MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1f6aeee9a42004e68765a83e9cbd51bc878a0afd7c80a88432ab14c84f8541b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RedLineStealer
Vendor detections: 13

SHA256 hash: f1f6aeee9a42004e68765a83e9cbd51bc878a0afd7c80a88432ab14c84f8541b
SHA3-384 hash: 0b910aa1cd95a6a5a56a3c53ac7e1ca0c6e9cc97973746465ea22ee6842a5815fdd648b63d1cdd98bb12ad278edb9eaa
SHA1 hash: a4f1861d6862b9b31ac8f56b7b307c3e192c0e87
MD5 hash: 21dd531727259fb0085f2407598c7db0
humanhash: speaker-comet-carpet-oregon
File name: F1F6AEEE9A42004E68765A83E9CBD51BC878A0AFD7C80.exe
Signature: RedLineStealer
File size: 6'667'779 bytes
First seen: 2021-11-09 04:15:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:y1DeOU7F8IKCgML6/jRsDaH95LnyUm/0Qeid6ID0vzpQS+smBZcs1G5pR/COj+34:yq/KNeed5rnm/EiRD09aSqo+3wRl
Threatray: 1'393 similar samples on MalwareBazaar
TLSH: T1C66633C55AFBC508FAD454BF8DB5BCCB6C60661C814ECB1E9993B42819829E27F4CB0D
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe RedLineStealer


abuse_ch
RedLineStealer C2:
http://194.180.174.182/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://194.180.174.182/
ThreatFox reference: https://threatfox.abuse.ch/ioc/245154/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 141
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys glupteba mokes overlay packed redline socelars ursnif virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Backstage Stealer RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Backstage Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Behaviour
Behavior Graph (ID: 518184; sample: F1F6AEEE9A42004E68765A83E9C...; start date: 09/11/2021; architecture: WINDOWS; score: 100). The graph image itself is not reproduced here; the information recoverable from its nodes and edges is listed below.
Process chain: F1F6AEEE9A42004E68765A83E9CBD51BC878A0AFD7C80.exe (alongside WmiPrvSE.exe) -> setup_installer.exe -> setup_install.exe -> cmd.exe (x3, plus 11 other processes) -> Fri1007d0fc7215e8439.exe, Fri10932ee1ae2b.exe, Fri102c05a030.exe, Fri10c41a79819beb1.exe, Fri1007c7fe80a.exe, Fri10a6c6c2f64.exe (plus 6 other processes) -> mshta.exe -> cmd.exe -> conhost.exe
Contacted IPs: 20.42.73.29 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 52.182.143.212 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 127.0.0.1, 45.142.182.152 (XSSERVERNL, Germany), 103.155.92.29 (TWIDC-AS-APTWIDCLimitedHK), 194.145.227.161 (CLOUDPITDE, Ukraine), 208.95.112.1 (TUT-ASUS, United States), plus further IPs or domains counted but not named in the graph
Dropped files (PE32): C:\Users\user\AppData\...\setup_installer.exe, C:\Users\user\AppData\...\setup_install.exe, C:\Users\user\AppData\...\Fri10e583b149b5.exe, C:\Users\user\...\Fri10c41a79819beb1.exe, C:\Users\...\m1FeJ5Y6Pf7jnfs7GIiKZZ_o.exe, dd7c8e90c804f83b712eb175eb0daaef[1].exe, C:\Users\user\AppData\...\wetsetup0802[1].exe, C:\Users\user\AppData\Local\Temp\sqlite.dll, C:\Users\user\AppData\...\Fri10a6c6c2f64.tmp, C:\Users\user\AppData\...\SkVPVS3t6Y8W.EXe, plus further files counted but not named in the graph (16 other files, 11 malicious, from setup_installer.exe; 27 other files, 9 malicious, from Fri1007d0fc7215e8439.exe)
Signatures attached to graph nodes: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Adds a directory exclusion to Windows Defender; Detected unpacking (creates a PE file in dynamic memory); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (trying to detect sleep duration tampering with parallel thread); Creates processes via WMI; Obfuscated command line found; Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Spyware.Socelars
Status: Malicious
First seen: 2021-10-01 23:41:38 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 2/5

Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars botnet:ani botnet:jamesfuck aspackv2 backdoor discovery evasion infostealer spyware stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
65.108.20.195:6774
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
45.142.215.47:27643
Unpacked files
SHA256 hash:
0bb9bb0248ff89fac4e513cc1891f8aabbcc076446790c68d849e5a6c007c1ca
MD5 hash:
2fbf0040b06b8719902326d9584c29c3
SHA1 hash:
f2983c7b2d3d91722fb88198ac2441c5e098c2cf
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
daf2e84c2147fc190c72c048f28af57b5608008a585693bce82b91b2f2377b3c
MD5 hash:
61bccc6ce0533a99d7282ea0622d12f0
SHA1 hash:
f27ef25e8832cc8b70d312c3ba5554f196b24b99
SHA256 hash:
c5761c7d94d975a44e08caf948531b363c30e3f78d7b45a7b28bda39beb4e534
MD5 hash:
cf4029ca825cdfb5aaf5e9bb77ebb919
SHA1 hash:
eb9a4185ddf39c48c6731bf7fedcba4592c67994
SHA256 hash:
bffb5e0da99f01972d746d4bf68765ca7db0fb32e598f8fd9a92e8389f321c1f
MD5 hash:
417411e71de543ffbe76242943ba5b90
SHA1 hash:
e50f45218c6d01cb67787add25491acfead007fa
SHA256 hash:
75256e9dfa64a7d301d41c5a18fe99f28168b4c2b930e922e1abbb9277d96176
MD5 hash:
1575ff50183d1411cd3f166594f88410
SHA1 hash:
ccef72f2349ef3fdab67e86c582acec723ce3d96
SHA256 hash:
cbf35793507f7fb119bddc1676726e33793f8fb52695df73ff33d2bd30a1b462
MD5 hash:
224b29df84d69424e70a7cbc9be454f0
SHA1 hash:
c03de830c4715fcbd2f90bd47de50a77e1ccda28
SHA256 hash:
8619662dfe0ddbb459df10acbe0746922818c6cc9a7e4b53b230470b74dfb079
MD5 hash:
b6e611a0bfe4c7913704e56f86bcc0f8
SHA1 hash:
bde22e7dc4493bb8b1490e9eb01c13abf3887aeb
SHA256 hash:
e8e4cb96f958e7205a90052f13cdf0d63f0018345152eb4ef552b8d796481cee
MD5 hash:
57e3a53d7576635f94c0b7ea6b9fad43
SHA1 hash:
a43b28cd48d9efcbccc12ad2a644d6186acbd968
SHA256 hash:
70f246fd61a27a4e2ffde2357e6c8ebe554a79811a35e7141f747090d05ff7e1
MD5 hash:
51b73b4d3041eb2d32a29dca61059549
SHA1 hash:
9845a8e5716e5e16ffc33ceccae9abf52872a2b5
SHA256 hash:
c83c6bbdf2a042df0c8343aed3d04a09e2f09b7c97ca13da4e141b2ee6b73e24
MD5 hash:
bd04c2aaa95597b44e601173a12ff67a
SHA1 hash:
6482176bc16a64fe9df5f4615c30dfddc083dcfc
SHA256 hash:
c280697a1a1020c17a4d60e36e7d4a9ca5154aa394bdb55966c935365ef25196
MD5 hash:
ed4075580b883fd2a7cd5f0cb8870f14
SHA1 hash:
310c8fe2064ff7430a325db6755550f62566c050
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
078b80b059f5db99874557c13a13f9916674fef20eaac89337cb9f14ee97405e
MD5 hash:
a8bc5553733d6e68753d63747eed87d6
SHA1 hash:
f9210ad415b8d1a0c4a88b62ff6f05d0128df05e
SHA256 hash:
9253c070a4a5ce357909556505b49ccd25b5a21789064621393a61df2dbfc515
MD5 hash:
1b0354c000633a8862638f65a19442dc
SHA1 hash:
ea04a876808c63b899895383d5dfe9c026a36853
SHA256 hash:
d5896f8d00c6688b5b2a6f84d8ae3f3d1e136512624cb96054ca0db51af53dff
MD5 hash:
6e1cf5a21e2cbfab1a3fad4e5ff360c2
SHA1 hash:
c37f14af2efba855033d2221bbec13d436427ccd
SHA256 hash:
393447aa843f148cd22e887d1eda74062785f0b4a6f098fbcb0d024b5aa23e4e
MD5 hash:
07f99f9e2df157ae78339603186ac280
SHA1 hash:
cb295687ae130d85061676471abcaa5f60df4198
SHA256 hash:
d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash:
70220a3ce6ffd34101b3770342505f2c
SHA1 hash:
b55c421634d8eeaec5c6193f34c04625d21a9ae9
SHA256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
SHA256 hash:
9112ea197ca86b1bd22471c9c9339c9c7e202dca98435d84360e2c3c1bd8ba08
MD5 hash:
77fcd40815c758d3cff3a8ed6b12a411
SHA1 hash:
83aa024396a0d6de2bc9999f092bd7bdabfc4cb1
SHA256 hash:
19bd45a690cf543de51395c974f47cbe638e07b1685fc1dd77f149fa718443e9
MD5 hash:
906fe3a57e03b534e8e78713fb48468d
SHA1 hash:
293546e4cfffb5a558a4167aa63b3fa4c646e0ea
SHA256 hash:
fa27857a94608e55af869974eed36fae126454c1e5361fa9e26fd78887a9f0dd
MD5 hash:
b1565a37ff45df6a03963ece52191967
SHA1 hash:
7186c80df8c61376fc2f7f06456773f6180e0ed3
SHA256 hash:
185a3a1fb4e65f459935b4d3b7b692c604240749f600b6b177912f6c81c17095
MD5 hash:
cd5bacb45670c5aa75e9dbffb53f89ce
SHA1 hash:
5aa61418f879bcb9299a0543b2b0f0908a5c3a33
SHA256 hash:
f1f6aeee9a42004e68765a83e9cbd51bc878a0afd7c80a88432ab14c84f8541b
MD5 hash:
21dd531727259fb0085f2407598c7db0
SHA1 hash:
a4f1861d6862b9b31ac8f56b7b307c3e192c0e87
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_DLInjector03
Author: ditekSHen
Description: Detects unknown loader / injector

Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: RedLine_b
Author: @bartblaze
Description: Identifies RedLine stealer.

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: XOREngine_Misc_XOR_Func
Author: smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description: Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information


The table below shows additional information about this malware sample such as delivery method and external references.
