YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash fd47f98f7df3d29554d2436bc24e1eb44b049b4e9bbb8a7ba41b1167429e061b.

Scan Results

SHA256 hash: fd47f98f7df3d29554d2436bc24e1eb44b049b4e9bbb8a7ba41b1167429e061b
File size: 106'496 bytes
MIME type: application/x-dosexec
MD5 hash: 4ee6e662d89e56f381a546f3bc671658
SHA1 hash: b5c278eec22365a63fab3ac5575fe0946658df3a
SHA3-384 hash: 3f75c5c0e794af414344aca1eb9230a11e568f138b62ae60f46c11eec0332388f187d869074b583803bde0082b4fddc0
First seen: 2025-11-28 17:25:37 UTC
Last seen: Never
Sightings: 1
imphash: 0239fd611af3d0e9b0c46c5837c80e09
ssdeep: 1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqcIzmd:nSHIG6mQwGmfOQd8YhY0/ExUG
TLSH: n/a
telfhash: n/a
gimphash: n/a
dhash icon: n/a

Tasks

There is 1 task on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information

Task ID: 4132e9be-cc7f-11f0-a73e-42010aa4000b
File name: 4ee6e662d89e56f381a546f3bc671658
Task parameters:
ClamAV scan: True
Unpack: False
Share file: True

ClamAV Results

The file matched the following open source and commercial ClamAV rules.

Signature: Win.Trojan.Autoit-7057866-1
Signature: Win.Trojan.naKocTb-6331389-1

YARA Results

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
TLP: TLP:WHITE

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
TLP: TLP:WHITE
Repository: YARAify

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode
TLP: TLP:WHITE
Repository: CAPE

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
TLP: TLP:WHITE
Repository: diˈtekSHən

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers
TLP: TLP:WHITE
Repository: diˈtekSHən

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers
TLP: TLP:WHITE
Repository: diˈtekSHən

Rule name: infostealer_loki
TLP: TLP:WHITE
Repository: jeFF0Falltrades

Rule name: infostealer_xor_patterns
Author: jeFF0Falltrades
Description: The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
TLP: TLP:WHITE
Repository: jeFF0Falltrades

Rule name: Loki
Author: kevoreilly
Description: Loki Payload
TLP: TLP:WHITE
Repository: CAPE

Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research
TLP: TLP:WHITE
Repository: CAPE

Rule name: LokiBot
Author: kevoreilly
Description: LokiBot Payload
TLP: TLP:WHITE
Repository: CAPE

Rule name: LokiPWS
Author: NDA0E
Description: Detects LokiBot
TLP: TLP:WHITE
Repository: YARAify

Rule name: malware_Lokibot_strings
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research
TLP: TLP:WHITE
Repository: JPCERTCC

Rule name: NET
Author: malware-lu
TLP: TLP:WHITE
Repository:

Rule name: RANSOMWARE
Author: ToroGuitar
TLP: TLP:WHITE
Repository: YARAify

Rule name: STEALER_Lokibot
Author: Marc Rivero | McAfee ATR Team
Description: Rule to detect Lokibot stealer
TLP: TLP:WHITE
Repository: advanced-threat-research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.lokipws.
TLP: TLP:WHITE
Repository: Malpedia

Rule name: classified
Author: classified
TLP: TLP:GREEN

Rule name: Windows_Trojan_Lokibot_0f421617
Author: Elastic Security
TLP: TLP:WHITE
Repository: elastic

Rule name: Windows_Trojan_Lokibot_1f885282
Author: Elastic Security
TLP: TLP:WHITE
Repository: elastic

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

The following files could be unpacked from this sample.