MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PLAY

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
SHA3-384 hash:	b0eaa7f6581cebd20a6e44d0a491a9c3b8505601bb5f8b20766c166bc261cac6ee6687b86ba079d52b364ef3d8f64c7e
SHA1 hash:	14177730443c65aefeeda3162b324fdedf9cf9e0
MD5 hash:	223eff1610b432a1f1aa06c60bd7b9a6
humanhash:	leopard-fillet-neptune-west
File name:	PLAY.mal_
Download:	download sample
Signature	PLAY Create hunting rule
File size:	182'784 bytes
First seen:	2022-09-01 20:55:55 UTC
Last seen:	2024-11-13 21:05:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bfaffd974eb97f13ae5b4b98aa20c81e (3 x PLAY)
ssdeep	3072:Yrl2uRkddO+iR7OZOQ+dzeIP9mwUGU3l2bxW1/9JnOC/fhKJ2hXh3lmG:22uyqOh2g8U12K9dtEWx17
TLSH	T1F2047D16A7B1D075E4B6847026E98EF1CE693B320F01C8EF6781176959325E2E135F3B
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	cPeterr
Tags:	exe PLAY Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

853

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PLAY.mal_

Verdict:

Malicious activity

Analysis date:

2022-09-01 20:57:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9f9d23c3-0fc3-46c4-ae0d-82eb815a68d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307312/

Detection(s):

Win.Ransomware.Fragtor-9964473-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Changing a file

Modifying an executable file

Moving a recently created file

Moving a file to the Program Files directory

Moving a file to the Program Files subdirectory

Creating a file in the Program Files subdirectories

Replacing files

Creating a file in the mass storage device

Encrypting user's files

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/36339/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

filecoder greyware ransomware

Link:

https://www.filescan.io/uploads/63111ca3e87b88e71bec58e9/reports/6a55f03e-7af5-4a35-acb9-78dbcd8938e4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/371d5f50-9273-463d-97b3-11f57ea4d703

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.spyw

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1063270

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Writes many files with high entropy

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55/

Threat name:

Win32.Ransomware.PlayCrypt

Status:

Malicious

First seen:

2022-08-08 13:35:58 UTC

File Type:

PE (Exe)

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=abvoigiqrb7qqendxiugr34vo255ezjbmvkikaisggnpq6hqnzkq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

ransomware spyware stealer

Link:

https://tria.ge/reports/220901-zq1jvadbg2/

Behaviour

Drops file in Program Files directory

Drops desktop.ini file(s)

Enumerates connected drives

Reads user/profile data of web browsers

Modifies extensions of user files

Unpacked files

SH256 hash:

006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55

MD5 hash:

223eff1610b432a1f1aa06c60bd7b9a6

SHA1 hash:

14177730443c65aefeeda3162b324fdedf9cf9e0

Link:

https://www.unpac.me/results/0e944dac-e398-407d-ab77-8b780be214ab/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/006ae4191088/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.bleepingcomputer.com/news/security/argentinas-judiciary-of-c-rdoba-hit-by-play-ransomware-attack/

Cape

https://www.capesandbox.com/analysis/307312/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample