MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 006a6bed71198de86f59e003a891e431d75e47c3a6ead1b612af6c2f896f6e0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 006a6bed71198de86f59e003a891e431d75e47c3a6ead1b612af6c2f896f6e0b
SHA3-384 hash: a758441468f151073d2a322ee3fe34622183691c9d4844bd79968d3a5ccb269bf7fde28fcf3bace0a5cf615038c25f82
SHA1 hash: bd233a21fec15d541446e85c1f4b5af5879e754e
MD5 hash: 509f4cfb25305b927c606723fe2f6b8b
humanhash: triple-echo-chicken-louisiana
File name:509f4cfb_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:641'024 bytes
First seen:2021-05-05 08:02:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 665ca8ef89a5633779c67d062b93bcad (1 x VirLock)
ssdeep 12288:rOII1IJfA7gxgYGg9BKPy7zwgIhdKjnPay4qlCtYm9jWylGnTTm:rOIIiJo7+gy9Bnw3/KjnPH/C9h0nTTm
Threatray 16 similar samples on MalwareBazaar
TLSH 52D4AD62ABF9D8FECC5582768CC4F6B8C69283769E0D425F0F404095A0FE9D4E3D5E4A
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149948/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6804475-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
Creating a file in the Windows subdirectories
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/006a6bed71198de86f59e003a891e431d75e47c3a6ead1b612af6c2f896f6e0b/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 01:06:46 UTC
AV detection:
44 of 45 (97.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
01b660c91e227a817722d8253374b0e0e535106f116d58c9e7bc74905a6856dd
VirLock
18f98b3e546cd029c9c0a7d3538ee81051feb61ed869b9f9bfc7f2804848c13d
VirLock
4fc2bd2bacfa559b22c7a4b69199fe7d96cc9565dfabec90a9f24d694b2c68c7
VirLock
659b76788cccfc9c993dd9047e86844c7183957478fabe32455dc2a2ddea49fb
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
90761262c9ec61d2a8e6de72eeeec48ba96b847332d509e3be357581be133598
VirLock
ae4bafd3c3f078bb17813eeeeef9d5c9587c758a492359310690bc2cbc7278be
VirLock
ce110be24e6986a96b43b83b15c1d8d6a20274e47e677fccb47b97c8818a268c
VirLock
e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
VirLock
f7b7022afea2352c4c4874452f1505e9e4c344923b8b27b661e2b0ccc74f58f6
VirLock
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210505-927sd98g1j/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
2618c865040a26afa6f3c0b3e49a0ee687e29644519c0fd57e5cc512ba687686
MD5 hash:
e14ac67990bcd5e37f24347f1358c922
SHA1 hash:
7163e4c8f1d9bc1ce547a8fd92e0a4a8429eabfb
Link:
https://www.unpac.me/results/e23defb8-ea05-4b1f-888c-86e937617dbd/
SH256 hash:
8d0aafeb646968d4e874bc5571fe3745fa07577de296737c68892073e28b9659
MD5 hash:
68ebfd257af15813dab501bc3d940577
SHA1 hash:
f0191f7ce5c2341c01ffe1eed336ff34dfa5adf3
Link:
https://www.unpac.me/results/e23defb8-ea05-4b1f-888c-86e937617dbd/
SH256 hash:
68711178a2cf000d99d2308c8e2d1ae8ab6eea1f4427c2fc4d1709c42bc936cd
MD5 hash:
47f49fae3aedd9b9e19521b54bfbe656
SHA1 hash:
5124324353f0cd5148652d3560f7ec23f57fe959
Link:
https://www.unpac.me/results/e23defb8-ea05-4b1f-888c-86e937617dbd/
SH256 hash:
ff4acb42e13d87d19e31429842ef5e94716279bccabf2e747b3cb1cac414ad7d
MD5 hash:
0f602d1497a56f224ec070dcf2c3d821
SHA1 hash:
1742afcb3b49a2d0a2f1937973a3a0c0d1f88819
Link:
https://www.unpac.me/results/e23defb8-ea05-4b1f-888c-86e937617dbd/
SH256 hash:
006a6bed71198de86f59e003a891e431d75e47c3a6ead1b612af6c2f896f6e0b
MD5 hash:
509f4cfb25305b927c606723fe2f6b8b
SHA1 hash:
bd233a21fec15d541446e85c1f4b5af5879e754e
Link:
https://www.unpac.me/results/e23defb8-ea05-4b1f-888c-86e937617dbd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/006a6bed71198de86f59e003a891e431d75e47c3a6ead1b612af6c2f896f6e0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149948/

Comments