YARAify Scan Results

Task Information

---

Task ID:	0ac8af11-1034-11f0-b4a6-42010aa4000b
File name:	400000.dotnet.exe
Task parameters:	ClamAV scan:	True
	Unpack:	False
	Share file:	True

ClamAV Results

---

The file matched the following open source and commercial ClamAV rules.

Signature:	Win.Trojan.Generic-9846514-0 Alert Create hunting rule

Signature:	Win.Trojan.Zpevdo-10036185-0 Alert Create hunting rule

YARA Results

---

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:	BLOWFISH_Constants Alert Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants
TLP:	TLP:WHITE
Repository:

Rule name:	Borland Alert Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	Check_FindWindowA_iat Alert Create hunting rule
TLP:	TLP:WHITE
Repository:

Rule name:	DebuggerCheck__API Alert Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DebuggerCheck__QueryInfo Alert Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	DebuggerHiding__Thread Alert Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	detect_powershell Alert Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	Detect_PowerShell_Obfuscation Alert Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	Disable_Defender Alert Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	EnigmaStub Alert Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.
TLP:	TLP:WHITE
Repository:	bartblaze

Rule name:	MD5_Constants Alert Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants
TLP:	TLP:WHITE
Repository:

Rule name:	NET Alert Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	pe_detect_tls_callbacks Alert Create hunting rule
Author:
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	possible_trojan_banker Alert Create hunting rule
Author:	@johnk3r
Description:	Detects common strings, DLL and API in Banker_BR
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	RANSOMWARE Alert Create hunting rule
Author:	ToroGuitar
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	RIPEMD160_Constants Alert Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants
TLP:	TLP:WHITE
Repository:

Rule name:	SHA1_Constants Alert Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants
TLP:	TLP:WHITE
Repository:

Rule name:	SHA512_Constants Alert Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants
TLP:	TLP:WHITE
Repository:

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Alert Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	test_Malaysia Alert Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	ThreadControl__Context Alert Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP:	TLP:WHITE

Rule name:	vmdetect Alert Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques
TLP:	TLP:WHITE
Repository:

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

---

The following files could be unpacked from this sample.