Task Information
Task ID: 1fec577c-9c94-11ed-98c2-42010aa4000b File name: 4b90000.xgjAJD.dll Task parameters: ClamAV scan: True Unpack: False Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
YARA Results
The following YARA rules matched on the file (static analysis).
Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens) Description: Contains a valid Bitcoin address TLP: TLP:WHITE Repository: malware-bazaar
Rule name: command_and_control
Author: CD_R0M_ Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group TLP: TLP:WHITE Repository: CD-R0M
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force() TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth Description: Detects suspicious XORed keyword - Mozilla/5.0 Reference: Internal Research TLP: TLP:WHITE
Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth Description: Detects an XORed URL in an executable Reference: https://twitter.com/stvemillertime/status/1237035794973560834 TLP: TLP:WHITE Repository: Neo23x0
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth Description: Detects an XORed URL in an executable Reference: https://twitter.com/stvemillertime/status/1237035794973560834 TLP: TLP:WHITE
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter