Task Information
Task ID: b17b953a-1033-11f0-b4a6-42010aa4000b
File name: 400000.0b993f41f9b27caaf27e4db4c42b16fb.exe
Task parameters: ClamAV scan: True
Unpack: False
Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
No matches
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
Rule name: APT_DustSquad_PE_Nov19_1
Alert
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721
TLP: TLP:WHITE
Repository: StrangerealIntel
Rule name: APT_DustSquad_PE_Nov19_2
Alert
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721
TLP: TLP:WHITE
Repository: StrangerealIntel
Rule name: Borland
Alert
Author: malware-lu
TLP: TLP:WHITE
Repository:
Rule name: DebuggerCheck__API
Alert
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE
Rule name: Detect_PowerShell_Obfuscation
Alert
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
TLP: TLP:WHITE
Repository: YARAify
Rule name: classified
Author: classified
Description: classified
Reference: classified
TLP: TLP:AMBER
Rule name: MD5_Constants
Alert
Author: phoul (@phoul)
Description: Look for MD5 constants
TLP: TLP:WHITE
Repository:
Rule name: SR_APT_DustSquad_PE_Nov19
Alert
Author: Arkbird_SOLG
Description: Super Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721
TLP: TLP:WHITE
Repository: StrangerealIntel
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Alert
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
TLP: TLP:WHITE
Repository: YARAify
Rule name: Unk_Crime_Downloader_2
Alert
Author: @bartblaze
Description: Identifies what appears to be related to PureLogs stealer, but it's likely a 2nd stage with the final stage to be downloaded.
TLP: TLP:WHITE
Repository: bartblaze
Rule name: vmdetect
Alert
Author: nex
Description: Possibly employs anti-virtualization techniques
TLP: TLP:WHITE
Repository:
Unpacker
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter