Task Information
Task ID: adbaa337-1c30-11f1-b47f-42010aa4000b File name: 7cf0000.exe Task parameters: ClamAV scan: True Unpack: False Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
No matches
YARA Results
The following YARA rules matched on the file (static analysis).
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara TLP: TLP:WHITE
Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara TLP: TLP:WHITE
Rule name: sus_pe_free_without_allocation
Author: Maxime THIEBAUT (@0xThiebaut) Description: Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution TLP: TLP:WHITE
Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force() TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth Description: Detects suspicious XORed keyword - Mozilla/5.0 Reference: Internal Research TLP: TLP:WHITE
Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems) Description: Detects an XORed URL in an executable Reference: https://twitter.com/stvemillertime/status/1237035794973560834 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth Description: Detects an XORed URL in an executable Reference: https://twitter.com/stvemillertime/status/1237035794973560834 TLP: TLP:WHITE
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter