YARAify Scan Results
You are viewing the YARAify database entry for the file with the SHA256 hash 5a7950686bd1d0ab47a2864e51aaa6ca93560d767d4c7f3575488c9c67a3acc8.
Scan Results
| SHA256 hash: | 5a7950686bd1d0ab47a2864e51aaa6ca93560d767d4c7f3575488c9c67a3acc8 | |
|---|---|---|
| File size: | 8'605'722 bytes | |
| File download: | Original Unpacked | |
| MIME type: | application/x-dosexec | |
| MD5 hash: | 25a99d5aab6e4f2d53b5ef7c1992504c | |
| SHA1 hash: | 509854d7dd22cf0c8bb5f1a26da4a13ed361ad53 | |
| SHA3-384 hash: | cbeaa1b627eb299cd333386cc4ac2ca258c8bd0acfed0c8ceea7db33d2e9ebd30392d99d3d840de95ac3510196ae37d9 | |
| First seen: | 2024-08-03 05:51:17 UTC | |
| Last seen: | Never | |
| Sightings: | 1 | |
| imphash : | 5c8a7fbf2fc8e42ff5a789746587543d | |
| ssdeep : | 98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr | |
| TLSH : | n/a | |
| telfhash : | n/a | |
| gimphash : | n/a | |
| dhash icon : | n/a | |
Tasks
There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.
Task Information
| Task ID: | 6710b638-515c-11ef-8b8b-42010aa4000b | |
|---|---|---|
| File name: | 25a99d5aab6e4f2d53b5ef7c1992504c | |
| Task parameters: | ClamAV scan: | True |
| Unpack: | False | |
| Share file: | True | |
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
| Signature: | PUA.Win.File.Coinminer-9787052-0 |
|---|
| Signature: | PUA.Win.Packer.UpxProtector-1 |
|---|
| Signature: | Win.Downloader.Johnnie-9792210-0 |
|---|
| Signature: | Win.Downloader.Johnnie-9792269-0 |
|---|
| Signature: | Win.Dropper.Gh0stRAT-6989861-0 |
|---|
| Signature: | Win.Dropper.Gh0stRAT-6991075-0 |
|---|
| Signature: | Win.Dropper.Mimikatz-9778171-1 |
|---|
| Signature: | Win.Exploit.ChinaChopper-1-7122825-1 |
|---|
| Signature: | Win.Exploit.EQGRP-6322722-0 |
|---|
| Signature: | Win.Malware.Zegost-10012524-0 |
|---|
| Signature: | Win.Tool.Mimikatz-9741197-0 |
|---|
| Signature: | Win.Tool.Mimikatz-9784738-0 |
|---|
| Signature: | Win.Tool.Mimikatz-9862656-0 |
|---|
| Signature: | Win.Tool.Mimikatz-9862659-0 |
|---|
| Signature: | Win.Tool.Mimikatz-9862662-0 |
|---|
| Signature: | Win.Tool.Mimikatz-9862700-0 |
|---|
| Signature: | Win.Tool.Shadowbrokers-10026173-0 |
|---|
| Signature: | Win.Tool.Shadowbrokers-9775051-0 |
|---|
| Signature: | Win.Tool.Shadowbrokers-9943477-0 |
|---|
| Signature: | Win.Trojan.Generic-9975617-0 |
|---|
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
| Rule name: | BLOWFISH_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for Blowfish constants |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | ccrewQAZ |
|---|---|
| Author: | AlienVault Labs |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | CMD_Ping_Localhost |
|---|---|
| TLP: | TLP:WHITE |
| Repository: | MalwareBazaar |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| TLP: | TLP:WHITE |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| TLP: | TLP:WHITE |
| Rule name: | DebuggerException__SetConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| TLP: | TLP:WHITE |
| Rule name: | Detect_SliverFox_String |
|---|---|
| Author: | huoji |
| Description: | Detect files is `SliverFox` malware |
| TLP: | TLP:WHITE |
| Repository: | YARAify |
| Rule name: | Disable_Defender |
|---|---|
| Author: | iam-py-test |
| Description: | Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen |
| TLP: | TLP:WHITE |
| Repository: | MalwareBazaar |
| Rule name: | HackTool_Producers |
|---|---|
| Description: | Hacktool Producers String |
| TLP: | TLP:WHITE |
| Repository: | Neo23x0 |
| Rule name: | HKTL_mimikatz_icon |
|---|---|
| Author: | Arnim Rupp |
| Description: | Detects mimikatz icon in PE file |
| Reference: | https://blog.gentilkiwi.com/mimikatz |
| TLP: | TLP:WHITE |
| Repository: | Neo23x0 |
| Rule name: | INDICATOR_TOOL_EXP_ApacheStrusts |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables containing ApacheStruts exploit artifatcs |
| TLP: | TLP:WHITE |
| Repository: | diˈtekSHən |
| Rule name: | INDICATOR_TOOL_EXP_EternalBlue |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables containing EternalBlue explitation artifacts |
| TLP: | TLP:WHITE |
| Repository: | diˈtekSHən |
| Rule name: | INDICATOR_TOOL_EXP_WebLogic |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Windows executables containing Weblogic exploits commands |
| TLP: | TLP:WHITE |
| Repository: | diˈtekSHən |
| Rule name: | INDICATOR_TOOL_PWS_Mimikatz |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Mimikatz |
| TLP: | TLP:WHITE |
| Repository: | diˈtekSHən |
| Rule name: | Ins_NSIS_Buer_Nov_2020_1 |
|---|---|
| Author: | Arkbird_SOLG |
| Description: | Detect NSIS installer used for Buer loader |
| TLP: | TLP:WHITE |
| Repository: | StrangerealIntel |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | maldoc_getEIP_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| TLP: | TLP:WHITE |
| Repository: | YARAify |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| TLP: | TLP:WHITE |
| Repository: | YARAify |
| Rule name: | mimikatz |
|---|---|
| Author: | Benjamin DELPY (gentilkiwi) |
| Description: | mimikatz |
| TLP: | TLP:WHITE |
| Repository: | Neo23x0 |
| Rule name: | Mimikatz_Samples_2014b_2 |
|---|---|
| Author: | Florian Roth with the help of YarGen Rule Generator |
| Description: | Mimikatz pwassword dumper samples from the second half of 2014 |
| Reference: | not set |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | Mimikatz_SampleSet_1 |
|---|---|
| Author: | Florian Roth - Florian Roth |
| Description: | Mimikatz Rule generated from a big Mimikatz sample set |
| TLP: | TLP:WHITE |
| Rule name: | Mimikatz_SampleSet_5 |
|---|---|
| Author: | Florian Roth - Florian Roth |
| Description: | Mimikatz Rule generated from a big Mimikatz sample set |
| TLP: | TLP:WHITE |
| Rule name: | Mimikatz_SampleSet_7 |
|---|---|
| Author: | Florian Roth - Florian Roth |
| Description: | Mimikatz Rule generated from a big Mimikatz sample set |
| TLP: | TLP:WHITE |
| Rule name: | Mimikatz_SampleSet_9 |
|---|---|
| Author: | Florian Roth - Florian Roth |
| Description: | Mimikatz Rule generated from a big Mimikatz sample set |
| TLP: | TLP:WHITE |
| Rule name: | Mimikatz_Strings |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects Mimikatz strings |
| Reference: | not set |
| TLP: | TLP:WHITE |
| Repository: | Neo23x0 |
| Rule name: | Mimikatz_Strings_RID2DA0 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects Mimikatz strings |
| Reference: | not set |
| TLP: | TLP:WHITE |
| Rule name: | PE_Potentially_Signed_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| TLP: | TLP:WHITE |
| Rule name: | Ping_Command_in_EXE |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects an suspicious ping command execution in an executable |
| Reference: | Internal Research |
| TLP: | TLP:WHITE |
| Repository: | Neo23x0 |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | SHA512_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA384/SHA512 constants |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | UPXProtectorv10x2 |
|---|---|
| Author: | malware-lu |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser |
|---|---|
| Author: | malware-lu |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | UPXv20MarkusLaszloReiser |
|---|---|
| Author: | malware-lu |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | vmdetect |
|---|---|
| Author: | nex |
| Description: | Possibly employs anti-virtualization techniques |
| TLP: | TLP:WHITE |
| Repository: |
| Rule name: | win_mimikatz_w0 |
|---|---|
| Author: | Benjamin DELPY (gentilkiwi) |
| Description: | mimikatz |
| TLP: | TLP:WHITE |
| Repository: | Malpedia |
| Rule name: | with_urls |
|---|---|
| Author: | Antonio Sanchez <asanchez@hispasec.com> |
| Description: | Rule to detect the presence of an or several urls |
| Reference: | http://laboratorio.blogs.hispasec.com/ |
| TLP: | TLP:WHITE |
| Rule name: | without_attachments |
|---|---|
| Author: | Antonio Sanchez <asanchez@hispasec.com> |
| Description: | Rule to detect the no presence of any attachment |
| Reference: | http://laboratorio.blogs.hispasec.com/ |
| TLP: | TLP:WHITE |
| Rule name: | yara_template |
|---|---|
| TLP: | TLP:WHITE |
| Repository: | MalwareBazaar |
Unpacker
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter