MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06b48b839fd1bb191a782960a68fd36e15aa7e77ecbc525d279bfeee81870bdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Troldesh


Vendor detections: 14



SHA256 hash: 06b48b839fd1bb191a782960a68fd36e15aa7e77ecbc525d279bfeee81870bdd
SHA3-384 hash: 0517dceb7f97e579edf7ab912184f1e83b84dcc7d37637996bd0a361eb0de47154cb054b532401d5ae0dbe7bb63d0dc5
SHA1 hash: 2d7fc6af5cb981919d33df9d060058547e22d938
MD5 hash: 1679317535ee2de0a84de7f8c8040c83
humanhash: green-salami-utah-london
File name: LisectAVT_2403002A_8.exe
Signature: Troldesh
File size: 1'427'976 bytes
First seen: 2024-07-25 00:48:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f4aae2cc8a2971ab9714645e85b7edb6 (3 x Troldesh)
ssdeep: 12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK
TLSH: T11665E05473F49606E1B7AA399A7689B8083EBC01FD70D96F31C0FD0F7831BA1986535A
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 31e8f0d8d4e87800 (3 x Troldesh)
Reporter: Anonymous
Tags: exe Troldesh


Anonymous
This malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 273
Origin country: CN
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: apt crypto embarcadero_delphi fingerprint installer keylogger lolbin microsoft_visual_cc overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Ransomware.Troldesh
Status: Malicious
First seen: 2024-07-25 00:49:07 UTC
File Type: PE (Exe)
Extracted files: 70
AV detection: 24 of 24 (100.00%)
Threat level: 5/5
Result
Malware family: troldesh
Score: 10/10
Tags: family:troldesh discovery persistence ransomware trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
UPX packed file
Troldesh, Shade, Encoder.858
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 73c38bdd7a586248bd8d9712d30c16f995f8a171de4694fdc9f7f4790fced708
MD5 hash: 622d17261bbdf542506ceee39bbe0e80
SHA1 hash: d0114ecc0f2add429a1fc5a5fa0db7a8a04310be
Detections: win_troldesh_auto
SHA256 hash: 06b48b839fd1bb191a782960a68fd36e15aa7e77ecbc525d279bfeee81870bdd
MD5 hash: 1679317535ee2de0a84de7f8c8040c83
SHA1 hash: 2d7fc6af5cb981919d33df9d060058547e22d938
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: APT_DustSquad_PE_Nov19_1
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name: APT_DustSquad_PE_Nov19_2
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name: Check_OutputDebugStringA_iat

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
Troldesh
Executable exe 06b48b839fd1bb191a782960a68fd36e15aa7e77ecbc525d279bfeee81870bdd (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | USER32.dll::GetUserObjectSecurity
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CoFreeUnusedLibraries, ole32.dll::CoInitializeSecurity
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::ShellExecuteEx, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHFileOperationA, SHELL32.dll::SHGetDiskFreeSpaceExW, SHELL32.dll::SHGetFileInfoW, SHELL32.dll::SHGetFileInfo
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::FindFirstVolumeW, KERNEL32.dll::FindFirstVolumeMountPointW, KERNEL32.dll::FindNextVolumeW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::ReadConsoleInputW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::GetConsoleAliasExesLengthA
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileA, SHELL32.dll::SHCreateDirectoryExA, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileW, KERNEL32.dll::DeleteFileA
WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::QueryDosDeviceW
WIN_CRYPT_API | Uses Windows Crypt API | ADVAPI32.dll::CryptAcquireContextW, ADVAPI32.dll::CryptGenRandom
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegOpenKeyA, ADVAPI32.dll::RegOpenKeyW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::CloseDesktop, USER32.dll::CreateMenu, USER32.dll::EmptyClipboard, USER32.dll::FindWindowW, USER32.dll::OpenClipboard, USER32.dll::GetOpenClipboardWindow
