MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f263c018987dc3e25427e3d2b1b895a58b32efbc748cc5e83189f4902c3149cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Spambot.Kelihos


Vendor detections: 20



SHA256 hash: f263c018987dc3e25427e3d2b1b895a58b32efbc748cc5e83189f4902c3149cd
SHA3-384 hash: feebb5d5647b0f14a7e5c3ebb372666e67b720584400bc7eeed3891faca0e2ceee20a77642bd781c1fe0b88b19012e96
SHA1 hash: d7fd2076248000534e49dbf427a0941df830e2d0
MD5 hash: c7fc0c2db7eb95ab6fbb81515e4af24c
humanhash: mississippi-lithium-enemy-finch
File name: C7FC0C2DB7EB95AB6FBB81515E4AF24C.exe
Download: download sample
Signature: Spambot.Kelihos
File size: 4'916'736 bytes
First seen: 2025-08-07 15:35:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:tt2JAPmG2dmoyUHK7yAIfpPfLS+MLNSB8UvUEEOeZZhkOfuQ:ttBSUoGuPf9eSB8eUEETbkO2Q
Threatray 70 similar samples on MalwareBazaar
TLSH T1C736334097CE4122FDE407F05A3703832FA52973932646A62B2F5E5F15F23ED46B1B9A
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe Spambot.Kelihos


abuse_ch
Spambot.Kelihos C2:
http://357129cm.nyash.es/PythonPollLowbasePrivate.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://357129cm.nyash.es/PythonPollLowbasePrivate.php | https://threatfox.abuse.ch/ioc/1565231/

Intelligence


File Origin
# of uploads:
1
# of downloads:
53
Origin country:
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
C7FC0C2DB7EB95AB6FBB81515E4AF24C.exe
Verdict:
Malicious activity
Analysis date:
2025-08-07 15:38:47 UTC
Tags:
lumma stealer amadey botnet loader auto-reg rdp arch-exec gcleaner auto-startup purecrypter dcrat rat remote darkcrystal telegram stealc vidar autoit auto generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
vmdetect autorun emotet autoit
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Searching for analyzing tools
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Launching a service
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm CAB crypt explorer installer lolbin microsoft_visual_cc nanocore obfuscated packed packed packer_detected rundll32 runonce sfx threat
Result
Threat name:
Amadey, LummaC Stealer, Vidar, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
[Behavior graph image not reproduced. Graph ID: 1752486; Sample: 1damffy2ej.exe; Start date: 07/08/2025; Architecture: WINDOWS; Score: 100]
Threat name:
Win32.Trojan.LummaStealer
Status:
Malicious
First seen:
2025-07-31 20:29:00 UTC
File Type:
PE (Exe)
Extracted files:
147
AV detection:
28 of 38 (73.68%)
Threat level:
5/5
Result
Malware family:
salatstealer
Score:
10/10
Tags:
family:amadey family:lumma family:rhadamanthys family:salatstealer botnet:fbf543 defense_evasion discovery execution persistence stealer themida trojan upx
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Power Settings
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Themida packer
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect SalatStealer payload
Detects Rhadamanthys Payload
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Rhadamanthys
Rhadamanthys family
Salatstealer family
Suspicious use of NtCreateUserProcessOtherParentProcess
salatstealer
Malware Config
C2 Extraction:
Verdict:
Malicious
Tags:
stealer redline Win.Packed.Nanocore-9942160-0
YARA:
win_redline_wextract_hunting_oct_2023
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base63 encoded powershell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: pe_detect_tls_callbacks
Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: Rustyloader_mem_loose
Author: James_inthe_box
Description: Corroded buerloader
Reference: https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: Vidar_unpacked_PulseIntel
Author: PulseIntel
Description: Vidar Payload
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryInfoKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA

Comments