MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bcd0f6cb2c259f22ade6de07f926c2e1512948af545e7a33fd27f784ef12bfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

EduRansom

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	8bcd0f6cb2c259f22ade6de07f926c2e1512948af545e7a33fd27f784ef12bfd
SHA3-384 hash:	2c0b1b0bcfa590fa03a22fa60b88f0de2441033f61339c3769f8786a019e119f9e49a47992b562cbbf65fd09d93cfc8c
SHA1 hash:	25ae2167260e1149ff6b8e1a607d1f823a61446e
MD5 hash:	3649ce18b9fd8a18d8f4fed729aabc8d
humanhash:	zebra-summer-victor-march
File name:	3649CE18B9FD8A18D8F4FED729AABC8D.bin
Download:	download sample
Signature	EduRansom Create hunting rule
File size:	9'716'224 bytes
First seen:	2020-07-27 06:48:38 UTC
Last seen:	2020-07-27 07:50:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5a9e4417b66023acaf7fa0ab18d6e3d1 (1 x EduRansom)
ssdeep	196608:tUxs/Z5+Sg/zdLiWWCYaenOBz6muaUKAlt:F/Z5+SGEWWCYNKz62UKA
Threatray	21 similar samples on MalwareBazaar
TLSH	D4A6D052ED9F11F2F7865A318CB3276F7332A7050331E9C7CA740996E9176E5AA32342
Reporter	JAMESWT_WT
Tags:	EduRansom

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32671/

Detection(s):

SecuriteInfo.com.Trojan.Encoder.32176.2898.21102.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Changing a file

Delayed writing of the file

Reading critical registry keys

Creating a file in the mass storage device

Stealing user critical data

Result

Threat name:

EduRansom

Detection:

malicious

Classification:

rans.phis.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/398302

Signature

Detected VMProtect packer

Hides threads from debuggers

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Overwrites Mozilla Firefox settings

Tries to detect debuggers by setting the trap flag for special instructions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected EduRansom

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8bcd0f6cb2c259f22ade6de07f926c2e1512948af545e7a33fd27f784ef12bfd/

Threat name:

Win32.Ransomware.UdeRansom

Status:

Malicious

First seen:

2020-07-25 00:38:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 48 (64.58%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rpgq63fsyjm7ekw6nxqh7etmfykrffek6vc6piz72j7xqtxrfp6q._file

Verdict:

suspicious

EduRansom

22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9

EduRansom

57cf4470348e3b5da0fa3152be84a81a5e2ce5d794976387be290f528fa419fd

EduRansom

84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04

EduRansom

89d5d6a0436ed5e2e27c0f9cd1f7fa5b05fa342a082fc5d7ad2439ac75c7bf33

EduRansom

9fdf001f730abe9e97454ce266d79326fb6e7c02fa6f3c16a7bbf5485ef674c4

EduRansom

a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4

EduRansom

a488990c82230074fdf4f22a014a8f05dbb2bdc055c096c4d4a28b3a8055a648

EduRansom

cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8

EduRansom

eeff7bc679bb93407730373e791ecfcb9669be2b6dcfafa3a00aed5d4e953b4e

EduRansom

+ 11 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/200727-11vxalvpyx/

Behaviour

JavaScript code in executable

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Filecoder

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8bcd0f6cb2c259f22ade6de07f926c2e1512948af545e7a33fd27f784ef12bfd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32671/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample