YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash 8964902504c456e13ceb4a7d51d62855de305977d8b9a5ce54c1ce1048de4e23.

SHA256 hash:	8964902504c456e13ceb4a7d51d62855de305977d8b9a5ce54c1ce1048de4e23
File size:	15'810'560 bytes
File download:	Original
MIME type:	application/x-dosexec
MD5 hash:	46431d72ffc08cdd6f8e88d3232bd57b
SHA1 hash:	4b3a8e3b0a9eb88ec16d521d7ac39632e3c3955f
SHA3-384 hash:	4fc39ccd04772bf813c7627121b564fd6c4477b3a8e78d407d4b64cb4ed0849716b0721bc595fd7e090e770b7c9c2893
First seen:	2025-11-21 00:04:47 UTC
Last seen:	Never
Sightings:	1
imphash :	9cb200ce3e226e8545d911b0ffa4c02a Create hunting rule
ssdeep :	393216:iv94IFo/elrHj38qgR+XUCPQfUlh40RPR:itzDj3AR+XTIf4h4U
TLSH :	T1CCF60203E4F3C823DCED7BBE5D2AD7642853D610792584463AFA0F4A6A31538743E9A7 Create hunting rule
telfhash :	n/a
gimphash :	n/a
dhash icon :	b2dbdc0901496412 Create hunting rule

There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

The file matched the following open source and commercial ClamAV rules.

No matches

The following YARA rules matched on the file (static analysis).

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
TLP:	TLP:WHITE
Repository:	CD-R0M

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants
TLP:	TLP:WHITE
Repository:

Rule name:	pe_detect_tls_callbacks Create hunting rule
Author:
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants
TLP:	TLP:WHITE
Repository:

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants
TLP:	TLP:WHITE
Repository:

Rule name:	VMProtectStub Create hunting rule
Author:	@bartblaze
Description:	Identifies VMProtect packer stub.
TLP:	TLP:WHITE
Repository:	bartblaze

The following YARA rules matched on the unpacked file.

Disabled by submitter

The following files could be unpacked from this sample.

Disabled by submitter

2025-11-21 00:04:48 UTC Static: 15 Unpacker: 0 ClamAV: 0