MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Zeppelin


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50
SHA3-384 hash: 5ba729ffff6d439b842d2701b2cee1e41f914173d6f8e9975a44ef0a48505b3f87ef896c72a73a5c1c21d0e74d4ad9b1
SHA1 hash: 8d7effb5a456289d13f725486a30bed727a01be0
MD5 hash: 61506482ddd28756e443b3de05a3b1cf
humanhash: four-thirteen-queen-saturn
File name:Aksip.bin
Download: download sample
Signature Zeppelin
Create hunting rule
File size:352'256 bytes
First seen:2020-07-28 07:47:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bcd242babe76d65887a5afa410efd13c (1 x Zeppelin)
ssdeep 6144:lulpMmWxFAppqxH1Hj1uJGEYpxQoCM4TU79zJlDpIafgul3:klp8Huqv8YTQoC9U7HlDpZY
Threatray 42 similar samples on MalwareBazaar
TLSH F174CF10B690C035E4F611F84A7A93ACB93E7EE09B6458CF62D52AEE16346E5FC31317
Reporter JAMESWT_WT
Tags:Zeppelin

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33351/
Detection(s):
SecuriteInfo.com.Trojan.Heur2.LPTvuW@by3DVfoab.19466.23157.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Changing a file
Creating a file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Modifying an executable file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Creating a file in the mass storage device
Deleting volume shadow copies
Unauthorized injection to a system process
Deleting of the original file
Encrypting user's files
Result
Threat name:
Zeppelin
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/399637
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Sleep loop found (likely to delay execution)
Writes to foreign memory regions
Yara detected Ransomware_Generic
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252092 Sample: Aksip.bin Startdate: 28/07/2020 Architecture: WINDOWS Score: 100 46 cdn.onenote.net 2->46 48 geoiptool.com 2->48 50 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->50 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 6 other signatures 2->82 8 Aksip.exe 2 19 2->8         started        13 lsass.exe 2->13         started        signatures3 process4 dnsIp5 52 www.geodatatool.com 158.69.65.151, 443, 49723, 49724 OVHFR Canada 8->52 54 192.168.2.1 unknown unknown 8->54 56 geoiptool.com 8->56 42 C:\Users\user\AppData\Roaming\...\lsass.exe, PE32 8->42 dropped 44 C:\Users\user\...\lsass.exe:Zone.Identifier, ASCII 8->44 dropped 84 Detected unpacking (changes PE section rights) 8->84 86 Detected unpacking (overwrites its own PE header) 8->86 88 Contains functionality to inject threads in other processes 8->88 90 4 other signatures 8->90 15 lsass.exe 8->15         started        19 notepad.exe 8->19         started        21 WerFault.exe 9 8->21         started        26 8 other processes 8->26 58 geoiptool.com 13->58 24 WerFault.exe 13->24         started        file6 signatures7 process8 dnsIp9 60 iplogger.org 88.99.66.31, 443, 49743, 49744 HETZNER-ASDE Germany 15->60 62 www.geodatatool.com 15->62 64 geoiptool.com 15->64 66 Multi AV Scanner detection for dropped file 15->66 68 Detected unpacking (changes PE section rights) 15->68 70 Detected unpacking (overwrites its own PE header) 15->70 74 2 other signatures 15->74 28 WerFault.exe 15->28         started        30 WerFault.exe 15->30         started        72 Deletes itself after installation 19->72 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->38 dropped 40 5 other malicious files 26->40 dropped file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-02-20 15:54:26 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1561967cff081a9b139de45a82e6a61e2f5b01834d4666f2fc88cf0c52220268
Zeppelin
1c6c9635f0c01cc93b504293351215058cf9ef8b62ca38ce71012a4875fbe0a4
Zeppelin
1cdadad999b9e70c87560fcd9821c2b0fa4c0a92b8f79bded44935dd4fdc76a5
Zeppelin
32640c3a14f6feca788c15675729b6233f2469be4ef0a238b0be76557492e3e3
Zeppelin
4b7a2dff949a14956a679adb981bbec0aec0e198c04a454f54c5e9dcf5854b54
Zeppelin
82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55
Zeppelin
8453b8c2d323f6a67f213a69dab577abec447468f002f90ca30afd2d81f92e0c
Zeppelin
8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6
Zeppelin
998d7e8ad93c6fd33a3e0e3db9352132fc1d0d2aa249c3479ac152c25a29f7c5
Zeppelin
f40b9e6f7cfed63bba3b6eae6b0403ab26906caa77830027ed39a05918c4b877
Zeppelin
+ 32 additional samples on MalwareBazaar
Result
Malware family:
buran
Create hunting rule
Score:
  10/10
Tags:
ransomware family:buran persistence
Link:
https://tria.ge/reports/200728-nzvd3g7j66/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Drops file in Program Files directory
Modifies service
Enumerates connected drives
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Loads dropped DLL
Deletes itself
Executes dropped EXE
Deletes shadow copies
Buran
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Swisyn
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_zeppelin_ransomware_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Zeppelin

Executable exe 15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/316684/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/33351/

Comments