MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 1602d04000a8c7221ed0d97d79f3157303e209d4640d31b8566dd52c2b09d033
SHA3-384 hash: 6b54a976b241ee19a72575c5f75413569ffc1369f20dabb9243ba6bb2c1793f23ede91827dcb50e867adbf911cc4adfb
SHA1 hash: 72b19c503a642770945355ea0dce96bf9d735f81
MD5 hash: 3dabfb99101821ae0e89389a9c9d28a5
humanhash: sixteen-massachusetts-tennis-alaska
File name: birch_ragnarlocker
Signature: RagnarLocker
File size: 50'176 bytes
First seen: 2020-08-01 02:09:59 UTC
Last seen: 2020-08-03 10:00:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 71e01f1d08b7d8040f5b63c936a29087
ssdeep: 768:fsOxTaML2oq65coDBjd/3oqab0k3RO8pF0jAwBOmav/A:fTMML2o4CFoqaXDyASOmu/
TLSH: 78335C655E87E065F99308B43226BCD6B17E5EB487449BE3BE001D81247C9F2AE78733
Reporter: @JAMESWT_MHT
Tags: RagnarLocker

Intelligence


File Origin
# of uploads: 3
# of downloads: 90
Origin country: IT
Mail intelligence: No data
Vendor Threat Intelligence
Result
Threat name: RagnarLocker
Detection: malicious
Classification: rans.evad
Score: 88 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Sigma detected: Delete shadow copy via WMIC
Writes many files with high entropy
Yara detected RagnarLocker ransomware
Behaviour
Behavior Graph [graph image; ID 255506, sample birch_ragnarlocker, start date 01/08/2020, architecture WINDOWS, score 88]
Process tree recovered from the graph: birch_ragnarlocker.exe and notepad.exe are started; birch_ragnarlocker.exe starts WMIC.exe and vssadmin.exe, each of which spawns conhost.exe.
Files dropped by birch_ragnarlocker.exe: C:\Users\user\Desktop\...\BXAJUJAOEO.pdf, C:\Users\user\Desktop\QFAPOWPAFG.docx, C:\Users\user\Desktop\BXAJUJAOEO.pdf and 133 other malicious files.
Signatures attached in the graph: Yara detected RagnarLocker ransomware; Sigma detected: Delete shadow copy via WMIC; May disable shadow drive data (uses vssadmin); Contains functionality to infect the boot sector; Deletes shadow drive data (may be related to ransomware); 3 other signatures on each of the root and process nodes.
Threat name: Win32.Ransomware.Ragnar
Status: Malicious
First seen: 2020-05-16 19:30:42 UTC
AV detection: 27 of 31 (87.10%)
Threat level: 5/5
Result
Malware family: ragnarlocker
Score: 10/10
Tags: ransomware persistence family:ragnarlocker bootkit
Behaviour
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Drops file in Program Files directory
Modifies service
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Drops startup file
Modifies extensions of user files
Deletes shadow copies
RagnarLocker
Threat name: Filecoder
Score: 1.00

Yara Signatures


Rule name: ragnarlocker_ransomware
Author: Christiaan Beek | Marc Rivero | McAfee ATR Team
Description: Rule to detect RagnarLocker samples
Reference: https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/

Rule name: win_ragnarlocker_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments