MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 109230b81c5025e202292bdad8bb868569245c98bae720cef3e19c23e926d175. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 109230b81c5025e202292bdad8bb868569245c98bae720cef3e19c23e926d175
SHA3-384 hash: 787fd23bf01526fbcf5c495ede9c9d362599a5213e23d6156076cfc8358be5f104b4bf641507067f547e65ccfcd8ac9f
SHA1 hash: fe77b6a7b69326af21b57c3d30d78e3f43e3e954
MD5 hash: 005e7afa609b4091b2ab72c8d918ed38
humanhash: maine-robert-edward-single
File name: Skid
File size: 2'174'976 bytes
First seen: 2020-07-23 04:57:48 UTC
Last seen: 2020-07-23 05:44:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b4da9e889395992d5f4eb4569d03d810
ssdeep: 24576:9EU2i3bdb/JQi37kfwPgCIwwvgcCEM975W8ti2B0W1HZCZao:9Ek3TPgCDcCEM97NcWFZCP
Threatray: 1 similar samples on MalwareBazaar
TLSH: 0DA53901BB915029F9F706F78EFE206D552CBAE0076890CB91C816DE9629BF17D32763
Reporter: JAMESWT_WT
Tags: badjoke

Intelligence


File Origin
# of uploads: 2
# of downloads: 108
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Creating a window
Running batch commands
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Sending a custom TCP request
Launching a tool to kill processes
Forced shutdown of a system process
Deleting volume shadow copies
Rewriting of the hard drive's master boot record
Result
Threat name: Unknown
Detection: malicious
Classification: rans
Score: 60 / 100
Behaviour
Behavior Graph (ID 249889; sample: Skid; start date: 23/07/2020; architecture: WINDOWS; score: 60). The rendered graph image is not recoverable; the signatures and process tree it showed:
Sample-level signatures: Sigma detected: WannaCry Ransomware; Multi AV Scanner detection for submitted file; Sigma detected: Delete shadow copy via WMIC; 3 other signatures
Processes started: Skid.exe, wlrmdr.exe, OpenWith.exe
Skid.exe: dropped \Device\Harddisk0\DR0 (DOS/MBR); Writes directly to the primary disk partition (DR0); Deletes shadow drive data (may be related to ransomware); Uses bcdedit to modify the Windows boot settings; started cmd.exe (3 instances) and 19 other processes
cmd.exe: Deletes shadow drive data (may be related to ransomware); started WMIC.exe, vssadmin.exe, taskkill.exe (5 instances) and 5 other processes
Threat name: Win32.Trojan.DelShad
Status: Malicious
First seen: 2020-07-23 04:53:26 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 32 of 48 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: bootkit persistence discovery ransomware
Behaviour
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Checks whether UAC is enabled
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Kills process with taskkill
Interacts with shadow copies
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Writes to the Master Boot Record (MBR)
Writes to the Master Boot Record (MBR)
Modifies file permissions
Modifies file permissions
Deletes shadow copies
Deletes shadow copies
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments