Task Information
Task ID: cd154c3e-8137-11f0-8fb7-42010aa4000b
File name: 445d33d73076cf21ecdd32568aa3584c
Task parameters: ClamAV scan: True
Unpack: False
Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
Rule name: CHM_File_Executes_JS_Via_PowerShell
Alert
Author: daniyyell
Description: Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell
TLP: TLP:WHITE
Repository: YARAify
Rule name: CP_AllMal_Detector
Alert
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
TLP: TLP:WHITE
Repository: YARAify
Rule name: DetectEncryptedVariants
Alert
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP: TLP:WHITE
Repository: YARAify
Rule name: Disable_Defender
Alert
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
TLP: TLP:WHITE
Repository: MalwareBazaar
Rule name: FreddyBearDropper
Alert
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP: TLP:WHITE
Repository: YARAify
Rule name: iso_lnk
Alert
Author: tdawg
TLP: TLP:WHITE
Rule name: RIPEMD160_Constants
Alert
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
TLP: TLP:WHITE
Repository:
Rule name: SHA1_Constants
Alert
Author: phoul (@phoul)
Description: Look for SHA1 constants
TLP: TLP:WHITE
Repository:
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Alert
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
TLP: TLP:WHITE
Repository: YARAify
Rule name: SUSP_NullSoftInst_Combo_Oct20_1
Alert
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious NullSoft Installer combination with common Copyright strings
Reference: https://twitter.com/malwrhunterteam/status/1313023627177193472
TLP: TLP:WHITE
Repository: Neo23x0
Unpacker
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter