MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1cdadad999b9e70c87560fcd9821c2b0fa4c0a92b8f79bded44935dd4fdc76a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
VegaLocker
Vendor detections: 4
| SHA256 hash: | 1cdadad999b9e70c87560fcd9821c2b0fa4c0a92b8f79bded44935dd4fdc76a5 |
|---|---|
| SHA3-384 hash: | f6b1fc943263364c0fb63c92d8f83c93a41b4797e4a2eacfd74bcd9127bb28eb8fd1e846b597e766723028cffd3c2110 |
| SHA1 hash: | bc4b390e2ddbf015b4b473cc9814a09ad799a74b |
| MD5 hash: | ab8ec4451b4a5930854293f229063a03 |
| humanhash: | autumn-table-ceiling-double |
| File name: | Payment advise-PDF.exe |
| Signature | VegaLocker |
| File size: | 687'327 bytes |
| First seen: | 2020-04-07 19:15:42 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | df3c30e49dcef846eaaf0012cf6d0907 (1 x VegaLocker) |
| ssdeep: | 12288:r4qGd5NkYf24o23ADe88mCRgpmsxMw4hLzo77palxFPId5tJQ+QBq0:rMbW23ADe1mCRgpmjwGzFxCd5BG |
| Threatray: | 10 similar samples on MalwareBazaar |
| TLSH: | DEE4F183A786C072E0042730DC4697B665BABCBAFD35A02F6F9A770C76F79E19805057 |
| Reporter: | abuse_ch |
| Tags: | COVID-19 exe |
COVID-19 themed malspam distributing VegaLocker:
HELO: venuslogistics.managedns.org
Sending IP: 103.14.96.237
From: Accounts <gruchallainteriors@bellnet.ca>
Subject: Pending Payment Advise ( COVID-19 - please be safe)
Attachment: Payment advise-PDF.zip (contains "Payment advise-PDF.exe")
Intelligence
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | suspicious_packer_section |
|---|---|
| Author: | @j0sm1 |
| Description: | The packer/protector section names/keywords |
| Reference: | http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ |
| Rule name: | win_darktrack_rat_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Delivery method: | Malspam |
|---|---|
BLint
The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateRemoteThread kernel32.dll::CreateProcessA kernel32.dll::VirtualAllocEx kernel32.dll::WriteProcessMemory kernel32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CopyFileA kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA advapi32.dll::RegSetValueExA |
| WIN_USER_API | Performs GUI Actions | user32.dll::FindWindowA |
Comments
Malicious Windows executable - spyware, dropper
Incident Response Information:
Network:
DNS Requests for "mail.roofmartlk.com", "aol.com", and "eglaftb1n8ya"
Contacted "162.144.12.187"
Antivirus:
Unpacked files and memory dump detected "Fugrafa" and "Symmi" strains of malware
Packed version was frequently detected as some form of PUA or trojan
Malicious processes: "payment advise-pdf.exe", "omari.pif", "cmd.exe", "svchost.exe"
Background Context:
This malware sample was submitted to Malware Bazaar and can be viewed here: "https://bazaar.abuse.ch/sample/1cdadad999b9e70c87560fcd9821c2b0fa4c0a92b8f79bded44935dd4fdc76a5/". When submitted the malware was flagged as "VegaLocker" - a ransomware strain that has recently been attacking the healthcare industry. My analysis of this malware has NOT shown that the malware is VegaLocker, rather that the malware is actually installing spyware (more details below). The malware was sent as an attachment in a malspam email that is using "covid-19" as a lure.
Initial Static Analysis:
Windows executable, PE32 executable
ClamAV Detections: "PUA.Win.Packer.Upolyx-12", "PUA.Win.Packer.Upx-6", "PUA.Win.Adware.Slugin-6803969-0", "PUA.Win.Adware.Slugin-6840354-0"
VirusTotal Rate: 43/73 engines detected this file as malicious
MD5: ab8ec4451b4a5930854293f229063a03
SHA256: 1cdadad999b9e70c87560fcd9821c2b0fa4c0a92b8f79bded44935dd4fdc76a5
Packed with UPX - clearly has a second .exe contained inside
Interesting strings: "oleaut32.dll", "127.0", "192.168.", "GetProcAddress", "LoadLibraryA"
Dynamic Analysis:
The dynamic malware analysis engine I used is VMRay Analyzer. I also attempted to detonate the malware in one of my own virtual machines - a work in progress.
You can view the full breakdown of VMRay's analysis here: "https://www.vmray.com/analyses/1cdadad999b9/report/overview.html". VMRay concluded that the file is absolutely malicious, and classified the malware as a keylogger, dropper, and spyware. The antivirus used by the analyzer detected the unpacked file and flagged it as "Gen.Variant.Fugrada.33553". The antivirus also flagged the dropped file "omari.dll" as being part of "Gen.Variant.Symmi.55851". The automated analyzer detected that the malware was capturing keyboard input, studying the web-browser and different applications on the local OS, and overall just collecting large amounts of data.
In a virtual machine on my lab computer, I also attempted to detonate the malware - to varying degrees of success. Initially, the malware immediately detected that it was in a lab environment and not only refused to run, but the executable actually deleted itself. This is by far the most advanced piece of malware that I have ever run in a sandbox.
Conclusion:
Many attackers have been using the covid-19 virus to great success as the theme for their malspam campaigns. It is unknown if this campaign and attached malware are specifically targeted at the healthcare industry or just normal users. I do not know why the malware was submitted with the tag of "VegaLocker" as this malware is clearly different. I know that many submissions to Malware Bazaar are through automated honeypots and perhaps the machine just flagged the wrong file as being the cause of a ransomware infection. It is also possible that the dropper may study the user, and wait to download and execute VegaLocker ransomware. More studying in a hands-on sandbox will be required to conclude if the dropper is just waiting to do more.
According to the quick tests run by my static analysis tool (Malware-Dismantle.py, look for it on GitHub), the file is a packed executable capable of being run on most Windows machines. The executable is packed with UPX. The ClamAV scan that was looking for as many signatures as possible confirmed that the file is malicious, flagging signatures that it is indeed packed, and that the scanned file may be adware (kind of a strange detection, but adware has been getting more and more sneaky lately). Curiously, ClamAV flagged the file with various PUA detections - something that could cause the detections to be overlooked. According to the VirusTotal query, the file was indeed malicious as 43/73 antivirus engines detected it. Some of the interesting strings that I found tied the executable to a frequently abused .dll, suggested that the program may seek to analyze the local network, and further confirmed that the executable is packed.
VMRay Analyzer provided a large amount of information detailing the execution of this malicious file. VMRay is well known for having virtual environments that can fool malware into executing. The full report generated by VMRay (including network activity, execution details, files, etc) is available here: "https://www.vmray.com/analyses/1cdadad999b9/report/overview.html". In my own execution, I had difficulties getting the malware to execute. I need to work on my local lab analysis environment.
Dynamic analysis has shown that this is a malicious form of spyware, which also acts as a dropper.
Also, this is my first full analysis report of real malware. Please let me know if you have any suggestions or advice.
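The two static signals that both the suspicious_packer_section YARA match above and the commenter's "Packed with UPX" finding rest on are packer-style section names and high per-section entropy. The script below is an added, stdlib-only example of those checks (it is not MalwareBazaar tooling, not the YARA rule, and not the commenter's Malware-Dismantle.py): it walks the DOS header, PE signature, COFF header and section table, computes Shannon entropy per section, and reports a triage verdict. The packer name list is an assumed short subset (the real YARA rule carries a much longer one), the 7.0 bits/byte threshold is a common rule of thumb rather than a fixed standard, and the PE bytes it analyses are constructed inside the script, not taken from this sample.

```python
import math
import struct

# Assumed subset of packer section names; the suspicious_packer_section YARA rule
# matches a much longer list. UPX0/UPX1 is the layout UPX produces.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".upx", ".aspack", ".petite"}
HIGH_ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Triage verdict: sections that look like packer stubs or packed payloads."""
    sections = parse_sections(pe)
    named = [s["name"] for s in sections if s["name"] in PACKER_SECTION_NAMES]
    hot = [s["name"] for s in sections
           if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY_THRESHOLD]
    return {
        "packer_sections": named,
        "high_entropy_sections": hot,
        "likely_packed": bool(named or hot),
    }


def build_sample_pe() -> bytes:
    """Constructed, minimal PE-shaped blob (NOT this sample) with a UPX0/UPX1 layout."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)  # i386, 3 sections, no optional header
    table_off = 0x40 + 4 + 20
    data_off = table_off + 3 * 40
    payload = bytes(range(256))      # every byte value once -> entropy exactly 8.0
    padding = b"\0" * 256            # all zeros -> entropy 0.0

    def hdr(name, vsize, raw_size, raw_ptr):
        return struct.pack("<8sIIII", name, vsize, 0, raw_size, raw_ptr) + b"\0" * 16

    table = (hdr(b"UPX0", 0x10000, 0, 0)                  # empty on disk, reserved for the unpacked image
             + hdr(b"UPX1", 0x100, 256, data_off)         # compressed payload
             + hdr(b".rsrc", 0x100, 256, data_off + 256))  # low-entropy resources
    return dos + b"PE\0\0" + coff + table + payload + padding


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in parse_sections(sample):
        print(f"{s['name']:<8} raw={s['raw_size']:>5} entropy={s['entropy']:.2f}")
    print(packer_indicators(sample))
```

To run it against a real file, replace the constructed blob with `open(path, "rb").read()`; a verdict of `likely_packed` is a reason to unpack before reading strings, which is why the commenter's plain-string findings ("127.0", "192.168.") deserve the caveat that they come from a packed image.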