NEW | Hunt across all abuse.ch platforms with one simple query - discover if an IPv4 address, domain, URL or file hash has been identified on any platform from a centralized search tool. Test it out here hunting.abuse.ch - and happy hunting 🔍

YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 24084d5f9324fc34d37401433bdea324f558eb88214b0e4a752f8cff8c13da1b.

Scan Results

SHA256 hash: 24084d5f9324fc34d37401433bdea324f558eb88214b0e4a752f8cff8c13da1b
File size:9'836'771 bytes
File download: Original Unpacked
MIME type:application/x-dosexec
MD5 hash: f5ca37d047e4518e98866152aafffd2c
SHA1 hash: 821691bfbdc31af2d068cc5faeb625d502168aac
SHA3-384 hash: 6bb50cba993cb75b57dc2fc0a5a76461d540aaada9866a1d930aaabbfebf102766149dc80cf8e6236e628c399c5719aa
First seen:2024-09-12 17:26:57 UTC
Last seen:Never
Sightings:1
imphash : be41bf7b8cc010b614bd36bbca606973
Create hunting rule
ssdeep : 196608:1lokKDywCAfywOweBzcyw3ywsywDywPbywgsywZywRywxywBywEyw4ywwywmIByy:1qywCAqwUBzBwiwxwGwPewgxwUwswMwe
TLSH :n/a
telfhash :n/a
gimphash :n/a
File icon (PE):PE icon
dhash icon : 0001000507030300
Create hunting rule

Tasks

There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information

Task ID:367a3dea-712c-11ef-b6ec-42010aa4000b
File name:f5ca37d047e4518e98866152aafffd2c
Task parameters:ClamAV scan:True
Unpack:False
Share file:True

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

Signature:PUA.Win.File.Autokms-9804431-0
Create hunting rule
Signature:PUA.Win.Tool.Hackkms-7341355-0
Create hunting rule
Signature:Win.Tool.Autokms-9829657-0
Create hunting rule

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
TLP:TLP:WHITE
Repository:CD-R0M
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:TLP:WHITE
Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
TLP:TLP:WHITE
Repository:YARAify
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
TLP:TLP:WHITE
Repository:MalwareBazaar
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
TLP:TLP:WHITE
Repository:
Rule name:NET
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
TLP:TLP:WHITE
Repository:
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
TLP:TLP:WHITE
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
TLP:TLP:WHITE
Repository:YARAify
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
TLP:TLP:WHITE
Repository:CD-R0M

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

The following files could be unpacked from this sample.