MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeamBot


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
SHA3-384 hash: c7b43ed2c32ab583029c0d0548c842041f1d2acfcb9b0a6a7f8177ddc2ff4787a5d313f434e6237e2526bb79599ee4cf
SHA1 hash: 99e1bd46fd1673470608774a6171f5db7323a6dc
MD5 hash: 119440585a9c8d2ba603cfdf0f1a7375
humanhash: connecticut-mango-carbon-december
File name:119440585a9c8d2ba603cfdf0f1a7375.exe
Download: download sample
Signature TeamBot
Create hunting rule
File size:4'235'230 bytes
First seen:2022-03-16 22:46:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:JvuuIU2FilnTcFVG0yrmZMCpTRaaQg0/4786Bk:Jv7IUqy0VtyrmZToad0PQk
TLSH T11E16332154ED832CEDA1E6F4E6B04828C55BA5AB3B405387339AF0A4753386594FFED8
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe TeamBot


Avatar
abuse_ch
TeamBot C2:
108.170.60.184:39977

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
108.170.60.184:39977 https://threatfox.abuse.ch/ioc/395882/

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
119440585a9c8d2ba603cfdf0f1a7375.exe
Verdict:
No threats detected
Analysis date:
2022-03-16 23:11:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aaff80a8-d897-41e0-9f06-1596e7ee8103

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/251679/
Detection(s):
Win.Packed.Barys-9859531-0
Create hunting rule

Win.Malware.Barys-9859550-0
Create hunting rule

Win.Trojan.Jaik-9862229-0
Create hunting rule

Win.Malware.Generic-9863888-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Packed.SmokeLoader-9873637-1
Create hunting rule

Win.Malware.Fjkr-9875306-0
Create hunting rule

Win.Malware.Fjkr-9875931-0
Create hunting rule

Win.Malware.Zenlod-9879130-0
Create hunting rule

Win.Malware.Zenlod-9885416-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Moving a recently created file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Sending an HTTP GET request
Launching a process
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9499/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623268ecb94fb38cb4929545/reports/9de1f2d2-f8bb-47cd-bc4d-a938c26a6faa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13957007-ff90-4e99-ac14-9cf205757b40
Result
Threat name:
Djvu RedLine Vidar onlyLogger
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/958390
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Djvu Ransomware
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 590872 Sample: nNDkOcUjO5.exe Startdate: 16/03/2022 Architecture: WINDOWS Score: 100 92 uyg5wye.2ihsfa.com 2->92 94 95.217.25.49, 49887, 80 HETZNER-ASDE Germany 2->94 96 15 other IPs or domains 2->96 128 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->128 130 Malicious sample detected (through community Yara rule) 2->130 132 Antivirus detection for URL or domain 2->132 136 22 other signatures 2->136 12 nNDkOcUjO5.exe 10 2->12         started        signatures3 134 Performs DNS queries to domains with low reputation 92->134 process4 file5 82 C:\Users\user\AppData\...\setup_installer.exe, PE32 12->82 dropped 15 setup_installer.exe 16 12->15         started        process6 file7 84 C:\Users\user\AppData\Local\...\sonia_8.txt, PE32 15->84 dropped 86 C:\Users\user\AppData\Local\...\sonia_7.txt, PE32 15->86 dropped 88 C:\Users\user\AppData\Local\...\sonia_6.txt, PE32 15->88 dropped 90 9 other files (5 malicious) 15->90 dropped 18 setup_install.exe 1 15->18         started        process8 dnsIp9 98 127.0.0.1 unknown unknown 18->98 100 sokiran.xyz 18->100 74 C:\Users\user\AppData\...\sonia_7.exe (copy), PE32 18->74 dropped 76 C:\Users\user\AppData\...\sonia_6.exe (copy), PE32 18->76 dropped 78 C:\Users\user\AppData\...\sonia_5.exe (copy), PE32 18->78 dropped 80 3 other files (1 malicious) 18->80 dropped 138 Antivirus detection for dropped file 18->138 140 Multi AV Scanner detection for dropped file 18->140 142 Performs DNS queries to domains with low reputation 18->142 144 Machine Learning detection for dropped file 18->144 23 cmd.exe 1 18->23         started        25 cmd.exe 1 18->25         started        27 cmd.exe 1 18->27         started        29 6 other processes 18->29 file10 signatures11 process12 process13 31 sonia_6.exe 23->31         started        36 sonia_1.exe 5 25->36         started        38 sonia_4.exe 1 27->38         started        40 sonia_8.exe 29->40         started        42 sonia_5.exe 14 3 29->42         started        44 sonia_7.exe 29->44         started        dnsIp14 102 212.193.30.21, 49781, 49860, 80 SPD-NETTR Russian Federation 31->102 104 136.144.41.133, 49777, 80 WORLDSTREAMNL Netherlands 31->104 110 11 other IPs or domains 31->110 56 C:\Users\...\m_kO9EChIfm0KsGcEM4zabXj.exe, PE32 31->56 dropped 58 C:\Users\...\k3w5lSWFUROGQoyrH7Ou22GX.exe, PE32 31->58 dropped 60 C:\Users\...\jnKo5EYAM9BHvgE_eWTbuND8.exe, PE32 31->60 dropped 72 16 other malicious files 31->72 dropped 116 Drops PE files to the document folder of the user 31->116 118 May check the online IP address of the machine 31->118 120 Creates HTML files with .exe extension (expired dropper behavior) 31->120 122 Disable Windows Defender real time protection (registry) 31->122 62 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 36->62 dropped 46 rundll32.exe 36->46         started        106 ip-api.com 38->106 108 ip-api.com 208.95.112.1, 49776, 49853, 49897 TUT-ASUS United States 38->108 112 7 other IPs or domains 38->112 64 C:\Users\user\AppData\...\jfiag3g_gg.exe, PE32 38->64 dropped 124 Performs DNS queries to domains with low reputation 38->124 49 jfiag3g_gg.exe 38->49         started        66 C:\Users\user\AppData\Local\Temp\lihm.exe, PE32 40->66 dropped 68 C:\Users\user\AppData\Local\Temp\jhuuee.exe, PE32 40->68 dropped 70 C:\Users\user\AppData\Local\...\UGloryStp.exe, PE32 40->70 dropped 114 2 other IPs or domains 42->114 126 Injects a PE file into a foreign processes 44->126 51 sonia_7.exe 44->51         started        file15 signatures16 process17 signatures18 152 Writes to foreign memory regions 46->152 154 Allocates memory in foreign processes 46->154 156 Creates a thread in another existing process (thread injection) 46->156 53 svchost.exe 46->53 injected 158 Tries to harvest and steal browser information (history, passwords, etc) 49->158 process19 signatures20 146 System process connects to network (likely due to code injection or exploit) 53->146 148 Sets debug register (to hijack the execution of another thread) 53->148 150 Modifies the context of a thread in another process (thread injection) 53->150
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b/
Threat name:
Win32.Trojan.CookiesStealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 09:37:21 UTC
File Type:
PE (Exe)
Extracted files:
138
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nk23vk5wdqppopghxi5oc64ggfsudtslydjuafoq2c5mcqejyfq._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:arkei family:djvu family:onlylogger family:redline family:vidar botnet:1177 botnet:937 botnet:default botnet:domani botnet:ruz876 aspackv2 discovery evasion infostealer loader persistence ransomware spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220316-2qhp5sfchp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ASPack v2.12-2.42
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
OnlyLogger Payload
Vidar Stealer
Arkei
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
OnlyLogger
RedLine
RedLine Payload
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Malware Config
C2 Extraction:
varinnitof.xyz:80
http://fuyt.org/test3/get.php
185.215.113.7:5186
http://62.204.41.193/nosjpdfg.php
https://ieji.de/@sam7al
https://busshi.moe/@sam0al
Unpacked files
SH256 hash:
003fd15f1434f81dbe38220bb72c3396b6a9ae083b062a4ffc490b7f442279a0
MD5 hash:
9e281d90ae3da92fa56d41ff8eda5efc
SHA1 hash:
53867ae046c7946d4bc3b2683081df718a87766d
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
0c2ade2993927f6de828e30c07156c19751b55650a05c965631ca0ea1c983498
MD5 hash:
cc0d6b6813f92dbf5be3ecacf44d662a
SHA1 hash:
b968c57a14ddada4128356f6e39fb66c6d864d3f
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
55361941ab12c7edd987c706d25423d868f756fab1028d99eeffacdabf3da4ca
MD5 hash:
4de4b7bc0a92902422c4204fcfa58150
SHA1 hash:
587e0299ea32cc836281998941daa60f471e3480
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
MD5 hash:
7165e9d7456520d1f1644aa26da7c423
SHA1 hash:
177f9116229a021e24f80c4059999c4c52f9e830
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
ff92a6e4b786bad248b1594085510d19f292993801eb8c55408f94f92a2e84b4
MD5 hash:
7c88a8ff483f0b84a97daa4820efeea7
SHA1 hash:
93ec01a144b56d4a3e136adedeb18de06490339d
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
31bfa611103b37e1da14320250913d290b55b3ef4fab80cc78274fd629eb1dd1
MD5 hash:
79a901696d7d7e4e0702fb5b0faf4641
SHA1 hash:
4cf54183b5f03469fa5484ae7a08da8e4d7625b6
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
10a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
MD5 hash:
89c739ae3bbee8c40a52090ad0641d31
SHA1 hash:
d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
3363500e865bfd7b9d8a9f3ff13cd936a5a3af13baed569d8905284517db969e
MD5 hash:
a6653085d9809a4454ebe035748a6949
SHA1 hash:
c0fc471af6133fc4f56948f9a352f0ebaa66897c
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
MD5 hash:
5668cb771643274ba2c375ec6403c266
SHA1 hash:
dd78b03428b99368906fe62fc46aaaf1db07a8b9
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440
MD5 hash:
987d0f92ed9871031e0061e16e7bbac4
SHA1 hash:
b69f3badc82b6da0ff311f9dc509bac244464332
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
a44d8aa57db199503ee029bf73e922daabf707598b6d5cac1805d47bd956ad86
MD5 hash:
f421a51b26c06de59948172ccfd1a2d6
SHA1 hash:
a851cb33400ae722ed6e942ae31c1554e1e297ff
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
d5e7a987dd3a93c9c435097fc95d76c07aadd16e08158fe9d42389c0793f2f7f
MD5 hash:
112f83f9d855241e275101bdfd4a7097
SHA1 hash:
7608f6721aeb2ec2a7deaefc66a7f1117fdd4a36
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
30d7abcd7b6395c15f8b5db1e81f6388e03415ff47382ac60726d9c57f817211
MD5 hash:
a5e5a3df54358a9ea060b8b37c56fa64
SHA1 hash:
b2209b2c0dec18ea70b9ca394a96f62cfa08973a
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
SH256 hash:
fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
MD5 hash:
119440585a9c8d2ba603cfdf0f1a7375
SHA1 hash:
99e1bd46fd1673470608774a6171f5db7323a6dc
Link:
https://www.unpac.me/results/d25cacc0-0d80-4b9b-bda1-a9ca9ec0880b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_EXE_Packed_ASPack
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ASPack
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector03
Create hunting rule
Author:ditekSHen
Description:Detects unknown loader / injector
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pe_imphash
Create hunting rule
Rule name:PowerTool
Create hunting rule
Author:@bartblaze
Description:Identifies PowerTool, sometimes used by attackers to disable security software.
Reference:https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_sinowal_w1
Create hunting rule
Author:Seth Hardy
Description:Quarian code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/251679/

Comments