Windows
Analysis Report
SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe
Overview
General Information
Detection
CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected CryptOne packer
Yara detected Djvu Ransomware
Yara detected GCleaner
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Opens network shares
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Windows Defender Exclusions Added - Registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe" MD5: A5891DF2EC1F8F0335BC744B24B4D646)
- NRN3O_fFwiqNbjNW0Hj0MSKB.exe (PID: 3912 cmdline: C:\Users\user\Documents\SimpleAdobe\NRN3O_fFwiqNbjNW0Hj0MSKB.exe MD5: 22F5F177EE04B3AC13DF5A778A5D3C1E)
- AcFckZYSxYVwMhatLa6qbSBF.exe (PID: 5180 cmdline: C:\Users\user\Documents\SimpleAdobe\AcFckZYSxYVwMhatLa6qbSBF.exe MD5: 3955AF54FBAC1E43C945F447D92E4108)
- 2JjpKpJKHpHJisxPcc0WWCif.exe (PID: 5336 cmdline: C:\Users\user\Documents\SimpleAdobe\2JjpKpJKHpHJisxPcc0WWCif.exe MD5: 335426382C8B11C43B441E478F4E743E)
- 2JjpKpJKHpHJisxPcc0WWCif.tmp (PID: 7620 cmdline: "C:\Users\user\AppData\Local\Temp\is-8OP5B.tmp\2JjpKpJKHpHJisxPcc0WWCif.tmp" /SL5="$2043A,5279044,54272,C:\Users\user\Documents\SimpleAdobe\2JjpKpJKHpHJisxPcc0WWCif.exe" MD5: BE70A78A316030C24575F48F60A59045)
- YsL35EpGrjU1rZchKY2714UT.exe (PID: 6448 cmdline: C:\Users\user\Documents\SimpleAdobe\YsL35EpGrjU1rZchKY2714UT.exe MD5: 3F023AF63A8D50A095354335B3892C5A)
- katDE8F.tmp (PID: 7456 cmdline: C:\Users\user\AppData\Local\Temp\katDE8F.tmp MD5: 66064DBDB70A5EB15EBF3BF65ABA254B)
- NMSPRoliqHaiq3pjTjf_LdWm.exe (PID: 3156 cmdline: C:\Users\user\Documents\SimpleAdobe\NMSPRoliqHaiq3pjTjf_LdWm.exe MD5: 7F3DB034A3FE2B644C9A48635C9543D5)
- control.exe (PID: 7544 cmdline: "C:\Windows\System32\control.exe" "C:\Users\user\AppData\Local\Temp\Pd2rJIO.CPl", MD5: EBC29AA32C57A54018089CFC9CACAFE8)
- rundll32.exe (PID: 7700 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\Pd2rJIO.CPl", MD5: 889B99C52A60DD49227C5E485A016679)
- va2JQfwFWdGawVd2zp4LeR00.exe (PID: 3052 cmdline: C:\Users\user\Documents\SimpleAdobe\va2JQfwFWdGawVd2zp4LeR00.exe MD5: D72B9750EAB4B21E3F39E886275D80AB)
- l9lSJ9GGGlvKrfyivpacgPFW.exe (PID: 5324 cmdline: C:\Users\user\Documents\SimpleAdobe\l9lSJ9GGGlvKrfyivpacgPFW.exe MD5: CD0FD465EA4FD58CF58413DDA8114989)
- WerFault.exe (PID: 7640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 728 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- ezK8JIVGtHF75lpAeZwSuYWB.exe (PID: 5344 cmdline: C:\Users\user\Documents\SimpleAdobe\ezK8JIVGtHF75lpAeZwSuYWB.exe MD5: 6151F5177B7B35E3D7CEE99A2FC9AF24)
- uSTzApXGKnAPBLGKxFTiBRtj.exe (PID: 1720 cmdline: C:\Users\user\Documents\SimpleAdobe\uSTzApXGKnAPBLGKxFTiBRtj.exe MD5: 0951BF8665040A50D5FB548BE6AC7C1D)
- WjH5u4L3ZceSlLwRuJa2oMKn.exe (PID: 2084 cmdline: C:\Users\user\Documents\SimpleAdobe\WjH5u4L3ZceSlLwRuJa2oMKn.exe MD5: 029B4A16951A6FB1F6A1FDA9B39769B7)
- F2MwMOxTR5ZuDHHYSd2btGVy.exe (PID: 5236 cmdline: C:\Users\user\Documents\SimpleAdobe\F2MwMOxTR5ZuDHHYSd2btGVy.exe MD5: D79B788762C6435AE9F599743F9F482D)
- RegAsm.exe (PID: 6984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 7204 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- oRz0dgUR_xvbQVyt3Uz7F7QO.exe (PID: 984 cmdline: C:\Users\user\Documents\SimpleAdobe\oRz0dgUR_xvbQVyt3Uz7F7QO.exe MD5: 43B0FD4A4213AA702E6BB8E8B67A9E2B)
- schtasks.exe (PID: 7764 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7908 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- _C5tySJGGF0UA_S78re9UWIo.exe (PID: 7140 cmdline: C:\Users\user\Documents\SimpleAdobe\_C5tySJGGF0UA_S78re9UWIo.exe MD5: D9A7D15AE1511095BC12D4FAA9BE6F70)
- Dnr7f7kJx0GzWtxbQaDXLIUA.exe (PID: 7064 cmdline: C:\Users\user\Documents\SimpleAdobe\Dnr7f7kJx0GzWtxbQaDXLIUA.exe MD5: E154829A16292C782B579D217E0EA8BF)
- RegAsm.exe (PID: 7212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- r7sW8wNeP3sav5N1yYLUJzML.exe (PID: 3512 cmdline: C:\Users\user\Documents\SimpleAdobe\r7sW8wNeP3sav5N1yYLUJzML.exe MD5: C0FEE8DB6325C8C1B3F8CCD13574C65A)
- WDXRX19iwzw1OqSiNoRL5ABe.exe (PID: 5816 cmdline: C:\Users\user\Documents\SimpleAdobe\WDXRX19iwzw1OqSiNoRL5ABe.exe MD5: D43AC79ABE604CAFFEFE6313617079A3)
- boVVOk_VnQHj3a1q182pGwZV.exe (PID: 2640 cmdline: C:\Users\user\Documents\SimpleAdobe\boVVOk_VnQHj3a1q182pGwZV.exe MD5: D1FBE0562396E6981A68818E4DA997F1)
- Install.exe (PID: 7692 cmdline: .\Install.exe MD5: EF289C0209DCA509E4AA6818F0CE63CA)
- Install.exe (PID: 7832 cmdline: .\Install.exe /TXxadidc "525403" /S MD5: C28D2EDD15308BA2FF580F1355108192)
- B0191BYWi2sm3auk5jNzPdQw.exe (PID: 5296 cmdline: C:\Users\user\Documents\SimpleAdobe\B0191BYWi2sm3auk5jNzPdQw.exe MD5: ADD437E239EBA1CEABCA80AF38F80B56)
- B0191BYWi2sm3auk5jNzPdQw.exe (PID: 7408 cmdline: C:\Users\user\Documents\SimpleAdobe\B0191BYWi2sm3auk5jNzPdQw.exe MD5: ADD437E239EBA1CEABCA80AF38F80B56)
- svchost.exe (PID: 6828 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- svchost.exe (PID: 6856 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 6880 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7352 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- WerFault.exe (PID: 7472 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5324 -ip 5324 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
STOP, Djvu | STOP Djvu Ransomware is a ransomware which encrypts user data with AES-256 and appends one of a dozen available extensions as a marker to the encrypted file's name. It does not encrypt the entire file, only the first 5 MB. In its original version it was able to run offline and, in that case, used a hard-coded key which could be extracted to decrypt files. | No Attribution | | |
GCleaner | | No Attribution | | |
RedLine Stealer | RedLine Stealer is a malware sold on underground forums, apparently either as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information about installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | |
{"C2 url": "185.172.128.170/7043a0c6a68d9c65.php"}
{"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "c21b45a432889af65aa05cd66920d0a2", "Version": "9.8"}
{"Download URLs": [""], "C2 url": "http://cajgtus.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0873PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", 
"C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8xYa6j6LzNJB2kuwO9Xc\\\\nSWMnTH6B2dX\\/XX8jCZc7kUlSg50HcwN2bYxLmKAwhfJZPFIYAufx4nMDKTEKIK5\\/\\\\n4RtQWlcufmpr7vcIJMnyyxwwyni9YfRUJR5VIIhfKzQE3gIQZ29b3M6dqzQeQ+oX\\\\nxHUQPadvTz\\/oYY7IbyFLZsHCxHKG2G2v4Yg4SX0nqMuvuzdAT+fLgmZd1ENiuf4U\\\\nWhF6Td3TAs0EkPT6MrxIXCKIQS5LAXEBcAlxRfv4QU03yP7NBxk4\\/gW6l4kV3RuO\\\\nbgqMAuPe3AkrIuOm1zi5FGsr7e8Y8KYE\\/RfQnJe+eOsmXlnhEpJGk1OLIrGxPETz\\\\nUQIDAQAB\\\\n-----END PUBLIC KEY-----"}
{"C2 addresses": ["185.172.128.90"]}
{"C2 url": "5.42.65.115:40551"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_GCleaner | Yara detected GCleaner | Joe Security | |
| | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | |
| | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security | |
| | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | |
System Summary |
---|
Source: | Author: Tim Rauch |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Source: | Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Christian Burkard (Nextron Systems) |
Source: | Author: vburov |
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
---|---|---|---|---|---|
05/24/24-13:42:02.108891 | 2049837 | 49730 | 80 | TCP | A Network Trojan was detected |
AV Detection |
---|
Source: | Avira |
Source: | Avira |
Source: | Malware Configuration Extractor |