YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash f38ebe991c80aad6cab9d7e547be57badf5cd85b87034ad9b8d166befee654e1.

Scan Results


SHA256 hash: f38ebe991c80aad6cab9d7e547be57badf5cd85b87034ad9b8d166befee654e1
File size: 259'584 bytes
File download: Original, Unpacked
MIME type: application/x-dosexec
MD5 hash: 294232882ed326b41c2b4c63495ad440
SHA1 hash: 3f406404eaf9b48bea7ac826162cd9a2b307f869
SHA3-384 hash: a6ff49363a5fa50b10e458f25304fcefaf799e2aa362011245227ad5718bfc704f2b0bc1c8aaac91ce560330b18e57a3
First seen: 2023-07-21 21:56:05 UTC
Last seen: 2023-07-22 06:39:12 UTC
Sightings: 2
imphash: 9a064d655ca92ebdb195df1065a05abf
ssdeep: 3072:Cttys/tjEKcaMNJQFXGKlzGSj28VCMm/dNSYyVIfWCP:kygtjhZMzQQmz3MB4DVi
TLSH: T18244CF257AD0C032D46386344830D7A29A7BBC715BB5A5CF33582B3E2EB17C15ABD366
telfhash: n/a
gimphash: n/a
File icon (PE): PE icon
dhash icon: 1088c0c048a0a400

Tasks


There are 0 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information


Task ID: 783f2868-285a-11ee-98cb-42010aa4000b
File name: 294232882ed326b41c2b4c63495ad440
Task parameters:
ClamAV scan: True
Unpack: False
Share file: True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.

Task Information


Task ID: 640a9157-2811-11ee-98cb-42010aa4000b
File name: esgx9eyw.exe
Task parameters:
ClamAV scan: True
Unpack: True
Share file: True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Unpacker

The following YARA rules matched on the unpacked file.

Rule name: MALWARE_Win_Grum
Author: ditekSHen
Description: Detect Grum spam bot
TLP: TLP:WHITE

Rule name: MALWARE_Win_Tofsee
Author: ditekSHen
Description: Detects Tofsee
TLP: TLP:WHITE

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
TLP: TLP:WHITE

Rule name: tofsee_yhub
Author: Billy Austin
Description: Detects Tofsee botnet, also known as Gheg
TLP: TLP:WHITE

Rule name: win_tofsee
Author: akrasuski1
Description: Tofsee malware
Reference: https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining
TLP: TLP:WHITE

Rule name: win_tofsee_w0
Author: akrasuski1
TLP: TLP:WHITE

Rule name: Windows_Trojan_Tofsee_26124fe4
Author: Elastic Security
TLP: TLP:WHITE

Rule name: yara_template
TLP: TLP:WHITE

Unpacked Files


The following files could be unpacked from this sample.

File name: 400000.5a3dc2eb-3ead-40ee-a2db-b2163e572685.exe
MD5 hash: 9f175ce885c7b536aa076cae54ee9209
SHA256 hash: 5eadc374e88d237af8d4dedb6c42cc08998e658c57454ac8b1f5eaae9c3b1337
File size: 86'016 bytes
File type: application/x-dosexec
YARA matches: 8

File name: 1e0000.shc
MD5 hash: 3becf68038ad58fa297c98309c7cf0f7
SHA256 hash: c396f8343671cc2a06223d239e8f3b9e7bc569c984f4c656398b01ab53c6ff5d
File size: 77'824 bytes
File type: application/x-dosexec
YARA matches: 0

File name: 1e0e67.exe
MD5 hash: bc3df2e7e533504f017a5fcb4771922f
SHA256 hash: 9a5a2984a7cdab154f7764e9bf00ff8893b4be638a8553c6b26e252afac6507d
File size: 74'137 bytes
File type: application/x-dosexec
YARA matches: 0

File name: 2629000.shc
MD5 hash: 5562f0400e28b8b501c48280b10e33c3
SHA256 hash: 32417427a831bbe9a61f1bf3af121f505a8776617eb4551c9f5924fbfe52761e
File size: 77'824 bytes
File type: application/octet-stream
YARA matches: 0