MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2fcd49dd7ce2e64415e73f5276e813e90d53dea18f5fba68e1c8b55e0c1f631. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RedLineStealer
Vendor detections: 13



SHA256 hash: f2fcd49dd7ce2e64415e73f5276e813e90d53dea18f5fba68e1c8b55e0c1f631
SHA3-384 hash: af3430e0d8d0ea9f18e5cfb58319344b241a622ddab07282f2013d10d3e2989918c17769615cd08f465bf53f74f62b87
SHA1 hash: 7964286655f53257f9e6a5b546b086b7027d3d18
MD5 hash: 34ea477b185d56b4906e8f0fd7a41497
humanhash: berlin-kansas-carpet-oxygen
File name: 34EA477B185D56B4906E8F0FD7A41497.exe
Signature: RedLineStealer
File size: 5'312'000 bytes
First seen: 2021-07-18 16:45:15 UTC
Last seen: 2021-07-18 17:37:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (also seen on 48'741 AgentTesla, 19'606 Formbook and 12'242 SnakeKeylogger samples; this is the import hash of a .NET executable whose only import is mscoree!_CorExeMain, so it fingerprints the .NET loader stub rather than RedLine and should not be used as a pivot on its own)
ssdeep: 98304:B6sXydK/C+xg2UNtZ4/PWbUO1y6hY5/pj9Mz2Z8ED9CZC7X4k3wy2rOKwK7VFhPq:0Ear4n4ZhY5BB7xhCe42wZRLF
Threatray: 466 similar samples on MalwareBazaar
TLSH: T1E336F0882BCAE113A9B1DD3096F39B540A6F3535FCC1941D28D41990A8F29EDFEBDE11
Reporter: abuse_ch
Tags: exe RedLineStealer


Reporter comment (abuse_ch):
RedLineStealer C2:
http://wymesc72.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox reference
http://wymesc72.top/index.php | https://threatfox.abuse.ch/ioc/160942/
http://morjed07.top/index.php | https://threatfox.abuse.ch/ioc/160943/
http://x-vpn.ug/hfV3vDtt/index.php | https://threatfox.abuse.ch/ioc/160958/

Intelligence


File Origin
Uploads: 2
Downloads: 150
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 34EA477B185D56B4906E8F0FD7A41497.exe
Verdict: Malicious activity
Analysis date: 2021-07-18 16:47:06 UTC
Tags: trojan stealer vidar evasion loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Backstage Stealer Oski RedLine Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Posts data to a JPG file (protocol mismatch)
Sample is protected by VMProtect
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Backstage Stealer
Yara detected Oski Stealer
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 450359; sample xBMx9OBP97.exe; start date 18/07/2021; architecture WINDOWS; score 100)

Start node
  DNS/IP: google.vrthcobj.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 20 other signatures

xBMx9OBP97.exe (started from the start node)
  Dropped: C:\Users\user\AppData\Local\...\playfile.exe (PE32); C:\Users\user\AppData\Local\...\note8876.exe (PE32); C:\Users\user\AppData\Local\Temp\ligl.exe (PE32); 5 other files (2 malicious)
  Started: jhuuee.exe; playfile.exe; note8876.exe; 4 other processes
  jhuuee.exe
    DNS/IP: ip-api.com (208.95.112.1:80, TUT-AS, United States); 3 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\Temp\haleng.exe (PE32)
    Signatures: May check the online IP address of the machine
    Started: jfiag3g_gg.exe (three instances)
    jfiag3g_gg.exe
      Started: setup_installer.exe
      setup_installer.exe
        Dropped: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\AppData\...\libwinpthread-1.dll (PE32); C:\Users\user\AppData\...\libstdc++-6.dll (PE32); 5 other files (none is malicious)
        Started: setup_install.exe
        setup_install.exe
          DNS/IP: 172.67.179.203 (CLOUDFLARENET, United States); 127.0.0.1 (unknown)
          Signatures: Detected unpacking (changes PE section rights)
          Started: cmd.exe (two instances); conhost.exe
          cmd.exe -> karotima_1.exe
            DNS/IP: 103.155.92.207 (TWIDC-AS-AP TWIDC Limited, HK); 136.144.41.201 (WORLDSTREAM, Netherlands); 10 other IPs or domains
            Dropped: C:\Users\...\xLNcx79C4jHjqgj18VVSh9WP.exe (PE32); C:\Users\...\sogTI92U_bh3oVCPG6jcZjef.exe (PE32); C:\Users\...\mtifVmUxbaNA_vjZ1jLHnfZL.exe (PE32); 33 other files (22 malicious)
            Signatures: Drops PE files to the document folder of the user; Disable Windows Defender real time protection (registry)
          cmd.exe -> karotima_2.exe -> karotima_2.exe
            Dropped: C:\...\api-ms-win-core-string-l1-1-0.dll (PE32); C:\...\api-ms-win-core-namedpipe-l1-1-0.dll (PE32)
            Started: conhost.exe
  playfile.exe
    Dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; 2 other signatures
    Started: svchost.exe
    svchost.exe
      DNS/IP: a343345.me (198.54.114.131:80, NAMECHEAP-NET, United States)
      Dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
      Signatures: System process connects to network (likely due to code injection or exploit); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 2 other signatures
  note8876.exe
    DNS/IP: 101.36.107.74:80 (UHGL-AS-AP UCloud HK Holdings Group Limited, China); iplogger.org (88.99.66.31:443, HETZNER-AS, Germany)
    Dropped: C:\Users\user\Documents\...\note8876.exe (PE32)
    Signatures: Drops PE files to the document folder of the user; Tries to harvest and steal browser information (history, passwords, etc)
  4 other processes
    DNS/IP: 91.241.19.12 (REDBYTES-AS, Russian Federation); 8.208.92.93 (CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co Ltd, Singapore); 5 other IPs or domains
    Dropped: C:\Users\user\AppData\...\rollerkind2[1].exe (PE32); C:\Users\user\AppData\...\pl_installer[1].exe (PE32); C:\Users\user\AppData\Roaming\6784578.exe (PE32); 9 other files (none is malicious)
    Signatures: Creates processes via WMI
    Started: 6784578.exe; ligl.exe; 5337089.exe; 2 other processes
    6784578.exe
      DNS/IP: 172.67.190.51 (CLOUDFLARENET, United States)
      Dropped: C:\ProgramData\57\vcruntime140.dll (PE32); C:\ProgramData\57\sqlite3.dll (PE32); 5 other files (none is malicious)
    ligl.exe
      Dropped: C:\Users\user\AppData\Local\Temp\axhub.dll (PE32)
      Started: conhost.exe
    5337089.exe
      Dropped: C:\Users\user\AppData\...\WinHoster.exe (PE32)

haleng.exe (started from the start node)
  Dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32)
  Started: jfiag3g_gg.exe (two instances)
Threat name: ByteCode-MSIL.Backdoor.Mokes
Status: Malicious
First seen: 2021-07-15 00:51:09 UTC
AV detection: 23 of 27 (85.19%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: family:cryptbot family:oski family:redline family:smokeloader family:socelars family:vidar botnet:903 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
CryptBot
CryptBot Payload
Modifies Windows Defender Real-time Protection settings
Oski
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
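Several of the sandbox signatures reported above translate directly into endpoint detections: "Drops PE files with benign system names" and "Sigma detected: System File Execution Location Anomaly" (a svchost.exe dropped under the user profile), "Sigma detected: Suspicious Svchost Process" (svchost.exe not launched by services.exe), "Disable Windows Defender real time protection (registry)" and "Adds Run key to start application". The Python below is an added example, not MalwareBazaar or sandbox code: it runs those four checks over constructed Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) records. All events are constructed; in particular the full path C:\Users\user\AppData\Local\Temp\svchost.exe is invented (the entry only shows C:\Users\user\AppData\Local\...\svchost.exe), the SID and the Run value name are made up, and the svchost parent allowlist is abbreviated from the public Sigma rule's filter.

```python
"""Endpoint triage checks for behaviours reported in this entry, run over
constructed Sysmon-style events. Added example, not MalwareBazaar or sandbox
code; every event below is constructed for illustration."""
import re

# Directories from which Windows system binaries legitimately execute.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
ALLOWED_IMAGES = {"c:\\windows\\explorer.exe"}
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "wininit.exe", "explorer.exe"}
# Legitimate svchost parents; abbreviated from the public Sigma rule's filter list.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}
DEFENDER_RT_VALUE = r"\windows defender\real-time protection\disablerealtimemonitoring"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def system_file_location_anomaly(ev: dict) -> bool:
    """A binary named like a Windows system file executing outside system dirs."""
    if ev.get("event_id") != 1:
        return False
    image = ev["image"].lower()
    if basename(image) not in SYSTEM_NAMES or image in ALLOWED_IMAGES:
        return False
    return not image.startswith(SYSTEM_DIRS)


def suspicious_svchost_parent(ev: dict) -> bool:
    """svchost.exe whose parent is not a known service-host launcher."""
    if ev.get("event_id") != 1 or basename(ev["image"]) != "svchost.exe":
        return False
    return basename(ev.get("parent_image", "")) not in SVCHOST_PARENTS


def defender_realtime_disabled(ev: dict) -> bool:
    """Registry value set: DisableRealtimeMonitoring = 1 (Sysmon renders 'DWORD (0x00000001)')."""
    if ev.get("event_id") != 13 or not ev["target_object"].lower().endswith(DEFENDER_RT_VALUE):
        return False
    m = re.search(r"0x([0-9a-f]+)", ev.get("details", ""), re.I)
    return m is not None and int(m.group(1), 16) == 1


def run_key_persistence(ev: dict) -> bool:
    """Any value written under a CurrentVersion\\Run key (HKLM or HKU)."""
    return ev.get("event_id") == 13 and "\\currentversion\\run\\" in ev["target_object"].lower()


RULES = [
    ("system_file_location_anomaly", system_file_location_anomaly),
    ("suspicious_svchost_parent", suspicious_svchost_parent),
    ("defender_realtime_disabled", defender_realtime_disabled),
    ("run_key_persistence", run_key_persistence),
]


def triage(events):
    """Return one alert per (rule, event) match, preserving event order."""
    return [{"rule": name, "image": ev.get("image") or ev.get("target_object"), "event": ev}
            for ev in events for name, rule in RULES if rule(ev)]


# Constructed events. The rogue svchost.exe path is invented; the entry only
# shows it as C:\Users\user\AppData\Local\...\svchost.exe.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\playfile.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event_id": 13, "details": "DWORD (0x00000001)",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"event_id": 13, "details": r"C:\Users\user\AppData\Roaming\WinHoster.exe",
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHoster"},
    {"event_id": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f'{alert["rule"]:30} {alert["image"]}')
```

The legitimate svchost.exe and explorer.exe records produce nothing, while the dropped svchost.exe trips two rules at once (wrong directory and wrong parent), which is the combination the sandbox reports for the process-hollowing stage here. A value of 0 written to DisableRealtimeMonitoring is deliberately ignored, since that is what re-enabling protection looks like.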
Malware Config
C2 Extraction:
a343345.me
wymesc72.top
morjed07.top
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
https://sslamlssa1.tumblr.com/
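The C2 list above mixes bare domains, URLs with paths, the same host in both forms (wymesc72.top), and one URL on a shared blogging platform (sslamlssa1.tumblr.com, which is what the "Legitimate hosting services abused for malware hosting/C2" behaviour above refers to). Before these go into a DNS blocklist or IDS ruleset they need normalising and a scope decision: a throwaway .top or .space domain can be blocked together with all its subdomains, whereas blocking tumblr.com would break a legitimate service, so only the exact FQDN (or the full URL) should be matched. The Python below is an added example, not MalwareBazaar or ThreatFox code: the indicators are copied from this entry (a subset), while the SHARED_HOSTING set, the rule message text and the SID base are assumptions.

```python
"""Normalise the C2 indicators listed in this entry and emit Suricata DNS rules.

Added example, not MalwareBazaar or ThreatFox code. IOCS is copied from the
entry above (a subset); SHARED_HOSTING, the rule message and SID_BASE are
assumptions.
"""
from urllib.parse import urlsplit

IOCS = [
    "http://wymesc72.top/index.php",
    "http://morjed07.top/index.php",
    "http://x-vpn.ug/hfV3vDtt/index.php",
    "a343345.me",
    "wymesc72.top",
    "http://999080321newfolder1002002131-service1002.space/",
    "http://999080321test125831-service10020125999080321.space/",
    "https://sslamlssa1.tumblr.com/",
]

# Assumption: registrable domains shared by many legitimate tenants. An
# indicator under one of these is acted on as an exact FQDN (or full URL),
# never as a domain-wide block.
SHARED_HOSTING = {"tumblr.com"}
SID_BASE = 9000001  # assumption: local rule SID range


def host_of(ioc: str) -> str:
    """Lowercased hostname of a URL or bare-host indicator, port and trailing dot stripped."""
    target = ioc if "://" in ioc else "//" + ioc
    return (urlsplit(target).hostname or "").rstrip(".").lower()


def registered_domain(host: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so multi-label
    suffixes such as co.uk would be wrong; adequate for the TLDs in this entry."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(ioc: str) -> dict:
    host = host_of(ioc)
    reg = registered_domain(host)
    return {
        "ioc": ioc,
        "host": host,
        "registered_domain": reg,
        "scope": "fqdn" if reg in SHARED_HOSTING else "domain",
        "url": ioc if "://" in ioc else None,
    }


def dedupe(iocs):
    """One entry per host. A URL form wins over a bare host so the path survives."""
    by_host = {}
    for ioc in iocs:
        entry = classify(ioc)
        prev = by_host.get(entry["host"])
        if prev is None or (prev["url"] is None and entry["url"] is not None):
            by_host[entry["host"]] = entry
    return [by_host[h] for h in sorted(by_host)]


def suricata_dns_rules(entries, sid_base=SID_BASE):
    """Domain-scope hosts match the name and any subdomain (dotprefix + endswith
    keeps the match on a label boundary); fqdn-scope hosts match the exact
    query name only (bsize pins the buffer length)."""
    rules = []
    for i, e in enumerate(entries):
        if e["scope"] == "domain":
            match = f'dotprefix; content:".{e["host"]}"; nocase; endswith;'
        else:
            match = f'content:"{e["host"]}"; nocase; bsize:{len(e["host"])};'
        rules.append(
            f'alert dns any any -> any any (msg:"MalwareBazaar C2 DNS lookup {e["host"]}"; '
            f'dns.query; {match} classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    entries = dedupe(IOCS)
    for e in entries:
        print(f'{e["scope"]:6} {e["host"]:55} {e["url"] or ""}')
    print()
    print("\n".join(suricata_dns_rules(entries)))
```

Eight indicators collapse to seven hosts; the tumblr entry is the only one emitted with an exact-length match, and the URL form of wymesc72.top is kept so the /index.php path is still available for an HTTP-layer rule.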
Unpacked files
SHA256 hash:
544747fff8e88a14d7b18f649ddde747dcd798cf24238e4294097dbed903ad86
MD5 hash:
ecb0c724a25e14a7e24be766a03d0857
SHA1 hash:
1a86e570f4d3ac4a597a1c3eacf82087e8fdb124
SHA256 hash:
d90a03e850735fa12f2209a57191524ffc9c2f321a65ee7f3b51e083eb59b80f
MD5 hash:
f5ba66ed9cc96376d02e02bbfc59f460
SHA1 hash:
9d6393ea4739724156dd0cfacc5cb8db2e52f32c
SHA256 hash:
758e40068e6c747c8b70f86e9d42394c1196b3077d7d0c90ecc0b5bc01cd56a8
MD5 hash:
d7eea408c292c6ea168f9328eb5b4526
SHA1 hash:
6f9ddc9ed9ec403c457bf9c5d997a817b057459b
SHA256 hash:
c903df66e3e3c3dc0759b666896fe7f6816d691446044bdb1dfd4ff90904935a
MD5 hash:
dbbfe7aab44f31c2f03da866ed6a2288
SHA1 hash:
2950979d1dc657d95908a0e1d65b7f48173810f0
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
3c648992d1546155e984774bc4b6ca5f3ffd83d084f4e0d08346a08a95e30aa2
MD5 hash:
de1559dbbf4a543bd6ea181340105ae5
SHA1 hash:
d88509684b84254f2dc27f6ff86d6e20540b21b7
SHA256 hash:
dff28812909d091652d5c6617c38dd4e60f80c6a6c4287d9aa65ad309e96093a
MD5 hash:
499ddcc70150ef2df77600b7865896fb
SHA1 hash:
43877ca0e904073af8f720b622ece53354eca649
Detections:
win_oski_g0 win_oski_auto
SHA256 hash:
72cc90ccc3b16825e9946a81d42083a4c912293f72d697aa0166f26cc760bfd5
MD5 hash:
ede27a258a61ac5e6b2f1636346e8034
SHA1 hash:
c89ddbb73e4d0b3980d37cbe628be5d5d75fbebc
SHA256 hash:
8641c07f1ae3f67a4bf3086d6ea749c8e84e069db1e141186ba97c51eaa6a9ed
MD5 hash:
7a4afdd20ea9f0b99cc5c5b88d023e78
SHA1 hash:
77727e79d1d40eb525ef1f9c75de45d1a2710a35
SHA256 hash:
403a06f12a91f00f5834250436d0050c6387fee2c74101d0aa9697940a294b56
MD5 hash:
6800f4c8b2d1326dab120a6ad2b99ff6
SHA1 hash:
d45ad1d4567dd41b9676885c1d7c5e5ef8fe5fc0
SHA256 hash:
10c21b4bc6bb419dbb63ea2635ab210c330744e84658380965d8baa3a4bbcfd6
MD5 hash:
a5372e8d80d48d3a928b7030a0dfd3d5
SHA1 hash:
ce627e5592e97b493a9e582f7bc122bb75e1cc1a
SHA256 hash:
f55ae614fb938d3f4d7ae242692d1450488df9b8aef2eeb6bb7677b7e5b2f224
MD5 hash:
eb8258fb16479b239249ba5b0d1011ec
SHA1 hash:
a3f449206382417ea53bc2996c91223dd7d34f16
SHA256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
SHA256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
SHA256 hash:
056877edac9956258feb390fa9064657a387034d7382ce472f33f90b8f62b918
MD5 hash:
0730871e2101d7ecfb559c70f4324dbc
SHA1 hash:
9d4ca3d769ca1bf2bfcd8d1eabfb16949c272d18
SHA256 hash:
50aad66f7c6337f549e83fa8453823eaaf25e4e5300b72ed7d392ee3dbb7c4a4
MD5 hash:
2a019b0e964597765d4e20768b0cf006
SHA1 hash:
9fa71838510152d4f561ace3ece67606afaeb722
SHA256 hash:
bbbf5318b90d69722d4bd345a350a738110b7581cd78dd453ae2c18ee18ec6a3
MD5 hash:
f8cb0d8a815d6cd98e28c8782c7941f8
SHA1 hash:
a756f558b997a510b5196daee55a171414465aa2
SHA256 hash:
f2fcd49dd7ce2e64415e73f5276e813e90d53dea18f5fba68e1c8b55e0c1f631
MD5 hash:
34ea477b185d56b4906e8f0fd7a41497
SHA1 hash:
7964286655f53257f9e6a5b546b086b7027d3d18
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ASPack
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICOIUS_EXE_WindDefender_AntiEmaulation
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_CryptBot
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_HyperBro03
Author:ditekSHen
Description:Hunt HyperBro IronTiger / LuckyMouse / APT27 malware
Rule name:MALWARE_Win_RedLine
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Rule name:RedLine
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_mem
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8/
Rule name:redline_stealer
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:RedOctoberPluginCollectInfo
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.

File information



Comments