MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Makop


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51
SHA3-384 hash: 64e69908c3e0f7dfef37c276d37b786025560e11f21ab98484c81f660384af02851a45aec11e29b60d7ffc09485a13e9
SHA1 hash: a2a477a36236e38ca0140e3f751006a624f142ef
MD5 hash: 5a14e0ef81ea15e9afd4defdeaa840ae
humanhash: cardinal-uncle-nine-jersey
File name:4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51
Download: download sample
Signature Makop
Create hunting rule
File size:176'640 bytes
First seen:2022-04-12 13:05:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 54dc4fa00aed2dfea3bfa727027b942d (1 x Makop)
ssdeep 1536:s/lLWqbPoATxKPTPCl+X8KY9/JOed/ohT6NxAMQ854URociX4Q2jw/mb3rU9:s/lLW2PoAp/xZdd/vsXQ4URoQM/
Threatray 1'610 similar samples on MalwareBazaar
TLSH T17104CF11BBE2C533C40594754476E6B1067EF8612F71D2133BA86A9E2E312D6C6BB38A
File icon (PE):PE icon
dhash icon 71f8a0888890c8e1 (1 x Makop)
Reporter JAMESWT_WT
Tags:exe makop Paymen45 Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
529
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51
Verdict:
Malicious activity
Analysis date:
2022-04-13 02:52:49 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/460c9cf9-7bd9-4c32-b702-f8019c7966f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263112/
Detection(s):
Win.Packed.Generic-9853074-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a service
Behavior that indicates a threat
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Searching for synchronization primitives
Launching a process
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Changing a file
Moving a recently created file
Modifying an executable file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Forced shutdown of a system process
Creating a file in the mass storage device
Encrypting user's files
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13621/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62557908eab80a7a6c009e3c/reports/0e63dc07-253a-4f7a-96b6-80d3105bbd7a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Phobos Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3542aadb-750f-4ee1-ad0c-7f6bb6465092
Result
Threat name:
Oled
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975362
Signature
Antivirus / Scanner detection for submitted sample
Creates autostart registry keys with suspicious names
Creates files in the recycle bin to hide itself
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking volume information)
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Oled Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 607851 Sample: rmlGQin2iS Startdate: 12/04/2022 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 5 other signatures 2->44 7 rmlGQin2iS.exe 1 12 2->7         started        12 rmlGQin2iS.exe 2->12         started        14 rmlGQin2iS.exe 2->14         started        process3 dnsIp4 36 192.168.2.1 unknown unknown 7->36 28 C:\readme-warning.txt, ASCII 7->28 dropped 30 C:\Users\user\Desktop\readme-warning.txt, ASCII 7->30 dropped 32 C:\Users\user\Desktop\...\readme-warning.txt, ASCII 7->32 dropped 34 38 other files (36 malicious) 7->34 dropped 46 Detected unpacking (changes PE section rights) 7->46 48 Detected unpacking (overwrites its own PE header) 7->48 50 Found evasive API chain (may stop execution after checking mutex) 7->50 52 6 other signatures 7->52 16 cmd.exe 1 7->16         started        18 rmlGQin2iS.exe 7->18         started        file5 signatures6 process7 process8 20 conhost.exe 16->20         started        22 sc.exe 1 16->22         started        24 sc.exe 1 16->24         started        26 26 other processes 16->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 10:36:25 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
35 of 42 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051
Makop
2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
Makop
57eab146f612a387a6d0db7073f200742634a31cc78dda6f59cfdc8996ddca4a
Makop
5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a
Makop
94658982002db6acea22c68b7619f71154933effd6428a81a235aba6e2789328
Makop
a617fdbff227afe8c89ba96d34724fb03c0c08857c508c8c80f3fedc916fe2b4
Makop
bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49
Makop
bc225c5fe58ce3b42512871afdcc4513a870812b6b6477d8fe53bca77100660e
Makop
e51abdb2023b560244802f7d9687944dc0dff3042c28d7bc7a2b517df6e24942
Makop
+ 1'600 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/220412-qb3k8aefe9/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Interacts with shadow copies
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Reads user/profile data of web browsers
Modifies extensions of user files
Stops running service(s)
Deletes shadow copies
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
0f5a8139fe8cc33ef652d3bee4454a82f4ced711694b5569cf03ef19de1567d0
MD5 hash:
0dba2425806541557d18624ad69d48bc
SHA1 hash:
7d05f09397f36994aecef98af5435e6e81ecd85b
Detections:
win_makop_ransomware_w0
Create hunting rule
Link:
https://www.unpac.me/results/e2aece38-4111-4f09-85fa-dc58e8ecf904/
SH256 hash:
4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51
MD5 hash:
5a14e0ef81ea15e9afd4defdeaa840ae
SHA1 hash:
a2a477a36236e38ca0140e3f751006a624f142ef
Link:
https://www.unpac.me/results/e2aece38-4111-4f09-85fa-dc58e8ecf904/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_makop_1_vk
Create hunting rule
Author:@VK_Intel
Description:Detects MAKOP ransomware payload
Reference:https://twitter.com/VK_Intel/status/1242177227682390017
Rule name:RANSOM_makop
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect the unpacked Makop ransomware samples
Rule name:win_makop_ransomware_w0
Create hunting rule
Author:@VK_Intel
Description:Detects MAKOP ransomware payload
Reference:https://twitter.com/VK_Intel/status/1242177227682390017

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Makop

Executable exe 4b12f4fdf07d06fb59b5619d01a293c51d32efd183d45a87459b47d5169cfe51

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/360750/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/263112/

Comments