MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Troldesh


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
SHA3-384 hash: d66a93fe91ee526e663ef0d010813e5bdc2688ec0b8b7d0df4595c40da8d8833f51f87523c2fb4e0110ee5a43306db72
SHA1 hash: 70ebd893b56767ac910a8f045fd60eb089de1bcc
MD5 hash: 64213e0f66738792dafd21a9d45f9d5b
humanhash: sodium-cat-eight-double
File name:0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
Download: download sample
Signature Troldesh
Create hunting rule
File size:1'405'709 bytes
First seen:2021-09-22 13:18:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f5bc360b889d00502e2590e4514e224 (2 x Troldesh)
ssdeep 24576:zMJm6zq5rr3fhK8LOT3elmV3skfSt9QXGASh3huhS:6zq5rr3JxLnS3sRrAC3w0
Threatray 46 similar samples on MalwareBazaar
TLSH T1145523350040B107E5FFFF39209C7ABDA8156640237D4E8FDB784C465B72A60B5B96EA
Reporter JAMESWT_WT
Tags:exe Troldesh

Intelligence

File Origin
# of uploads :
1
# of downloads :
805
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
Verdict:
Malicious activity
Analysis date:
2021-09-22 13:24:30 UTC
Tags:
ransomware troldesh shade
Link:
https://app.any.run/tasks/aa031773-9bb1-4c60-a1e6-738da5883384

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190210/
Detection(s):
Win.Malware.Generickdz-9825606-0
Create hunting rule

Win.Ransomware.Generickdz-9848011-0
Create hunting rule

Win.Malware.Generickdz-9848013-0
Create hunting rule

Win.Packed.Generickdz-9848014-0
Create hunting rule

Win.Ransomware.Generickdz-9852293-0
Create hunting rule

Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4eb4fcde-84dd-4ada-95a9-2ea26af82c14
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855926
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionalty to change the wallpaper
Detected CryptOne packer
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Stores a public key to the registry (likely related to ransomware)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488358 Sample: IIfekfeu6C Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Machine Learning detection for sample 2->67 69 3 other signatures 2->69 7 IIfekfeu6C.exe 10 25 2->7         started        12 csrss.exe 2->12         started        14 csrss.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 57 96.238.153.207 UUNETUS United States 7->57 59 85.214.128.156 STRATOSTRATOAGDE Germany 7->59 61 24 other IPs or domains 7->61 47 C:\Users\user\AppData\Local\...\edb.log, COM 7->47 dropped 49 C:\ProgramData\Windows\csrss.exe, PE32 7->49 dropped 51 pZbs8OOLa1FUvDL93Q...rypted000007 (copy), data 7->51 dropped 53 282 other files (276 malicious) 7->53 dropped 71 Detected CryptOne packer 7->71 73 Stores a public key to the registry (likely related to ransomware) 7->73 75 May disable shadow drive data (uses vssadmin) 7->75 85 3 other signatures 7->85 18 cmd.exe 7->18         started        20 cmd.exe 7->20         started        22 cmd.exe 7->22         started        27 6 other processes 7->27 77 Antivirus detection for dropped file 12->77 79 Multi AV Scanner detection for dropped file 12->79 81 Contains functionalty to change the wallpaper 12->81 83 Machine Learning detection for dropped file 12->83 24 WerFault.exe 16->24         started        file5 signatures6 process7 file8 29 conhost.exe 18->29         started        31 chcp.com 18->31         started        33 conhost.exe 20->33         started        35 chcp.com 20->35         started        37 conhost.exe 22->37         started        39 chcp.com 22->39         started        55 C:\ProgramData\Microsoft\...\WER5219.tmp.dmp, Mini 24->55 dropped 41 conhost.exe 27->41         started        43 conhost.exe 27->43         started        45 9 other processes 27->45 process9
Detection:
troldesh
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e/
Threat name:
Win32.Ransomware.CerberCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 21:05:19 UTC
AV detection:
38 of 45 (84.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7jn6lshpyzouz5oou6uah4loyfj2rhi7amy63smoh65cnv52f7a._file
Verdict:
malicious
Similar samples:
62214ccdcb1052b518e6059060daec143430c1ae13a799873ebabea7f3eae217
Troldesh
6d6089fee5f86170c5b3485a626cc6073631d09004f298da7b690b12a9482086
Troldesh
c8aa0a26ce1bab524dd88d314d197a2af59b5b67db0fff3d82690b74e7d95c4e
Troldesh
cd2bc2ceb0e1b7d7c31f7a2aec7e838d3a90767ed3d02e1720170875e4a23cb6
Troldesh
e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d
Troldesh
e920835548ad7b62943d9e1f9fac3cb32112b9cf8c02acbeb8d60c17e08c0818
Troldesh
ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c
Troldesh
f03f892b1615d0151f7b2784ad3f0f6c77eea3bceb7cd1117b2ac5f011f343cf
Troldesh
+ 36 additional samples on MalwareBazaar
Result
Malware family:
troldesh
Create hunting rule
Score:
  10/10
Tags:
family:troldesh discovery persistence ransomware spyware stealer trojan upx
Link:
https://tria.ge/reports/210922-qkjvgacgc6/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Reads user/profile data of web browsers
Modifies extensions of user files
UPX packed file
Deletes shadow copies
Troldesh, Shade, Encoder.858
Unpacked files
SH256 hash:
085c2bfa1590e88e8a829a6c52f8e3542c92c5df044cbefd4146d3c855ce1379
MD5 hash:
a1a4f6f8bab73ec777aa74a0a73141bb
SHA1 hash:
125c9225adbec4d49dd3b669cf5593ee1e497fb5
Detections:
win_troldesh_auto
Create hunting rule
Link:
https://www.unpac.me/results/62792609-12fb-4cd2-af6c-c4b6381437cc/
Parent samples :
f03f892b1615d0151f7b2784ad3f0f6c77eea3bceb7cd1117b2ac5f011f343cf
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
SH256 hash:
0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e
MD5 hash:
64213e0f66738792dafd21a9d45f9d5b
SHA1 hash:
70ebd893b56767ac910a8f045fd60eb089de1bcc
Link:
https://www.unpac.me/results/62792609-12fb-4cd2-af6c-c4b6381437cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fd2df2e477e32ea67ae753d401f8b760a9d44e8f8198f6e4c71fdd136bdd17e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:win_troldesh_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.troldesh.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190210/

Comments