MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 347003b480671cccce2fdd442c8f3ed3503b6881c25c1aef70677813f6005df2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 347003b480671cccce2fdd442c8f3ed3503b6881c25c1aef70677813f6005df2
SHA3-384 hash: 027bdedb21f60bbc3f54ed71aa8923f6945b8371f0b00759b734184cffc2524c47f6f34daebebfa7e5bea7dad275391e
SHA1 hash: 963eb41810fad5be31d2c21bc5ea51f048b04a8f
MD5 hash: e2127d705863345a65c72f240cf44e16
humanhash: shade-early-utah-charlie
File name: system.exe
File size: 7'744'000 bytes
First seen: 2020-08-11 13:24:51 UTC
Last seen: 2020-08-11 14:21:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1eef8fec192ee428079265b0a797c107
ssdeep: 98304:npfPB3WKgvmXVWn4GpnSXqsWuy3+4kW+AngVqwdt9fo+1U1:pfPB3WKgvmXUn4GpnSXqspyO5CglU
Threatray: 15 similar samples on MalwareBazaar
TLSH: 41762B43F8B204F9C3BEF13482529732BA71789947317F935F949A961A25FE47A2E310
Reporter: Jirehlov
Tags: exe Ransomware

Intelligence


File Origin
# of uploads: 2
# of downloads: 142
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Launching the process to interact with network services
Sending a UDP request
Launching a service
Forced system process termination
Creating a window
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Searching for the window
Deleting volume shadow copies
Preventing system recovery
Enabling autorun
Result
Threat name: Unknown
Detection: malicious
Classification: rans.spre.evad
Score: 72 / 100
Signature
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
May disable shadow drive data (uses vssadmin)
Performs a network lookup / discovery via net view
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Delete shadow copy via WMIC
Sigma detected: Suspicious Debugger Registration Cmdline
Behaviour
Behavior Graph (ID 261891; sample: system.exe; start date: 11/08/2020; architecture: WINDOWS; score: 72). Process tree and signatures recovered from the graph:
system.exe (network: 127.0.0.1)
    powershell.exe
        WMIC.exe: Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
        reg.exe: Creates an undocumented autostart registry key
        WMIC.exe
        17 other processes
        Signatures on this process: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware)
    powershell.exe
        conhost.exe
        net.exe
        Signatures on this process: Performs a network lookup / discovery via net view
Sample-level signatures: Sigma detected: Delete shadow copy via WMIC; May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); 2 other signatures
Threat name: ByteCode-MSIL.Trojan.DelShad
Status: Malicious
First seen: 2020-08-11 11:45:45 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
JavaScript code in executable
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments