Windows
Analysis Report
CHA0VZiz8y.exe
Overview
General Information
Sample name: | CHA0VZiz8y.exe (renamed because the original name is a hash value) |
Original sample name: | f0587649682207064554a2372966435d.exe |
Analysis ID: | 1447491 |
MD5: | f0587649682207064554a2372966435d |
SHA1: | 2e8b948dfcffceb8acf550a585d2ea127f28f41f |
SHA256: | 6bd479dd9293043d4149641897629169df609adf72926d32adfe0094c583828e |
Tags: | 64, exe, trojan |
Detection
CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected CryptOne packer
Yara detected Djvu Ransomware
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Vidar stealer
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Windows Defender Exclusions Added - Registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- CHA0VZiz8y.exe (PID: 4120; cmdline: "C:\Users\user\Desktop\CHA0VZiz8y.exe"; MD5: F0587649682207064554A2372966435D)
- _ebPmq_TcwNignYm0bf0ytJM.exe (PID: 2300; cmdline: C:\Users\user\Documents\SimpleAdobe\_ebPmq_TcwNignYm0bf0ytJM.exe; MD5: 9A78F27AA9D999EEE10CB154BA964869)
- 7U1bGcxK3Lqi_XMHDNEdJrhB.exe (PID: 3680; cmdline: C:\Users\user\Documents\SimpleAdobe\7U1bGcxK3Lqi_XMHDNEdJrhB.exe; MD5: ADD437E239EBA1CEABCA80AF38F80B56)
- 7U1bGcxK3Lqi_XMHDNEdJrhB.exe (PID: 5316; cmdline: C:\Users\user\Documents\SimpleAdobe\7U1bGcxK3Lqi_XMHDNEdJrhB.exe; MD5: ADD437E239EBA1CEABCA80AF38F80B56)
- icacls.exe (PID: 7628; cmdline: icacls "C:\Users\user\AppData\Local\cd606818-a84b-463e-828b-b93214ba547c" /deny *S-1-1-0:(OI)(CI)(DE,DC); MD5: 2E49585E4E08565F52090B144062F97E)
- xS7PhKcNZTx4FuBAD1RB9kbJ.exe (PID: 3944; cmdline: C:\Users\user\Documents\SimpleAdobe\xS7PhKcNZTx4FuBAD1RB9kbJ.exe; MD5: 0951BF8665040A50D5FB548BE6AC7C1D)
- ogoGQsWFwF_EcodN5qF7hiVC.exe (PID: 3056; cmdline: C:\Users\user\Documents\SimpleAdobe\ogoGQsWFwF_EcodN5qF7hiVC.exe; MD5: 22152460B13E4C2473DC3FCDEA192933)
- RegAsm.exe (PID: 2888; cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"; MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 5228; cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"; MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- Zy329tNpRVznAcNUeSg4uGuQ.exe (PID: 1400; cmdline: C:\Users\user\Documents\SimpleAdobe\Zy329tNpRVznAcNUeSg4uGuQ.exe; MD5: 6151F5177B7B35E3D7CEE99A2FC9AF24)
- J9jGBSSbDD3yrTx79DzmOLls.exe (PID: 3652; cmdline: C:\Users\user\Documents\SimpleAdobe\J9jGBSSbDD3yrTx79DzmOLls.exe; MD5: D816AEC818E5BE0A3B7AF1AEA4BCA1D8)
- RegAsm.exe (PID: 2884; cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"; MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- zfQlIB6J8n2u_zLV5LHnA1xW.exe (PID: 3920; cmdline: C:\Users\user\Documents\SimpleAdobe\zfQlIB6J8n2u_zLV5LHnA1xW.exe; MD5: E22EFC95638F4C4E07FD7DABA5BD3154)
- kat806.tmp (PID: 3652; cmdline: C:\Users\user\AppData\Local\Temp\kat806.tmp; MD5: 66064DBDB70A5EB15EBF3BF65ABA254B)
- ZMyjNtrJZsXoQ4xLeKYzrWJD.exe (PID: 4268; cmdline: C:\Users\user\Documents\SimpleAdobe\ZMyjNtrJZsXoQ4xLeKYzrWJD.exe; MD5: C0FEE8DB6325C8C1B3F8CCD13574C65A)
- A_22rjVO67ooiUk2ueyL6tMl.exe (PID: 6444; cmdline: C:\Users\user\Documents\SimpleAdobe\A_22rjVO67ooiUk2ueyL6tMl.exe; MD5: D9A7D15AE1511095BC12D4FAA9BE6F70)
- MSBuild.exe (PID: 7648; cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe; MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- EPA5EhRzK9ZnpAjdUqLJteUs.exe (PID: 6096; cmdline: C:\Users\user\Documents\SimpleAdobe\EPA5EhRzK9ZnpAjdUqLJteUs.exe; MD5: F57F726F9E1B8C24B4F7C275FFAC78CF)
- schtasks.exe (PID: 2232; cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST; MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7232; cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1; MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 7364; cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST; MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7372; cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1; MD5: 0D698AF330FD17BEE3BF90011D49251D)
- _rSi8sV87ppx0bgkbETdFbEZ.exe (PID: 4676; cmdline: C:\Users\user\Documents\SimpleAdobe\_rSi8sV87ppx0bgkbETdFbEZ.exe; MD5: 8B7B381CF7D4F577009F99FCE7E5FD39)
- _rSi8sV87ppx0bgkbETdFbEZ.tmp (PID: 2676; cmdline: "C:\Users\user\AppData\Local\Temp\is-KE107.tmp\_rSi8sV87ppx0bgkbETdFbEZ.tmp" /SL5="$4042A,5528781,54272,C:\Users\user\Documents\SimpleAdobe\_rSi8sV87ppx0bgkbETdFbEZ.exe"; MD5: 73919C5267ECFF99768AE00DFA5D9C3F)
- turquoisecdplayer.exe (PID: 4204; cmdline: "C:\Users\user\AppData\Local\Turquoise CD Player\turquoisecdplayer.exe" -i; MD5: 578530F1C73BA58C2D868B45C7223945)
- MYZqYdU5cUVwEz2j0JYbnTar.exe (PID: 5736; cmdline: C:\Users\user\Documents\SimpleAdobe\MYZqYdU5cUVwEz2j0JYbnTar.exe; MD5: 32D986D13D2B4B6ACDC7ACE345D66BD4)
- control.exe (PID: 7320; cmdline: "C:\Windows\System32\control.exe" "C:\Users\user\AppData\Local\Temp\eKhLlZQ.CPL",; MD5: EBC29AA32C57A54018089CFC9CACAFE8)
- rundll32.exe (PID: 7404; cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\eKhLlZQ.CPL",; MD5: 889B99C52A60DD49227C5E485A016679)
- FIxDICT7hSLYFeTzbHHqKZ7Z.exe (PID: 6208; cmdline: C:\Users\user\Documents\SimpleAdobe\FIxDICT7hSLYFeTzbHHqKZ7Z.exe; MD5: 3955AF54FBAC1E43C945F447D92E4108)
- 0YXJTGaxIrryNdvx7SKozTjt.exe (PID: 5556; cmdline: C:\Users\user\Documents\SimpleAdobe\0YXJTGaxIrryNdvx7SKozTjt.exe; MD5: 029B4A16951A6FB1F6A1FDA9B39769B7)
- EEmC0rfrxeQDEUW4Qmh7BQX4.exe (PID: 5276; cmdline: C:\Users\user\Documents\SimpleAdobe\EEmC0rfrxeQDEUW4Qmh7BQX4.exe; MD5: EEAB6B508F842CE18D229914CD7167F7)
- RPA18tS89oJgBrOTDKzODMll.exe (PID: 5372; cmdline: C:\Users\user\Documents\SimpleAdobe\RPA18tS89oJgBrOTDKzODMll.exe; MD5: D43AC79ABE604CAFFEFE6313617079A3)
- g_XGqx6vQcj4WvdQ2CmFiUpM.exe (PID: 5416; cmdline: C:\Users\user\Documents\SimpleAdobe\g_XGqx6vQcj4WvdQ2CmFiUpM.exe; MD5: 3542F60DFEF8BA16451AB6097587BF63)
- Install.exe (PID: 5676; cmdline: .\Install.exe; MD5: 0EC8D7480C7D858848914B24584B17B4)
- Install.exe (PID: 7448; cmdline: .\Install.exe /jfXIEdidloJv "525403" /S; MD5: C5FBFA06070EF1EA150FA88E1B6C6684)
- svchost.exe (PID: 5780; cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc; MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 5708; cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc; MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 5520; cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum; MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 7608; cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup; MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
STOP, Djvu | STOP Djvu Ransomware is a ransomware which encrypts user data with AES-256 and adds one of the dozen available extensions as a marker to the encrypted file's name. It does not encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files. | No Attribution | | |
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | |
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and Tor Browser. | No Attribution | | |
Malware Configuration
{"C2 url": ["https://steamcommunity.com/profiles/76561199689717899"], "Botnet": "c21b45a432889af65aa05cd66920d0a2", "Version": "9.8"}
{"Download URLs": [""], "C2 url": "http://cajgtus.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/33b490a613f49fa190924f199d2c079e20240512191214/caaf73\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0873PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", 
"C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8xYa6j6LzNJB2kuwO9Xc\\\\nSWMnTH6B2dX\\/XX8jCZc7kUlSg50HcwN2bYxLmKAwhfJZPFIYAufx4nMDKTEKIK5\\/\\\\n4RtQWlcufmpr7vcIJMnyyxwwyni9YfRUJR5VIIhfKzQE3gIQZ29b3M6dqzQeQ+oX\\\\nxHUQPadvTz\\/oYY7IbyFLZsHCxHKG2G2v4Yg4SX0nqMuvuzdAT+fLgmZd1ENiuf4U\\\\nWhF6Td3TAs0EkPT6MrxIXCKIQS5LAXEBcAlxRfv4QU03yP7NBxk4\\/gW6l4kV3RuO\\\\nbgqMAuPe3AkrIuOm1zi5FGsr7e8Y8KYE\\/RfQnJe+eOsmXlnhEpJGk1OLIrGxPETz\\\\nUQIDAQAB\\\\n-----END PUBLIC KEY-----"}
{"C2 url": "5.42.65.115:40551", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | |
JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security | |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
Rule | Description | Author | Strings |
---|---|---|---|
INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen | |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | |
INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen | |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security | |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Source: | Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Christian Burkard (Nextron Systems) |
Source: | Author: vburov |
No Snort rule has matched
AV Detection |
---|
Source: | Avira (3 entries) |
Source: | Avira URL Cloud (15 entries) |
Source: | Malware Configuration Extractor (2 entries) |