YARAify Scan Results
You are viewing the YARAify database entry for the file with the SHA256 hash 6c120011ae3df30ebdb35df05e9a494561dbd7ef1347b292da7c3de8f4c23d14.
Scan Results
SHA256 hash: | 6c120011ae3df30ebdb35df05e9a494561dbd7ef1347b292da7c3de8f4c23d14 |
---|---|
File size: | 10'331'247 bytes |
File download: | Original |
MIME type: | application/x-dosexec |
MD5 hash: | e01acc59441709fadfa1e80e35f77b73 |
SHA1 hash: | 8720fc848a3b7e7174447fe322dee89095f65efd |
SHA3-384 hash: | 9cb207c71b2b803e93254884a7d8b149d142eff388285370b38d2141b75ff3a7284366cd4a0aeb182a0feaa6b6b9b74f |
First seen: | 2025-04-03 02:33:04 UTC |
Last seen: | Never |
Sightings: | 1 |
imphash: | 41d4c56009e4f7c74b5cb4a5919d9f05 |
ssdeep: | 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1 |
TLSH: | n/a |
telfhash: | n/a |
gimphash: | n/a |
dhash icon: | n/a |
Tasks
There is 1 task on YARAify for this particular file. The 10 most recent ones are shown below.
Task Information
Task ID: | f8b524d7-1033-11f0-b4a6-42010aa4000b |
---|---|
File name: | e01acc59441709fadfa1e80e35f77b73 |
Task parameters: | ClamAV scan: True; Unpack: False; Share file: True |
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
Signature |
---|
PUA.Win.File.Coinminer-9787052-0 |
PUA.Win.Packer.UpxProtector-1 |
Win.Downloader.Johnnie-9792210-0 |
Win.Downloader.Johnnie-9792269-0 |
Win.Dropper.Gh0stRAT-6989861-0 |
Win.Dropper.Gh0stRAT-6991075-0 |
Win.Dropper.Mimikatz-9778171-1 |
Win.Exploit.ChinaChopper-1-7122825-1 |
Win.Exploit.EQGRP-6322722-0 |
Win.Malware.Zegost-10012524-0 |
Win.Tool.Mimikatz-9741197-0 |
Win.Tool.Mimikatz-9784738-0 |
Win.Tool.Mimikatz-9862656-0 |
Win.Tool.Mimikatz-9862659-0 |
Win.Tool.Mimikatz-9862662-0 |
Win.Tool.Mimikatz-9862700-0 |
Win.Tool.Shadowbrokers-10026173-0 |
Win.Tool.Shadowbrokers-10040848-0 |
Win.Tool.Shadowbrokers-9775051-0 |
Win.Tool.Shadowbrokers-9943477-0 |
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
Rule name: | BLOWFISH_Constants |
---|---|
Author: | phoul (@phoul) |
Description: | Look for Blowfish constants |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | ccrewQAZ |
---|---|
Author: | AlienVault Labs |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | CMD_Ping_Localhost |
---|---|
TLP: | TLP:WHITE |
Repository: | MalwareBazaar |
Rule name: | DebuggerCheck__API |
---|---|
Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
TLP: | TLP:WHITE |
Rule name: | DebuggerCheck__QueryInfo |
---|---|
Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
TLP: | TLP:WHITE |
Rule name: | DebuggerException__SetConsoleCtrl |
---|---|
Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
TLP: | TLP:WHITE |
Rule name: | Detect_PowerShell_Obfuscation |
---|---|
Author: | daniyyell |
Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
TLP: | TLP:WHITE |
Repository: | YARAify |
Rule name: | Detect_SliverFox_String |
---|---|
Author: | huoji |
Description: | Detects files that are `SliverFox` malware |
TLP: | TLP:WHITE |
Repository: | YARAify |
Rule name: | Disable_Defender |
---|---|
Author: | iam-py-test |
Description: | Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen |
TLP: | TLP:WHITE |
Repository: | MalwareBazaar |
Rule name: | golang_bin_JCorn_CSC846 |
---|---|
Author: | Justin Cornwell |
Description: | CSC-846 Golang detection ruleset |
TLP: | TLP:WHITE |
Repository: | YARAify |
Rule name: | HackTool_Producers |
---|---|
Description: | Hacktool Producers String |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | HKTL_mimikatz_icon |
---|---|
Author: | Arnim Rupp |
Description: | Detects mimikatz icon in PE file |
Reference: | https://blog.gentilkiwi.com/mimikatz |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | INDICATOR_TOOL_EXP_ApacheStrusts |
---|---|
Author: | ditekSHen |
Description: | Detects Windows executables containing ApacheStruts exploit artifacts |
TLP: | TLP:WHITE |
Repository: | diˈtekSHən |
Rule name: | INDICATOR_TOOL_EXP_EternalBlue |
---|---|
Author: | ditekSHen |
Description: | Detects Windows executables containing EternalBlue exploitation artifacts |
TLP: | TLP:WHITE |
Repository: | diˈtekSHən |
Rule name: | INDICATOR_TOOL_EXP_WebLogic |
---|---|
Author: | ditekSHen |
Description: | Detects Windows executables containing WebLogic exploit commands |
TLP: | TLP:WHITE |
Repository: | diˈtekSHən |
Rule name: | INDICATOR_TOOL_PWS_Mimikatz |
---|---|
Author: | ditekSHen |
Description: | Detects Mimikatz |
TLP: | TLP:WHITE |
Repository: | diˈtekSHən |
Rule name: | Ins_NSIS_Buer_Nov_2020_1 |
---|---|
Author: | Arkbird_SOLG |
Description: | Detect NSIS installer used for Buer loader |
TLP: | TLP:WHITE |
Repository: | StrangerealIntel |
Rule name: | MAL_Driver_773B |
---|---|
Author: | Florian Roth |
Description: | Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys |
Reference: | https://github.com/magicsword-io/LOLDrivers |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8 |
---|---|
Author: | Florian Roth |
Description: | Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys |
Reference: | https://github.com/magicsword-io/LOLDrivers |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662 |
---|---|
Author: | Florian Roth |
Description: | Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys |
Reference: | https://github.com/magicsword-io/LOLDrivers |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | MD5_Constants |
---|---|
Author: | phoul (@phoul) |
Description: | Look for MD5 constants |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | meth_stackstrings |
---|---|
Author: | Willi Ballenthin |
TLP: | TLP:WHITE |
Repository: | YARAify |
Rule name: | mimikatz |
---|---|
Author: | Benjamin DELPY (gentilkiwi) |
Description: | mimikatz |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | Mimikatz_Samples_2014b_2 |
---|---|
Author: | Florian Roth with the help of YarGen Rule Generator |
Description: | Mimikatz password dumper samples from the second half of 2014 |
Reference: | not set |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | Mimikatz_SampleSet_1 |
---|---|
Author: | Florian Roth - Florian Roth |
Description: | Mimikatz Rule generated from a big Mimikatz sample set |
TLP: | TLP:WHITE |
Rule name: | Mimikatz_SampleSet_5 |
---|---|
Author: | Florian Roth - Florian Roth |
Description: | Mimikatz Rule generated from a big Mimikatz sample set |
TLP: | TLP:WHITE |
Rule name: | Mimikatz_SampleSet_7 |
---|---|
Author: | Florian Roth - Florian Roth |
Description: | Mimikatz Rule generated from a big Mimikatz sample set |
TLP: | TLP:WHITE |
Rule name: | Mimikatz_SampleSet_9 |
---|---|
Author: | Florian Roth - Florian Roth |
Description: | Mimikatz Rule generated from a big Mimikatz sample set |
TLP: | TLP:WHITE |
Rule name: | Mimikatz_Strings |
---|---|
Author: | Florian Roth (Nextron Systems) |
Description: | Detects Mimikatz strings |
Reference: | not set |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | Mimikatz_Strings_RID2DA0 |
---|---|
Author: | Florian Roth |
Description: | Detects Mimikatz strings |
Reference: | not set |
TLP: | TLP:WHITE |
Rule name: | Ping_Command_in_EXE |
---|---|
Author: | Florian Roth (Nextron Systems) |
Description: | Detects a suspicious ping command execution in an executable |
Reference: | Internal Research |
TLP: | TLP:WHITE |
Repository: | Neo23x0 |
Rule name: | RIPEMD160_Constants |
---|---|
Author: | phoul (@phoul) |
Description: | Look for RIPEMD-160 constants |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | SHA1_Constants |
---|---|
Author: | phoul (@phoul) |
Description: | Look for SHA1 constants |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | SHA512_Constants |
---|---|
Author: | phoul (@phoul) |
Description: | Look for SHA384/SHA512 constants |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
---|---|
Author: | XiAnzheng |
Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP) |
TLP: | TLP:WHITE |
Repository: | YARAify |
Rule name: | test_Malaysia |
---|---|
Author: | rectifyq |
Description: | Detects file containing malaysia string |
TLP: | TLP:WHITE |
Repository: | YARAify |
Rule name: | UPXProtectorv10x2 |
---|---|
Author: | malware-lu |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser |
---|---|
Author: | malware-lu |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | UPXv20MarkusLaszloReiser |
---|---|
Author: | malware-lu |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | vmdetect |
---|---|
Author: | nex |
Description: | Possibly employs anti-virtualization techniques |
TLP: | TLP:WHITE |
Repository: | |
Rule name: | win_mimikatz_w0 |
---|---|
Author: | Benjamin DELPY (gentilkiwi) |
Description: | mimikatz |
TLP: | TLP:WHITE |
Repository: | Malpedia |
Rule name: | with_urls |
---|---|
Author: | Antonio Sanchez <asanchez@hispasec.com> |
Description: | Rule to detect the presence of one or several URLs |
Reference: | http://laboratorio.blogs.hispasec.com/ |
TLP: | TLP:WHITE |
Rule name: | without_attachments |
---|---|
Author: | Antonio Sanchez <asanchez@hispasec.com> |
Description: | Rule to detect the absence of any attachment |
Reference: | http://laboratorio.blogs.hispasec.com/ |
TLP: | TLP:WHITE |
Unpacker
The following YARA rules matched on the unpacked file.
Unpacked Files
The following files could be unpacked from this sample.