Task Information
Task ID: 1fec577c-9c94-11ed-98c2-42010aa4000b
File name: 4b90000.xgjAJD.dll
Task parameters: ClamAV scan: True
Unpack: False
Share file: True
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
Rule name: BitcoinAddress
Alert
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
TLP: TLP:WHITE
Repository: malware-bazaar
Rule name: command_and_control
Alert
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
TLP: TLP:WHITE
Repository: CD-R0M
Rule name: SUSP_XORed_Mozilla
Alert
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: SUSP_XORed_Mozilla_RID2DB4
Alert
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
TLP: TLP:WHITE
Rule name: SUSP_XORed_URL_in_EXE
Alert
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
TLP: TLP:WHITE
Repository: Neo23x0
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Alert
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
TLP: TLP:WHITE
Unpacker
The following YARA rules matched on the unpacked file.
Disabled by submitter
Unpacked Files
The following files could be unpacked from this sample.
Disabled by submitter