MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf
SHA3-384 hash: 4b864b50ac7f6fe0bc157e819853d829343428eb3f5ae50b369d34d62a4540ac6663d86dbaa68802a066274b413cec8b
SHA1 hash: 08fc239398f61d94c945babf7edad9941f36a014
MD5 hash: 731d5ed57434e05c9466107052af5a6a
humanhash: jupiter-pluto-california-nitrogen
File name:055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf
Download: download sample
File size:70'481 bytes
First seen:2020-11-24 12:47:20 UTC
Last seen:2020-11-25 06:40:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 020427ce4c5955a4646766872c973541
ssdeep 768:8FMAE0wY4lhK4hZmfYQd/iYx4Jcykm2yutlxEEDMCn2Limna8je55voslL2hjvCu:M9EREJF4lStXvB8Q5RlLCj6wpT
Threatray 15 similar samples on MalwareBazaar
TLSH 93639E16F5898433ED635A341AF4C1BA9ABA7A005B74809637984D7D5FF1BC08E3873B
Reporter JAMESWT_WT
Tags:Insta Software Solution Inc. KILLAV signed

Code Signing Certificate

Organisation:AAA Certificate Services
Issuer:AAA Certificate Services
Algorithm:sha1WithRSAEncryption
Valid from:Jan 1 00:00:00 2004 GMT
Valid to:Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 383 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/545991
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322092 Sample: qdgRR8FLkS Startdate: 24/11/2020 Architecture: WINDOWS Score: 80 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Machine Learning detection for sample 2->46 8 qdgRR8FLkS.exe 1 2->8         started        process3 signatures4 48 Detected unpacking (changes PE section rights) 8->48 50 Detected unpacking (overwrites its own PE header) 8->50 11 cmd.exe 1 8->11         started        14 cmd.exe 1 8->14         started        16 cmd.exe 1 8->16         started        18 8 other processes 8->18 process5 signatures6 52 Uses cmd line tools excessively to alter registry or file data 11->52 20 conhost.exe 11->20         started        22 reg.exe 1 11->22         started        24 conhost.exe 14->24         started        26 reg.exe 1 14->26         started        34 2 other processes 16->34 28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 18->32         started        36 5 other processes 18->36 process7 process8 38 conhost.exe 28->38         started        40 reg.exe 1 1 28->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf/
Threat name:
Win32.Ransomware.Clop
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 01:45:00 UTC
File Type:
PE (Exe)
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
20f74016f44481b525fa57d676d52355f86b4f175350eebeb6e9a9215b36b45b
389e03b1a1fd1c527d48df74d3c26a0483a5b105f36841193172f1ee80e62c1b
3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b
6361151666574cd30d1feb4ed90e3253060d77ca062f9eb31d82179d15eded95
67fd7b558dbe2ca38784a714fcc63fe3a291228dccb0ea7c6b684f1910c66533
68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3
6a15e26804644d8c13c19260e449186899050e513b6be6ae5ef65ed799906dca
94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c
b6317c86864cc8dc3ff1364a536919dd3cf8fa6f16ee21df6fb81fa5220a3399
ccf93828e1b44a75820989d72a2c019ae3b0a98944bf9eb1884e77f16050c53f
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201124-r7384ettfe/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf
MD5 hash:
731d5ed57434e05c9466107052af5a6a
SHA1 hash:
08fc239398f61d94c945babf7edad9941f36a014
Link:
https://www.unpac.me/results/4e81bc5e-1a9b-431f-aca6-246a0d76e2db/
SH256 hash:
721deeff99567c0baa0cf3acbc9ef5c0d66a2eff5993a7f73b81fcbfa5238b3e
MD5 hash:
9d458b6835ea58e12d7e17b61fe6609b
SHA1 hash:
5bf2734a723cfcd9a1d08e241af6528d8bc1fdf6
Link:
https://www.unpac.me/results/4e81bc5e-1a9b-431f-aca6-246a0d76e2db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Hupigeon
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/055a0aaaf36b6960310ef4d266763b83815df1e29356657183fc920ad55a3acf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments