MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 155f3c2b2fe4fe43a1795c220ceb309b5e68f22ccd3a2cc7f2e6e2df5644717b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Expiro


Vendor detections: 3



SHA256 hash: 155f3c2b2fe4fe43a1795c220ceb309b5e68f22ccd3a2cc7f2e6e2df5644717b
SHA3-384 hash: 6636025636198b14bd27cba4733be887a20a833844f0b470ea06e7fe1276030e8a89c9947e83619d69342d3baba911c9
SHA1 hash: 08780988a48b35d40683324e55ec1727d42b23e3
MD5 hash: be84ddd964ad16a6e8f8d4cbf8afdc35
humanhash: comet-vegan-white-delaware
File name: Encrypt.exe
Signature: Expiro
File size: 2'854'400 bytes
First seen: 2020-06-18 11:17:06 UTC
Last seen: 2020-06-18 11:38:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1c2a6fbef41572f4c9ce8acb5a63cde7 (2 x Expiro, 1 x Nefilim, 1 x StealthWorker)
ssdeep: 49152:9OEVSUa2DnuU4cUlHriMMZEV3Aei9xPFobNYsA6FoWkQPlNyCMM:9OuSauU4cUl2M2EV3AvFaN3A6WWk04BM
Threatray: 55 similar samples on MalwareBazaar
TLSH: 69D56D02FCEA15EBCAFDF13085729761B671706843723BC35F94457A1A5AAE4AF2E310
Reporter: JAMESWT_WT
Tags: Expiro Ransomware sorena

Intelligence


File Origin
# of uploads: 2
# of downloads: 2'118
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win64.Ransomware.Sorena
Status: Malicious
First seen: 2020-06-12 07:56:27 UTC
File Type: PE+ (Exe)
AV detection: 27 of 48 (56.25%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: ransomware spyware
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Views/modifies file attributes
Runs net.exe
Drops file in Program Files directory
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Expiro

Executable exe 155f3c2b2fe4fe43a1795c220ceb309b5e68f22ccd3a2cc7f2e6e2df5644717b (this sample)
