MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd
SHA3-384 hash: 9912f2cfe46a1b1ea1955e01ae73430ca5d2f3561b680a5c522500a066c736f8dcc235c986372fe0fdfd3ff299b59ad4
SHA1 hash: 2d834ebcadce10b267ab6c20241b62d12706875d
MD5 hash: 9e0fd09ae20af32dfb66d844c6de9418
humanhash: sierra-king-stairway-whiskey
File name:iec56w4ibovnb4wc.onion_Library__UPXsamples__PackedRansomwareUPX.bin.malw
Download: download sample
File size:62'464 bytes
First seen:2020-03-18 23:11:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4711790e145a6d6c10c51f671d12ed69
ssdeep 1536:cOaIjDaSQhFZJjVQ7EbV5B5VZzkD/x8pLbWD:cOaEDaSQvZJ+78dfS8p/WD
Threatray 62 similar samples on MalwareBazaar
TLSH E753D08123E6812DFAF36FB81DB946604D7B7D5A7E78E35C1592800D1D72E98C4707A3
Reporter ov3rflow1
Tags:malw

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-6
Create hunting rule

Win.Trojan.Agent-6527677-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Crypmodadv
Create hunting rule
Status:
Malicious
First seen:
2018-04-27 04:56:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0a739f4ec3d096010d0cd9fc0c0631f0b080cc2aad1f720fd1883737b6a6a952
118185aed4dd97bbf3fe28bebb075a67ca7dbf75dee24efa999e170ee13d0396
5699fabebe0636ac5a7723f02566d5600a407892d570d4c91c60c4669704d8f1
7bb0368333b8dc8c6b4c422f11c02ec43d385547b460c2f1f8cf78013521a2f5
846f306ccd5e9d610aa3bb92817e08e123cc6be01c4771cdcad518130770c9dd
893033ccdb5795d90f5cad3d4e2121307a9f18b05f74c39970395a2f1a6a40ec
9bc42c118c6cc7a45c18fc844e0e132c28cfe4f90380f8a6e1305a798b3d15fb
cc95a8d100f70d0fbf4af14e852aa108bdb0e36db4054c3f60b3515818a71f46
d6f2ddb3eb2696dc88121f6cad6fce9c0b023d4aa1f8a31e912c7577b2e08e32
e5b440a826d14744df920514f027f0871f84292d83b95b731eadfe3165117448
+ 52 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/951150abf88603c73afef53326bded068d0f87b45e01dee3d268eca4eedbe9dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments