MAL_MSIL_NET_DuckTail_Stealer_Loader

Rule Info

Name: MAL_MSIL_NET_DuckTail_Stealer_Loader
Author: dr4k0nia
Description: Detects DuckTail stealer .NET loader
Score: 80
Date: 2023-06-16
Minimum Yara: 1.7
Rule Hash: 4bfa8d3bae06b77da8133be739f126c6
Tags: ['FILE', 'MAL', 'EXE']
Required Modules: []

Antivirus Verdicts

Rating | Number of Samples
Malicious (>= 10 engines) | 21
Suspicious (< 10 engines) | 10
Clean (0 engines) | 2

Rule Matches


Rule Matches per Month (last 24 months)