[markusg]

SHA-256
2816e869afc0bb09635c15d64f9fd1e6e02aaefc68fe227c454af302e6bb453a
File name
WinRar Setup (1).exe
https://www.virustotal.com/#/file/2816e ... /detection

[fonavozia]

C&C moved to hxxps://projectevrial.com/login/.

[fonavozia]

C&C address is downloaded from hxxps://github.com/sevampir/evrial (hxxps://raw.githubusercontent.com/sevampir/evrial/master/LICENSE.md/evrial)

[fonavozia]

Sample in attachment (379aa4c0fe0e2027e76341e075321fa0).

[ohdae]

File: b2ac53ffa2ee13e30ff0a78208d4c9b28251c00a3cd7e5345a07cd8664b943b1
Size: 46080
MD5: 379aa4c0fe0e2027e76341e075321fa0
SHA1: 8940ea910db97a4ecff02bd95218a2add8d728ce
SHA256: b2ac53ffa2ee13e30ff0a78208d4c9b28251c00a3cd7e5345a07cd8664b943b1

Pretty basic YARA rule strings for this sample here as well:

Code: Select all

	$name0 = "Evrial" ascii fullword
	$name1 = "Evrial.Hardware" ascii fullword
	$name2 = "Evrial.Cookies" ascii fullword

Thats^ the bare-minimum. I've let this hunting for awhile so I should have many more samples by EOD.