MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a617fdbff227afe8c89ba96d34724fb03c0c08857c508c8c80f3fedc916fe2b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Ransomare.Makop

Vendor detections: 11



SHA256 hash: a617fdbff227afe8c89ba96d34724fb03c0c08857c508c8c80f3fedc916fe2b4
SHA3-384 hash: 1fd1df26498b499a17ad8b9725f1d97fccf9542be94c5f5f77048ce21a36ae50f78f8cbb8b9d9ac9ce4902fc8edd0746
SHA1 hash: efde96d76f372f2f31a017a7f83ea5ed87905614
MD5 hash: 5d8ae8c788d8f89b6bbe4b94f77d0181
humanhash: idaho-cup-monkey-wolfram
File name: 입사지원서_220109(경력사항도 같이 기재하였습니다 잘부탁드립니다).exe
Signature: Ransomare.Makop
File size: 3'032'820 bytes
First seen: 2022-01-10 03:19:24 UTC
Last seen: 2022-01-10 04:30:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 49152:+yrMQjbcDLasp30MinHKQ3TqR9FhvFrcDLasp30MinHKQ3TqR9FhvF5qI:+yrMQjbcPV0FnHKQ3mhv5cPV0FnHKQ3U
Threatray: 306 similar samples on MalwareBazaar
TLSH: T10AE5E0E6E4405945F82F0BB2F8B66DB304471D7B94BC2B8C398A3B5245F7DA5103E98B
dhash icon: 3361a5a5a5a56133 (1 x Ransomare.Makop)
Reporter: fbgwls245
Tags: exe makop Ransomare.Makop Ransomware

Intelligence

File Origin
# of uploads: 2
# of downloads: 536
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 입사지원서_220109(경력사항도 같이 기재하였습니다 잘부탁드립니다).exe
Verdict: Suspicious activity
Analysis date: 2022-01-10 03:20:24 UTC
Tags: ransomware makop oled

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: control.exe expand.exe fingerprint overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Found evasive API chain (may stop execution after checking mutex)
Found ransom note / readme
Injects a PE file into a foreign processes
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: WannaCry Ransomware
Writes many files with high entropy
Yara detected Oled Ransomware
Behaviour
Behavior Graph (ID 549905; sample: 8#Ub2e4).exe; start date: 10/01/2022; architecture: WINDOWS; score: 100). The graph image is not reproduced here; the following is recovered from its rendered text.

Top-level signatures: Sigma detected: WannaCry Ransomware; Multi AV Scanner detection for submitted file; Found ransom note / readme; 4 other signatures

Process tree:
8#Ub2e4).exe
  dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
  signatures: Found evasive API chain (may stop execution after checking mutex); Writes many files with high entropy; Opens the same file many times (likely Sandbox evasion); Injects a PE file into a foreign processes
  8#Ub2e4).exe
    network: 192.168.2.1 (unknown)
    dropped: C:\Users\user\Desktop\...\PIVFAGEAAV.jpg (data); C:\Users\user\Desktop\...\DUUDTUBZFW.jpg (data); C:\Users\user\Desktop\...\BNAGMGSPLO.xlsx (data); 30 other files (28 malicious)
    signatures: Creates files in the recycle bin to hide itself; Modifies existing user documents (likely ransomware behavior)
    cmd.exe
      signatures: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Deletes the backup plan of Windows
      WMIC.exe
      conhost.exe
      wbadmin.exe
      vssadmin.exe
    8#Ub2e4).exe
      dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
      signatures: Opens the same file many times (likely Sandbox evasion); Injects a PE file into a foreign processes
      8#Ub2e4).exe
wbengine.exe
  signatures: Creates files inside the volume driver (system volume information)
vdsldr.exe
vds.exe
Threat name: Win32.Ransomware.Phobos
Status: Malicious
First seen: 2022-01-10 03:20:20 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 16 of 28 (57.14%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:makop ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Deletes shadow copies
Makop
Unpacked files
SHA256 hash: 17418c2239e7f5a21f4c66b5d1acc5df43bb7e68a40550400d3aeeb4f074fe65
MD5 hash: 52547a94a117a595a5dadf88d8447c7b
SHA1 hash: 509890898a20ea112fc50b7d33f2de866a7c7ed8

SHA256 hash: ac553372db44443b2d523fe0d6cb865f37ba80278a392ea11a43599eea2999c5
MD5 hash: 3a3a85372958c2fd2e05694609e16b1b
SHA1 hash: 91485589083064b7aaa898ed59fbdf79fe88a6d0

SHA256 hash: a617fdbff227afe8c89ba96d34724fb03c0c08857c508c8c80f3fedc916fe2b4
MD5 hash: 5d8ae8c788d8f89b6bbe4b94f77d0181
SHA1 hash: efde96d76f372f2f31a017a7f83ea5ed87905614
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Distributed via e-mail link

Comments