
YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 92ad070e85950e70909d2fa40a394970fee8b64559856802742da942455a3887.

Scan Results


SHA256 hash: 92ad070e85950e70909d2fa40a394970fee8b64559856802742da942455a3887
File size: 38'708 bytes
File download: Original
MIME type: application/x-dosexec
MD5 hash: ef52faf7540fb4aa5a1df346a68f10b0
SHA1 hash: b3956d4b57ed05a9404c1c2d4cd59910ec69e743
SHA3-384 hash: a80ddbb89e05cf2d345ee92f10c3268b9bd6e03718c54a0c83380089fd4d0a6083cb0674a90bc7b4dfb5d5cfe1a9f2b5
First seen: 2024-08-06 17:05:51 UTC
Last seen: 2024-08-06 17:05:51 UTC
Sightings: 2
imphash: 3cd715357f4bb1efb511566fc983cdf4
ssdeep: 384:Bape+6e9b1wxETHftKtLlGELmI4KQfJ3Eqm4GTp4yhGdAd0g8SptA7z6n6:Ba3/B1iET/8tLlGED4/3E94w6
TLSH: n/a
telfhash: n/a
gimphash: n/a
dhash icon: n/a

Tasks


There are 2 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information


Task ID: 22c2e3c4-5416-11ef-8b8b-42010aa4000b
File name: 400000.TMP.exe
Task parameters:
  ClamAV scan: True
  Unpack: False
  Share file: True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature: PUA.Win.Packer.Chinaprotect-1
Signature: PUA.Win.Packer.RLPack-1
Signature: PUA.Win.Packer.Rlpack-42
Signature: PUA.Win.Packer.Rlpack-59
Signature: PUA.Win.Packer.RlpackFullediti-3
Signature: PUA.Win.Packer.RlpackFullediti-5
Signature: Win.Dropper.Gh0stRAT-7414189-0

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name: CN_Honker_Webshell
Author: Florian Roth (Nextron Systems)
Description: Sample from CN Honker Pentest Toolset - file Webshell.exe
Reference: Disclosed CN Honker Pentest Toolset
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CN_Honker_Webshell_RID2DFD
Author: Florian Roth
Description: Sample from CN Honker Pentest Toolset - file Webshell.exe
Reference: Disclosed CN Honker Pentest Toolset
TLP: TLP:WHITE

Rule name: INDICATOR_EXE_Packed_RLPack
Author: ditekSHen
Description: Detects executables packed with RLPACK
TLP: TLP:WHITE
Repository: diˈtekSHən

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
TLP: TLP:WHITE
Repository:

Rule name: malware_PoisonIvy
Author: JPCERT/CC Incident Response Group
Description: detect PoisonIvy in memory
Reference: internal research
TLP: TLP:WHITE
Repository: JPCERTCC

Rule name: poisonivy
Author: Jean-Philippe Teissier / @Jipe_
Description: Poison Ivy
TLP: TLP:WHITE
Repository:

Rule name: PoisonIvy
Author: JPCERT/CC Incident Response Group
Description: detect PoisonIvy in memory
Reference: internal research
TLP: TLP:WHITE
Repository:

Rule name: RLPackFullEdition117Ap0x
Author: malware-lu
TLP: TLP:WHITE
Repository:

Rule name: RLPackFullEdition117aPLibAp0x
Author: malware-lu
TLP: TLP:WHITE
Repository:

Rule name: RLPackFullEditionV11Xap0x
Author: malware-lu
TLP: TLP:WHITE
Repository:

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.

Task Information


Task ID: 22b0efd1-5416-11ef-8b8b-42010aa4000b
File name: 400000.TMP.exe
Task parameters:
  ClamAV scan: True
  Unpack: False
  Share file: True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature: PUA.Win.Packer.Chinaprotect-1
Signature: PUA.Win.Packer.RLPack-1
Signature: PUA.Win.Packer.Rlpack-42
Signature: PUA.Win.Packer.Rlpack-59
Signature: PUA.Win.Packer.RlpackFullediti-3
Signature: PUA.Win.Packer.RlpackFullediti-5
Signature: Win.Dropper.Gh0stRAT-7414189-0

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name: CN_Honker_Webshell
Author: Florian Roth (Nextron Systems)
Description: Sample from CN Honker Pentest Toolset - file Webshell.exe
Reference: Disclosed CN Honker Pentest Toolset
TLP: TLP:WHITE
Repository: Neo23x0

Rule name: CN_Honker_Webshell_RID2DFD
Author: Florian Roth
Description: Sample from CN Honker Pentest Toolset - file Webshell.exe
Reference: Disclosed CN Honker Pentest Toolset
TLP: TLP:WHITE

Rule name: INDICATOR_EXE_Packed_RLPack
Author: ditekSHen
Description: Detects executables packed with RLPACK
TLP: TLP:WHITE
Repository: diˈtekSHən

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
TLP: TLP:WHITE
Repository:

Rule name: malware_PoisonIvy
Author: JPCERT/CC Incident Response Group
Description: detect PoisonIvy in memory
Reference: internal research
TLP: TLP:WHITE
Repository: JPCERTCC

Rule name: poisonivy
Author: Jean-Philippe Teissier / @Jipe_
Description: Poison Ivy
TLP: TLP:WHITE
Repository:

Rule name: PoisonIvy
Author: JPCERT/CC Incident Response Group
Description: detect PoisonIvy in memory
Reference: internal research
TLP: TLP:WHITE
Repository:

Rule name: RLPackFullEdition117Ap0x
Author: malware-lu
TLP: TLP:WHITE
Repository:

Rule name: RLPackFullEdition117aPLibAp0x
Author: malware-lu
TLP: TLP:WHITE
Repository:

Rule name: RLPackFullEditionV11Xap0x
Author: malware-lu
TLP: TLP:WHITE
Repository:

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.