79ef9838b67fe82b5a4615916181f644168
SHA1 hash: f72522e2e319c982956d5a80d83e9b97009e64e7
MD5 hash: 71bc1eae25cf249a565579d41f76bce6
humanhash: four-autumn-kentucky-tennis
File name: f08f77c93c18f55c22c54418b22c4e658d1272f838572.exe
Signature: Formbook
File size: 16'212'441 bytes
First seen: 2025-07-06 05:10:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner)
ssdeep: 393216:UBMfOh2fPqDNwMiuaZ8bZwjd+izpUzyateZmbP+ywi+uX:g0Oh23RuaZ8Vw/wyKeXir
TLSH: T192F6334AE7E400BDF0F7D9B4DDA71903E37A7C9853718A4F03A447999F932A1AE64720
TrID: 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      0.7% (.EXE) OS/2 Executable (generic) (2029/13)
      0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 8eccf87171e4cc8e (1 x Formbook)
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch: Formbook C2: 45.201.0.222:1000

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
45.201.0.222:1000 | https://threatfox.abuse.ch/ioc/1553961/

Intelligence


File Origin
# of uploads: 1
# of downloads: 29
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: rl_f08f77c93c18f55c22c54418b22c4e658d1272f838572a2063796545be6d2015
Verdict: Malicious activity
Analysis date: 2025-07-06 05:13:57 UTC
Tags: evasion auto-reg auto-startup xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect asyncrat

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Connection attempt
Sending an HTTP GET request
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching a process
Connection attempt to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Result
Threat name: RDPWrap Tool, StormKitty, SugarDump, XWo
Detection: malicious
Classification: spre.troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BrowserPasswordDump
Yara detected RDPWrap Tool
Yara detected RUNPE
Yara detected StormKitty Stealer
Yara detected SugarDump
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 64 Exe x64

Threat name: ByteCode-MSIL.Trojan.Kepavll
Status: Malicious
First seen: 2025-05-19 16:14:35 UTC
File Type: PE+ (Exe)
Extracted files: 843
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:xworm rat trojan
Behaviour
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Detect Xworm Payload
Xworm
Xworm family
Malware Config
C2 Extraction: dudn.xyz:1000
Verdict: Malicious
Tags: External_IP_Lookup
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (FORCE_INTEGRITY) | high

Reviews
ID | Capabilities | Evidence
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments