MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoViper


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a
SHA3-384 hash: bb5ae2664cbed028d3e14e7fd4941a43bfde4d1a22e55c355912ed48ebbb5a9e7e05cdc550db1bc0209342384cc4c5b2
SHA1 hash: e1f070db44142fc0182776b7ee97c4bb6a8e03fd
MD5 hash: 0632c534089bce22467d6a49c46fec11
humanhash: alabama-lamp-artist-maine
File name:mbrtest.exe
Download: download sample
Signature CoViper
Create hunting rule
File size:118'272 bytes
First seen:2022-03-05 20:36:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 771106f54fcc51d1aa3989e528332f80 (2 x Babadeda, 1 x CoViper)
ssdeep 1536:X7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf7k33xL7HqXc6hYvn61:Lq6+ouCpk2mpcWJ0r+QNTBf7439Kg61
Threatray 112 similar samples on MalwareBazaar
TLSH T1EFC39D41F2D242F7E9F20A7100A6612FA73576248724E8EFC34C3C939953AD19A7D3E9
File icon (PE):PE icon
dhash icon e9f4aa8accc6c664 (2 x Petya, 1 x CoViper)
Reporter adm1n_usa32
Tags:CoViper crasher exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mbrtest.exe
Verdict:
Suspicious activity
Analysis date:
2022-03-05 20:35:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3e0997f-2a8d-4ab4-afc7-265fcafb2f29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247583/
Detection(s):
SecuriteInfo.com.Malware.AI.392946571.12299.9836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Sending a custom TCP request
Low-level writing
Rewriting of the hard drive's master boot record
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8324/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CoViper
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6ac42a8-fd0b-479c-9c2b-648e502ea7e9
Result
Threat name:
Babadeda Petya
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951276
Signature
Antivirus detection for dropped file
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Found Tor onion address
Infects the boot sector of the hard disk
Infects the VBR (Volume Boot Record) of the hard disk
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes directly to the primary disk partition (DR0)
Yara detected Babadeda
Yara detected Petya ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 583757 Sample: mbrtest.exe Startdate: 05/03/2022 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected Babadeda 2->36 38 Yara detected Petya ransomware 2->38 40 2 other signatures 2->40 8 mbrtest.exe 9 2->8         started        process3 file4 28 C:\Users\user\AppData\Local\...\dropper.exe, PE32 8->28 dropped 11 cmd.exe 1 8->11         started        process5 signatures6 42 Uses ping.exe to sleep 11->42 44 Uses ping.exe to check the status of other devices and networks 11->44 14 dropper.exe 11->14         started        18 PING.EXE 1 11->18         started        21 conhost.exe 11->21         started        process7 dnsIp8 30 \Device\Harddisk0\DR0, ASCII 14->30 dropped 46 Antivirus detection for dropped file 14->46 48 Multi AV Scanner detection for dropped file 14->48 50 Protects its processes via BreakOnTermination flag 14->50 52 5 other signatures 14->52 23 WerFault.exe 20 9 14->23         started        32 127.0.0.1 unknown unknown 18->32 file9 signatures10 process11 file12 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 23->26 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a/
Threat name:
Win32.Trojan.KillMbr
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 09:28:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6htgk7cowr5y4p55jsekkoitx5o5z6tjocllksz4niexvzosbgna._file
Verdict:
malicious
Similar samples:
1f79ce7d7716512af2a93caf014f302846d5f41ff9850af71120c7fed2bf5845
CoViper
385d985b4b30f4e6abe301be1d8d91582a6f8bb9d73f8753721c8f48a1250abb
CoViper
39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c
CoViper
5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
CoViper
7dfdcd5bc610f3718de9ecd3fc67aba996d3a9c786b5954832ede3cc99d0b0b7
CoViper
8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d
CoViper
cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
CoViper
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
CoViper
ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9
CoViper
f68cf2d7540359cd27bae6aaa15274efd2444f148e1632a9d4bf90facfe5c927
CoViper
+ 102 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
bootkit persistence
Link:
https://tria.ge/reports/220305-zd42hahbg6/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Writes to the Master Boot Record (MBR)
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
fa4a841fb01391a8c8ed0e949fdcf6179c1efa94a7e61c00a1397804c34e6a44
MD5 hash:
525c65e0b05a9435ec60a3d7c1d08565
SHA1 hash:
a39f0a7bf64903b3e5d16eb6d019105d4cd040b0
Detections:
win_coviper_auto
Create hunting rule
Link:
https://www.unpac.me/results/8941f4e9-7283-461a-9798-97a952339b86/
SH256 hash:
f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a
MD5 hash:
0632c534089bce22467d6a49c46fec11
SHA1 hash:
e1f070db44142fc0182776b7ee97c4bb6a8e03fd
Link:
https://www.unpac.me/results/8941f4e9-7283-461a-9798-97a952339b86/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/b3e0997f-2a8d-4ab4-afc7-265fcafb2f29
Cape
Cape
https://www.capesandbox.com/analysis/247583/

Comments