MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74
SHA3-384 hash: 50ff54e78e724fc6b46e79824bba30a3fa98729fe34f24c34ac05ff1610c47250406284283d72988abc74685279210e5
SHA1 hash: 7f321078ac516a70b57f230bc3707cd6fef6ec04
MD5 hash: f6527b71c1c9644fd0a8649c5387c529
humanhash: artist-may-alabama-magnesium
File name:f6527b71_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:2'245'120 bytes
First seen:2021-05-05 08:02:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b03fc98833cfa46fb1839ddeb916a11e (1 x VirLock)
ssdeep 24576:A3MfY2n8s/7fmnnILaxuIPa5l0XuWnJolVZ03WmCpomeb+eWhAHdhxfis+3GDtJt:A8g2nn/7Taxupl0Xx1iPG/Tqy
Threatray 28 similar samples on MalwareBazaar
TLSH 99A569E4696DFFECB003D2295B2B87BD497E17190ADD40E75EC3E21E5C92A1A2738314
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149947/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6803820-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
DNS request
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Searching for the window
Running batch commands
Deleting a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-14 16:44:27 UTC
AV detection:
45 of 48 (93.75%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04790dd0de0013a93ab854a222a4ec7ff04a428953eef222c8ec54e18fcaf5cb
VirLock
0591dfda9a2c55d18848b91dde076c61c333dc6ae14b2166cd30891e949607c2
VirLock
3bd7dcf904cb67945b0393b17213877bcec87f8a0ddf2000033ad32a6ac06f8a
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
8926a917f30b552fa4aa51861c526754c8033c286526a2fb95ed7663fbd690ab
VirLock
90761262c9ec61d2a8e6de72eeeec48ba96b847332d509e3be357581be133598
VirLock
aa3f8ef2a80b074eabd6b3947b9b61612775890c1963c7d0cc01a60053971a24
VirLock
c3cab87bb11691778b8aa91cd39945710eeb947e34ed4b980f0df655ed557b32
VirLock
e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
VirLock
f3b8d88cf155e8649ab7a08800d17a63a18b92187f3af8db279e60da670059c8
VirLock
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-qp619jnh7a/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
c6878502ac0ff18e4bccd8bc778acdc78a1c127df596a55c37d2278b01862792
MD5 hash:
b5cad318320c5de174c3b6e1807eec25
SHA1 hash:
1fb6b3fa0a7595b0ca1fd21b0c066a9fd0f7e422
Link:
https://www.unpac.me/results/8301bb48-2326-4044-b2fa-10522714ace0/
SH256 hash:
3f7ebc5bfa388dcded18b4e3ffbdd74588a24589befcbb2e748ebf07e08be4c5
MD5 hash:
d4fd6444503897f9488beb6b964ffc15
SHA1 hash:
940089e128901798c3b11a7f5dde8920622460fd
Link:
https://www.unpac.me/results/8301bb48-2326-4044-b2fa-10522714ace0/
SH256 hash:
1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74
MD5 hash:
f6527b71c1c9644fd0a8649c5387c529
SHA1 hash:
7f321078ac516a70b57f230bc3707cd6fef6ec04
Link:
https://www.unpac.me/results/8301bb48-2326-4044-b2fa-10522714ace0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
VirLock
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149947/

Comments