MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA3-384 hash: 3bdb62add6a6517c284d3ef9cac91a7a904664fbe6e73d1efedd2a2cfa7c46558dc9f003e55c9800e05f4062811de781
SHA1 hash: 3cb0cb07cc2542f1d98060adccda726ea865db98
MD5 hash: d86f451bbff804e59a549f9fb33d6e3f
humanhash: tennessee-mars-tennis-georgia
File name:Control.exe
Download: download sample
File size:1'976'000 bytes
First seen:2021-03-27 07:27:48 UTC
Last seen:2021-03-27 09:33:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d2ddf9bb9051294e17ea7cb876c77e2
ssdeep 49152:olyGDEemRoq2KKpgL5lWKDFcmjkf8cudB/8WjM:UYerFq/FgUcuf/85
Threatray 7 similar samples on MalwareBazaar
TLSH E7950282818364FDD6A5A27A022D93727D92F6501DE21BE73EF3C21E97344855ABFC13
Reporter Jirehlov
Tags:exe Ransomware signed

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Control.bin
Verdict:
No threats detected
Analysis date:
2021-03-27 12:37:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34c764bb-e6ce-4802-9eac-bd4082f972f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127249/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.33705.26029.23602.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Changing a file
Creating a file
Sending a UDP request
Deleting a recently created file
Replacing files
Running batch commands
Launching a process
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe62108a-43c3-484a-b27c-707c92ee10e7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/655809
Signature
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376841 Sample: Control.exe Startdate: 27/03/2021 Architecture: WINDOWS Score: 96 41 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Deletes shadow drive data (may be related to ransomware) 2->45 8 Control.exe 3 2->8         started        process3 file4 33 C:\Users\user\AppData\Roaming\DataWlan\Dfrg, PE32+ 8->33 dropped 35 C:\Users\user\...\Dfrg:Zone.Identifier, ASCII 8->35 dropped 49 Detected unpacking (changes PE section rights) 8->49 51 Detected unpacking (creates a PE file in dynamic memory) 8->51 53 Tries to detect virtualization through RDTSC time measurements 8->53 12 Dfrg 33 8->12         started        16 cmd.exe 1 8->16         started        signatures5 process6 file7 37 C:\Users\user\...37VWZAPQSQL.png.phoenix, COM 12->37 dropped 39 C:\MSOCache\All Users\...\OSMMUI.xml.phoenix, DOS 12->39 dropped 55 Multi AV Scanner detection for dropped file 12->55 57 Detected unpacking (changes PE section rights) 12->57 59 Detected unpacking (creates a PE file in dynamic memory) 12->59 63 2 other signatures 12->63 18 cmd.exe 1 12->18         started        61 Uses cmd line tools excessively to alter registry or file data 16->61 21 conhost.exe 16->21         started        23 waitfor.exe 1 16->23         started        25 attrib.exe 1 16->25         started        signatures8 process9 signatures10 47 Uses cmd line tools excessively to alter registry or file data 18->47 27 conhost.exe 18->27         started        29 waitfor.exe 1 18->29         started        31 attrib.exe 1 18->31         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549/
Threat name:
Win64.Ransomware.CryptoLock
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 23:21:10 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0dfcf4d5f66310de87c2e422d7804e66279fe3e3cd6a27723225aecf214e9b00
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
81d14d241a35f52dae782c57784168f5295776984eb55d9f88f9f0cf12e67f72
a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4
c5597c29f2c4b319d151a62e448202f3af45b2edd28d95513f44badd3292623c
Result
Malware family:
n/a
Score:
  9/10
Tags:
cryptone packer ransomware
Link:
https://tria.ge/reports/210327-ap7ddjvm8n/
Behaviour
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Deletes itself
Loads dropped DLL
Executes dropped EXE
Modifies extensions of user files
CryptOne packer
Unpacked files
SH256 hash:
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
MD5 hash:
d86f451bbff804e59a549f9fb33d6e3f
SHA1 hash:
3cb0cb07cc2542f1d98060adccda726ea865db98
Link:
https://www.unpac.me/results/dd91f6dc-8fd2-4367-a2ad-589630e9cb95/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127249/

Comments