MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f
SHA3-384 hash: da4f8ad02ee88d4884f893ca3243225c00266bcd107826484dfc5382b5293cddfebe048d5646d60b24ffd575c5e63985
SHA1 hash: 83bff855966cf72a2dd85acae7187caeab556abf
MD5 hash: 0210d88f1a9c5a5a7eff5c44cf4f7fbc
humanhash: undress-connecticut-table-potato
File name:HITLER_RANSOMWARE.bin
Download: download sample
File size:286'720 bytes
First seen:2022-03-20 05:19:54 UTC
Last seen:2022-03-20 05:21:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2814ee4bf500fa4a49b9308f453071bd
ssdeep 3072:il+Lkqpd5vh6+RDuUZbEl+Lkqpd5vlpcslRnXfFdRIVLdkVz1ZIGWSt8t81U3Uxu:Ppd5vhrDuUZxpd5vbXfNSLdkryGdY
Threatray 1'419 similar samples on MalwareBazaar
TLSH T19A54C083F6C155E2E7410270046B36B2E7369E3A4B289FDFE748350BDEB15E189706E9
dhash icon f86eeae6b696c6cc (6 x AgentTesla, 3 x LummaStealer, 3 x Floxif)
Reporter petikvx
Tags:exe hitlercrypt

Intelligence

File Origin
# of uploads :
5
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HITLER_RANSOMWARE.bin.zip
Verdict:
Malicious activity
Analysis date:
2020-11-28 14:20:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e81af359-dd65-4397-aec3-23536dacb857

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253048/
Detection(s):
Win.Malware.Hyptkript-9867913-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Moving a file to the %temp% subdirectory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9883/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe packed shell32.dll
Link:
https://www.filescan.io/uploads/6236b9830cd58dbd92c4123b/reports/4a1a1e5d-19e8-463f-9af2-783bf1d47bca/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Hitler Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64aa072c-321a-4d7c-bf12-7b7879df3894
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/960236
Signature
Antivirus / Scanner detection for submitted sample
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592716 Sample: HITLER_RANSOMWARE.bin Startdate: 20/03/2022 Architecture: WINDOWS Score: 88 68 Antivirus / Scanner detection for submitted sample 2->68 70 Multi AV Scanner detection for dropped file 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 5 other signatures 2->74 9 HITLER_RANSOMWARE.exe 8 2->9         started        process3 file4 40 C:\Users\user\AppData\Local\...\firefox32.exe, PE32 9->40 dropped 42 C:\Users\user\AppData\Local\...\chrst.exe, PE32 9->42 dropped 44 C:\Users\user\AppData\...xtraTools.bat, ISO-8859 9->44 dropped 46 C:\Users\user\AppData\Local\...rOne.vbs, ASCII 9->46 dropped 12 cmd.exe 3 3 9->12         started        process5 file6 48 C:\Users\user\AppData\Local\...\chrst (copy), PE32 12->48 dropped 50 C:\ProgramData\Microsoft\...\firefox32.exe, PE32 12->50 dropped 52 C:\Users\user\AppData\...\firefox32 (copy), PE32 12->52 dropped 76 Drops PE files to the startup folder 12->76 16 chrst.exe 12 12->16         started        19 wscript.exe 12->19         started        21 conhost.exe 12->21         started        signatures7 process8 signatures9 66 Multi AV Scanner detection for dropped file 16->66 23 chrome.exe 14 255 16->23         started        27 chrome.exe 7 16->27         started        process10 dnsIp11 54 192.168.2.1 unknown unknown 23->54 56 192.168.2.4 unknown unknown 23->56 58 2 other IPs or domains 23->58 34 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 23->34 dropped 36 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 23->36 dropped 38 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 23->38 dropped 29 chrome.exe 27 23->29         started        32 chrome.exe 27->32         started        file12 process13 dnsIp14 60 part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49778, 49779 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->60 62 accounts.google.com 142.250.203.109, 443, 49767 GOOGLEUS United States 29->62 64 8 other IPs or domains 29->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f/
Threat name:
Win32.Ransomware.Hyptkript
Create hunting rule
Status:
Malicious
First seen:
2016-08-06 15:49:41 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
37 of 42 (88.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2534eecca5ed157444298473d7c9c82d9def5b0a93ac581b75dede2f1a0c0a56
2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279
371aab310f82dd4f64f09981c1d3d8974f18227c98679af43bd0559ec6752dde
37c3db846b611722768b95c17585624f476def65d0332b3cfb93709c1273a685
5ef0b6ab46bb6853ddf281a6b12ca1b6c9d77a6b25a8db00e5f0771e793357a5
730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
82732e47492148243ee3fb338c93d43b9a9984f39e3409327600cffc5766af1b
e04732a7a7207be7219222c607009220d68c047fc3eeed1d5925f790b1c7cd63
fb6bf8580ff8831da630b82fab6bcdd0de64f28368e522a83366a2c078bd232e
+ 1'409 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220320-f1fsmsheb8/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526
MD5 hash:
c657daf595b5d535ccc757ad837eebe8
SHA1 hash:
894e953e86e54a830a14fac94e57569d184a9c09
Link:
https://www.unpac.me/results/b0f3cffa-8821-4f41-a958-756058fd7400/
SH256 hash:
06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f
MD5 hash:
0210d88f1a9c5a5a7eff5c44cf4f7fbc
SHA1 hash:
83bff855966cf72a2dd85acae7187caeab556abf
Link:
https://www.unpac.me/results/b0f3cffa-8821-4f41-a958-756058fd7400/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/06c8e0f6fa26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/253048/

Comments