MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 8



SHA256 hash: 0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf
SHA3-384 hash: 7061a39165f7c2ee44539da48ebf9547bfabba7b62e302a8d6b39802aa86713333fb4dec6c5d14f72f549ad365844904
SHA1 hash: 7e625dcf3842f97a6cc8971514da3fc0a71f8218
MD5 hash: 3bdfeff951f060b727bda303f2d8e9d0
humanhash: quebec-rugby-butter-uncle
File name: 0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf
Signature: IcedID
File size: 494'080 bytes
First seen: 2020-10-19 17:54:08 UTC
Last seen: 2023-03-10 19:02:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3a9d4d2c59e0c1d757e5c2619e698904 (1 x IcedID, 1 x Conti)
ssdeep: 6144:/RgShjoXXwlIynSXph/hlsPdB9RW39SAOESp1vmUWVvKuf1hL2AS:unwl1nMhQd5W39JvSnvCd1C
Threatray: 1'067 similar samples on MalwareBazaar
TLSH: D9B4CF1276D0C432C2763A3448EA97756BBABC705E35D78F6B903B7D5F306D2892831A
Reporter: JAMESWT_WT
Tags: IcedID

Intelligence


File Origin
# of uploads: 3
# of downloads: 142
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a service
Launching a process
Connection attempt
Creating a file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Changing a file
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Modifying an executable file
Creating a file in the %AppData% directory
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Stealing user critical data
Enabling autorun by creating a file
Encrypting user's files
Infecting executable files
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 64 / 100
Signature
Found potential dummy code loops (likely to delay analysis)
Found Tor onion address
Multi AV Scanner detection for submitted file
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
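The "Writes many files with high entropy" signature above is a Shannon-entropy heuristic: encrypted output is statistically close to uniform random bytes, so a process that writes several such files in a short time looks like a ransomware encryptor. The following is an added example of that check, not MalwareBazaar or sandbox-vendor code. The threshold of 7.5 bits/byte, the minimum file count of 3, the constructed sample files (with hypothetical names) and the seeded PRNG standing in for ciphertext are all assumptions made for illustration; a real sandbox applies the same measure to the files the monitored process actually wrote.

```python
"""Shannon-entropy heuristic behind a sandbox signature such as
"Writes many files with high entropy".

Added example: this is not MalwareBazaar or sandbox-vendor code. The
thresholds and the sample files are assumptions made for illustration.
"""
import math
import os
import random
from collections import Counter
from typing import Dict, List, Tuple

HIGH_ENTROPY_BITS = 7.5   # assumption: text and most code stay well below ~6.5 bits/byte
MIN_SUSPICIOUS_FILES = 3  # assumption: alert once this many high-entropy files appear


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_files(files: Dict[str, bytes],
                       threshold: float = HIGH_ENTROPY_BITS) -> List[Tuple[str, float]]:
    """Return (name, entropy) for every file at or above the threshold, sorted by name."""
    scored = ((name, shannon_entropy(blob)) for name, blob in files.items())
    return sorted((name, round(h, 3)) for name, h in scored if h >= threshold)


def looks_like_mass_encryption(files: Dict[str, bytes],
                               threshold: float = HIGH_ENTROPY_BITS,
                               min_files: int = MIN_SUSPICIOUS_FILES) -> bool:
    """The sandbox-style verdict: many written files with ciphertext-like content."""
    return len(high_entropy_files(files, threshold)) >= min_files


def scan_directory(root: str, limit: int = 1 << 20) -> List[Tuple[str, float]]:
    """Same heuristic over real files on disk, reading at most `limit` bytes of each."""
    contents: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    contents[path] = fh.read(limit)
            except OSError:
                continue  # unreadable, or removed while we were walking
    return high_entropy_files(contents)


# Constructed sample "written files" (hypothetical names): three ciphertext-like
# blobs from a seeded PRNG, one repeated text note and one zero-filled file.
_rng = random.Random(2020)
SAMPLE_FILES: Dict[str, bytes] = {
    "report.docx.locked": bytes(_rng.getrandbits(8) for _ in range(8192)),
    "photo.jpg.locked": bytes(_rng.getrandbits(8) for _ in range(8192)),
    "ledger.xlsx.locked": bytes(_rng.getrandbits(8) for _ in range(8192)),
    "readme.txt": b"Your files have been encrypted. Contact us via Tor.\n" * 40,
    "empty.bin": bytes(4096),
}

if __name__ == "__main__":
    for name, bits in high_entropy_files(SAMPLE_FILES):
        print(f"{bits:5.3f} bits/byte  {name}")
    print("mass-encryption heuristic:", looks_like_mass_encryption(SAMPLE_FILES))
```

Two caveats a practitioner should keep in mind: already-compressed formats (zip, jpeg, docx) also score above 7 bits/byte, which is why the signature counts files rather than firing on a single one, and why the 64/100 score in this report comes from combining it with the ransom-note and Tor-address signatures rather than from entropy alone.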
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2020-10-17 20:50:29 UTC
File Type: PE (Exe)
Extracted files: 43
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: ransomware persistence spyware family:conti
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Control Panel
Drops file in Program Files directory
Drops file in Windows directory
Modifies service
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Modifies extensions of user files
Conti Ransomware
Unpacked files
SHA256 hash: d0b06e33aa5caa58d6c3babedef4f3b729dab16ea7ba9e0f7ded08c75dee40af
MD5 hash: 3e2227c2883dfbc14dad9cd25a58e16a
SHA1 hash: 69eb320b7af487998cad57f3665ca8b5bb312cb2

SHA256 hash: 633b9d373da7d2916f4d3b2902d4817c0f3ad5de5466ac85f34bdd37a8d3dd37
MD5 hash: 4fa0d124f79560778913f5b0ffdf2a4c
SHA1 hash: f58945901e78e219a7b4fe4328a45a15cc35a407

SHA256 hash: 0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf (the submitted sample itself)
MD5 hash: 3bdfeff951f060b727bda303f2d8e9d0
SHA1 hash: 7e625dcf3842f97a6cc8971514da3fc0a71f8218
Please note that we are no longer able to provide a coverage score for Virus Total.
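The digests above (the submitted sample plus the two unpacked files) are the exact-match IOCs this entry provides. The following is an added example, not MalwareBazaar's own tooling, that computes the same four digests the entry shows and checks them against those IOC sets. The digest values are copied from the entry; the demo input `b"abc"` is a constructed byte string that matches nothing. imphash, ssdeep and TLSH are fuzzy or structural hashes that need `pefile`, `ssdeep` and `tlsh` respectively and are deliberately left out.

```python
"""Compare a file's digests against the IOCs listed in this MalwareBazaar entry.

Added example, not MalwareBazaar's own tooling. The digest sets are copied
from the entry (submitted sample plus the two unpacked files); the demo
input is a constructed byte string that matches nothing.
"""
import hashlib
from typing import Dict, Set

# SHA256 is the identifier MalwareBazaar keys on. MD5 and SHA1 are kept only to
# cross-reference older vendor reports, since both are collision-prone.
IOC_SHA256: Set[str] = {
    "0a7e7f12d79130da067fd39ede7ff4dc3dc6665d88f5278745074d77132312bf",  # submitted sample
    "d0b06e33aa5caa58d6c3babedef4f3b729dab16ea7ba9e0f7ded08c75dee40af",  # unpacked file
    "633b9d373da7d2916f4d3b2902d4817c0f3ad5de5466ac85f34bdd37a8d3dd37",  # unpacked file
}
IOC_SHA1: Set[str] = {
    "7e625dcf3842f97a6cc8971514da3fc0a71f8218",
    "69eb320b7af487998cad57f3665ca8b5bb312cb2",
    "f58945901e78e219a7b4fe4328a45a15cc35a407",
}
IOC_MD5: Set[str] = {
    "3bdfeff951f060b727bda303f2d8e9d0",
    "3e2227c2883dfbc14dad9cd25a58e16a",
    "4fa0d124f79560778913f5b0ffdf2a4c",
}
IOC_SETS: Dict[str, Set[str]] = {"sha256": IOC_SHA256, "sha1": IOC_SHA1, "md5": IOC_MD5}
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")  # the four digests the entry shows


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory blob, keyed by hashlib algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as digests() but streamed, so a large sample is never read in one piece."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(d: Dict[str, str]) -> Dict[str, str]:
    """Return {algorithm: digest} for every digest found in the entry's IOC sets."""
    return {alg: d[alg] for alg, known in IOC_SETS.items() if d.get(alg) in known}


def is_known_sample(data: bytes) -> bool:
    """True only on a SHA256 hit; an MD5/SHA1-only hit is a lead to verify, not proof."""
    return "sha256" in match_iocs(digests(data))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digests_of_file(path)
        hits = match_iocs(d)
        print(path, "SHA256", d["sha256"], "->", hits if hits else "no IOC match")
```

Run it as `python check_iocs.py <file>...` (hypothetical script name) over suspect files; a SHA256 hit identifies the submitted sample or one of its unpacked payloads, while a hit on MD5 or SHA1 alone should be confirmed by re-hashing with SHA256 before acting on it.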

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups
Rule name: win_sisfader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments