MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HydraCrypt


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA3-384 hash: bf167abf920f6f988d4241b8fb516118994d25b494c3b08a1394da51b33a57406a7782c1e4ea767913523e1c30df2390
SHA1 hash: b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
MD5 hash: 08b304d01220f9de63244b4666621bba
humanhash: speaker-carolina-sweet-tango
File name:2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin
Download: download sample
Signature HydraCrypt
Create hunting rule
File size:167'936 bytes
First seen:2023-03-09 20:47:25 UTC
Last seen:2024-05-21 08:15:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a3d6959e6823cfab73700f601ca3412 (1 x HydraCrypt)
ssdeep 3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn
Threatray 395 similar samples on MalwareBazaar
TLSH T109F39D5BA3D2E0A6FD5C01B975875EB498B524F33F4108CB8B09495971313FC2EB2E9A
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 60f8ace2a4eced58 (1 x HydraCrypt)
Reporter petikvx
Tags:HydraCrypt Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
591
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hydracrypt.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 13:31:36 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/a0839545-8c18-442a-85ba-022ca5c02e37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373151/
Detection(s):
SecuriteInfo.com.FileCryptor.GSK.563.9902.10991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to interact with network services
Deleting volume shadow copies
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72399/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
40%
Tags:
packed
Link:
https://www.filescan.io/uploads/640a46033774707c2639aded/reports/8d764fdc-4333-4d36-a1de-e88fd6edb098/overview
Verdict:
Malicious
Labled as:
Ransom_HYDRA.AM
Link:
https://www.hybrid-analysis.com/sample/afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CTB-Locker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5299817c-d673-4e21-9bb0-4008b7ccc91f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190762
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Creates files in the recycle bin to hide itself
Creates multiple autostart registry keys
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Disables security and backup related services
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May encrypt documents and pictures (Ransomware)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Delete shadow copy via WMIC
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823638 Sample: 2016-02-03-EITest-Angler-EK... Startdate: 09/03/2023 Architecture: WINDOWS Score: 100 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 3 other signatures 2->78 9 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe 2->9         started        12 kozoxemi.exe 2->12         started        14 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe 2->14         started        16 2 other processes 2->16 process3 signatures4 88 Detected unpacking (changes PE section rights) 9->88 90 Tries to detect sandboxes / dynamic malware analysis system (file name check) 9->90 92 Contain functionality to detect virtual machines 9->92 104 5 other signatures 9->104 18 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe 6 508 9->18         started        94 Antivirus detection for dropped file 12->94 96 Multi AV Scanner detection for dropped file 12->96 98 Machine Learning detection for dropped file 12->98 23 kozoxemi.exe 12->23         started        100 Injects a PE file into a foreign processes 14->100 25 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe 14->25         started        102 Sample uses process hollowing technique 16->102 27 2016-02-03-EITest-Angler-EK-payload-HydraCrypt.bin.exe 16->27         started        process5 dnsIp6 66 google.com 172.217.168.14, 49695, 80 GOOGLEUS United States 18->66 68 192.168.2.1 unknown unknown 18->68 70 drivers-softprotect.eu 18->70 58 C:\...\desktop.ini.hydracrypt_ID_61a0d79d, a.out 18->58 dropped 60 C:\Users\user\AppData\...\kozoxemi.exe, PE32 18->60 dropped 62 C:\Users\user\AppData\...\2$FUWW$FFHEX.dat, b.out 18->62 dropped 64 21 other malicious files 18->64 dropped 80 Creates files in the recycle bin to hide itself 18->80 82 Creates multiple autostart registry keys 18->82 84 Deletes shadow drive data (may be related to ransomware) 18->84 86 3 other signatures 18->86 29 cmd.exe 1 18->29         started        32 cmd.exe 1 18->32         started        34 cmd.exe 1 18->34         started        36 26 other processes 18->36 file7 signatures8 process9 signatures10 106 Deletes shadow drive data (may be related to ransomware) 29->106 38 net.exe 1 29->38         started        40 conhost.exe 29->40         started        42 WMIC.exe 1 32->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 vssadmin.exe 1 34->48         started        50 conhost.exe 36->50         started        52 conhost.exe 36->52         started        54 50 other processes 36->54 process11 process12 56 net1.exe 1 38->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e/
Threat name:
Win32.Ransomware.HydraCrypt
Create hunting rule
Status:
Malicious
First seen:
2016-02-04 08:12:49 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
37 of 39 (94.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7j3okopth5z5jcb6qugfjedluow52zw5zjv7gzany5aaobms4xa._file
Verdict:
malicious
Similar samples:
0f1c1a1c87587222d358553c1b9a482e7d9e6a601cdf40e9a0288827311c0650
HydraCrypt
38813d304e6f75adc3b92ba75bdee6b6f000837d26cde3a0a07edb869f1666bd
HydraCrypt
4fa8e3ed74b9d941888ab229b323154e2a2bdb2274fd7e767e16bb8dadd97365
HydraCrypt
615410f6d53aefbcbdd874fdeaa335d174bdbdae890d8888e02af05e9851b589
HydraCrypt
6d0b9f54f09f25973baccfbdf8c98b61a33cbdbdf0d90563cf2964f4966ff48f
HydraCrypt
797c253df096431e69f1aa84f0010f248384fe437cda4bf8df916c48fbb7984f
HydraCrypt
895f390d56ade378e72f343465d78ed3f3f98ab04a3fb3e2e2616184e566b6c5
HydraCrypt
d063eec4ec30ecc633469e28b06bf8288a9107cd9f16ea97720877a6f761e248
HydraCrypt
e1d94beb469be76da4aafd382a153f477ede6e3a1a283b7becf6cffbd131d4df
HydraCrypt
e47ca034c78e942930e24ba0b911f2d5bb826d9259d83d0b0991dd0939f115a0
HydraCrypt
+ 385 additional samples on MalwareBazaar
Result
Malware family:
hydracrypt
Create hunting rule
Score:
  10/10
Tags:
family:hydracrypt persistence ransomware spyware stealer
Link:
https://tria.ge/reports/230309-zlerksac34/
Behaviour
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Modifies extensions of user files
Deletes shadow copies
HydraCrypt
Unpacked files
SH256 hash:
23bd00709e1a58b13c74db964c99754803b6c6ce77764ee4aa5fc20bd1ec5245
MD5 hash:
79275b7866bba0d8e5a51604d6817038
SHA1 hash:
a18e927344866ca151457cca7e74712e4642734e
Link:
https://www.unpac.me/results/ceb37cc9-85db-431b-a3ed-67a8817cd1f1/
SH256 hash:
91c9d7d2f7f9628d13fbc224383d03b0dfc51c0f8a0c004fa88a38f18e64348c
MD5 hash:
92d74a2f90f3a5fb56ae05b1e9996393
SHA1 hash:
6fda20ec6aa401df1dabebb82f8173d9f7cff6f9
Detections:
win_nitol_auto
Create hunting rule
Link:
https://www.unpac.me/results/ceb37cc9-85db-431b-a3ed-67a8817cd1f1/
Parent samples :
89ba6ca01979a51dd5e8fee7d80e8d69322531ba357750a79d8aaceb5a3163c7
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
09421ff53504cf75091ab714967521b7d55f0975b2ca08d7887bf6fb000c1b82
ac2362bfb043929f138f0ed947f81fa8444fd87b2301ecaa9a837e86f6eca690
d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758
5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
1dffdc569c0107c0f2e102f0da4fb60ac3ad59c5697e822f68548e681a384ad9
SH256 hash:
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
MD5 hash:
08b304d01220f9de63244b4666621bba
SHA1 hash:
b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
Link:
https://www.unpac.me/results/ceb37cc9-85db-431b-a3ed-67a8817cd1f1/
Malware family:
APT28
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/afd3b729cf99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/373151/

Comments