YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.

Scan Results

SHA256 hash: 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467
File size: 167'936 bytes
MIME type: application/x-dosexec
MD5 hash: ca337c7130eef4f4ff8e8a4a8ec28647
SHA1 hash: 28558e35d3f9af01fe438eba7fba1c38201c86de
SHA3-384 hash: 7379c35d3cdc3b6c8180b1d81b7c219c5c0a24493ae65a359bc99bfd43a4213ac8c31fbf681d2c372c2f0dc9ca3781a6
First seen: 2023-11-16 23:49:04 UTC
Last seen: Never
Sightings: 1
imphash: n/a
ssdeep: 3072:LBVn11HzIOLbi4eTMlwDCnun4XbZIt+ypUF:d9jzvbnWJnu14p
TLSH: n/a
telfhash: n/a
gimphash: n/a
dhash icon: n/a

Tasks

There is 1 task on YARAify for this particular file. The 10 most recent tasks are shown below.

Task Information

Task ID: b9ba5eaa-84da-11ee-8c5c-42010aa4000b
File name: 17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
Task parameters:
  ClamAV scan: True
  Unpack: False
  Share file: True

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

Signature: Win.Ransomware.Sodinokibi-6995593-0
Signature: Win.Ransomware.Sodinokibi-6995596-0
Signature: Win.Ransomware.Sodinokibi-7013612-0

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name: MAL_RANSOM_REvil_Oct20_1
Author: Florian Roth (Nextron Systems)
Description: Detects REvil ransomware
Reference: Internal Research
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: MAL_RANSOM_REvil_Oct20_1_RID2ED2
Author: Florian Roth
Description: Detects REvil ransomware
Reference: Internal Research
TLP: TLP:WHITE

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
TLP: TLP:WHITE
Repository:

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
TLP: TLP:WHITE
Repository:

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
TLP: TLP:WHITE
Repository: JPCERTCC

Rule name: meth_get_eip
Author: Willi Ballenthin
TLP: TLP:WHITE
Repository: YARAify

Rule name: pe_no_import_table
Author:
Description: Detect pe file that no import table
TLP: TLP:WHITE
Repository: YARAify

Rule name: RAN_Revil_Dec_2021_1
Author: Arkbird_SOLG
Description: Detect Revil ransomware
Reference: Internal Research
TLP: TLP:WHITE
Repository: StrangerealIntel

Rule name: Sodinokobi
Author: McAfee ATR team
Description: This rule detect Sodinokobi Ransomware in memory in old samples and perhaps future.
TLP: TLP:WHITE
Repository: advanced-threat-research

Rule name: classified
Author: classified
Description: classified
TLP: TLP:AMBER

Rule name: win_revil_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.revil.
TLP: TLP:WHITE
Repository: Malpedia

Rule name: Windows_Ransomware_Sodinokibi_83f05fbe
Author: Elastic Security
Description: Identifies SODINOKIBI/REvil ransomware
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.revil
TLP: TLP:WHITE

Rule name: Windows_Ransomware_Sodinokibi_a282ba44
Author: Elastic Security
Description: Identifies SODINOKIBI/REvil ransomware
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.revil
TLP: TLP:WHITE

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

The following files could be unpacked from this sample.