Task Information
Task ID: 0aea3224-8138-11f0-8fb7-42010aa4000b
File name: 4ba7f1b03ef99706297592460c1fe645
Task parameters: ClamAV scan: True
Unpack: False
Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
No matches
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
Rule name: adonunix2
Alert
Author: Tim Brown @timb_machine
Description: AD on UNIX
TLP: TLP:WHITE
Repository: MalwareBazaar
Rule name: Borland
Alert
Author: malware-lu
TLP: TLP:WHITE
Repository:
Rule name: botnet_plaintext_c2
Alert
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
TLP: TLP:WHITE
Repository: YARAify
Rule name: Capability_Embedded_Lua
Alert
Author: Obscurity Labs LLC
Description: Detects embedded Lua engines by looking for multiple Lua API symbols or env-var hooks
TLP: TLP:WHITE
Rule name: command_and_control
Alert
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
TLP: TLP:WHITE
Repository: CD-R0M
Rule name: CP_AllMal_Detector
Alert
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
TLP: TLP:WHITE
Repository: YARAify
Rule name: CP_Script_Inject_Detector
Alert
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
TLP: TLP:WHITE
Repository: YARAify
Rule name: DebuggerCheck__API
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: DebuggerCheck__QueryInfo
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: DebuggerHiding__Active
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: FreddyBearDropper
Alert
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP: TLP:WHITE
Repository: YARAify
Rule name: HKTL_Keyword_InjectDLL
Alert
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious InjectDLL keyword found in hacktools or possibly unwanted applications
Reference: https://github.com/zerosum0x0/koadic
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: HKTL_Keyword_InjectDLL_RID2F20
Alert
Author: Florian Roth
Description: Detects suspicious InjectDLL keyword found in hacktools or possibly unwanted applications
Reference: https://github.com/zerosum0x0/koadic
TLP: TLP:WHITE
Rule name: MD5_Constants
Alert
Author: phoul (@phoul)
Description: Look for MD5 constants
TLP: TLP:WHITE
Repository:
Rule name: NET
Alert
Author: malware-lu
TLP: TLP:WHITE
Repository:
Rule name: RIPEMD160_Constants
Alert
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
TLP: TLP:WHITE
Repository:
Rule name: SEH__vectored
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: SHA1_Constants
Alert
Author: phoul (@phoul)
Description: Look for SHA1 constants
TLP: TLP:WHITE
Repository:
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Alert
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
TLP: TLP:WHITE
Repository: YARAify
Rule name: ThreadControl__Context
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: vmdetect
Alert
Author: nex
Description: Possibly employs anti-virtualization techniques
TLP: TLP:WHITE
Repository:
Unpacker
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter