YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash bbe60e4a66721c9239754b63e11f09eba968b56eef6756e68e19aed332acb5d4.

SHA256 hash:	bbe60e4a66721c9239754b63e11f09eba968b56eef6756e68e19aed332acb5d4
File size:	10'792'960 bytes
File download:	Original
MIME type:	application/x-dosexec
MD5 hash:	10cf3a9ca05cd81f5a6ade91b89c81d4
SHA1 hash:	7e3068c23c82472007963f98155a1930bb0edf36
SHA3-384 hash:	a69e636877e0dd420b987179484e444ae8e8c179847f362b3ad7ce3ae69c686a2a8a3671a9d73f1834a239b3deba6fdf
First seen:	2025-11-21 02:58:37 UTC
Last seen:	Never
Sightings:	1
imphash :	9fcc4027df3d9eda893b1cea005acdf0 Create hunting rule
ssdeep :	196608:x6F/8kYqsBmiFm4CTqfG+vTiwnDmNQkJM8uDIYnKO37F:UF/8kD4F3e+biSDcQwM8uDuu
TLSH :	T1C9B6BF173530EC60F8880B7BD5A2573465A92248A8F6C41BF70CAE77BB744135A6FA1F Create hunting rule
telfhash :	n/a
gimphash :	n/a
dhash icon :	cde83155968e84cc Create hunting rule

There are 1 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

The file matched the following open source and commercial ClamAV rules.

Signature:	PUA.Win.Packer.AcprotectUltraprotect-1 Create hunting rule

Signature:	PUA.Win.Packer.Embedpe-3 Create hunting rule

Signature:	SecuriteInfo.com.Variant.Application.Mikey.137123.24901.UNOFFICIAL Create hunting rule

Signature:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.31418.30309.UNOFFICIAL Create hunting rule

The following YARA rules matched on the file (static analysis).

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
TLP:	TLP:WHITE
Repository:

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants
TLP:	TLP:WHITE
Repository:

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants
TLP:	TLP:WHITE
Repository:

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants
TLP:	TLP:WHITE
Repository:

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/
TLP:	TLP:WHITE

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/
TLP:	TLP:WHITE

The following YARA rules matched on the unpacked file.

Disabled by submitter

The following files could be unpacked from this sample.

Disabled by submitter

2025-11-21 02:58:37 UTC Static: 14 Unpacker: 0 ClamAV: 4