MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1b6faa0465ec8bf30e3450f9679f121ff9e724257577c38c813b77e82e1f42f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 2


Intelligence 2 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1b6faa0465ec8bf30e3450f9679f121ff9e724257577c38c813b77e82e1f42f
SHA3-384 hash: 966080a760a66af64dca8c9b2379702977c9862c459a5a0510666c7b30d7dfe23813cdaaaf96e5d3ac33c7985873fa95
SHA1 hash: 03dff661da8207517fc4cb3c0809e8c0fe7f76fa
MD5 hash: fbd82a5f5bfe23872fad17cf62c41a6e
humanhash: carpet-oranges-beryllium-oxygen
File name:svchost.exe
Download: download sample
File size:319'488 bytes
First seen:2020-05-05 14:39:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dd0adf5bf851f3dc20249af2934dfa3
ssdeep 6144:dcXeQ0MbLTYFIKQBLVbA989wiLBEjT/nzQ45dC33g6EjAQHP2yZ2oi6w:d0eQpvMIxREjT/U79zQuyE3F
Threatray 10 similar samples on MalwareBazaar
TLSH EE64236B82ED21BBF1335DBA685B2A0169BEC7301B16636A7754110F7E21D85DCEC30E
Reporter Anonymous
Tags:.exe


Avatar
Anonymous
Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Mpress-7
Create hunting rule

SecuriteInfo.com.Win32.DH_TA.32014.14718.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Mzrevenge
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 15:35:29 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
30 of 31 (96.77%)
Threat level:
  2/5
Verdict:
suspicious
Similar samples:
4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a
64dc4778b395fe6ba6b4911bb39d41dc2a1d5cb0655c0f369b25b5e38f0e27ec
835048e00ba3babf6f920c9a4c2863865a5dcf8e0b6ede4f57c63aeb9cb5c147
940ca9e10bfa12f912ed6d60e827f89726fd036eadafa77eff33a7168b59839a
9631ffcc8769d5ea6582646908a7a7e795cfee8d4fdaa3f1559deefb45ee6934
9b071bb883d03ad019622019118ed94894f8471ec7bff4982acc87267a552c68
a947c216ea52ce23457b3babb1e1eb6275cabe2150d3995553e4de4b8c3d97f4
bec4fa4086e8913a708a4bacb710b4f88f82082a2d282641b24af1f31e6652b9
e04cdba2c9443b7a859fb328cf19fecd73b6a91d0964b405d56a42ee0721c671
f9f23eab079a9101854c9db1d456c22548809efa8a0995418460dcd30336a9a8
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware trojan
Link:
https://tria.ge/reports/201109-s3grmv78ej/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Launches sc.exe
Modifies service
Checks whether UAC is enabled
Drops file in Drivers directory
Modifies extensions of user files
Deletes shadow copies
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments