MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
SHA3-384 hash: de771c17ab51c2cc410e5f2a95a1e0ab68f18e4c901562977267fd41b3e8bfa9176c03310270b7571a8adba30828b4e9
SHA1 hash: a21e07517c61d11c3bf85768e77981f591fe6f75
MD5 hash: 51fd05fa1ff6631a2eb929677e0156e1
humanhash: paris-table-white-five
File name:162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
Download: download sample
File size:1'342'464 bytes
First seen:2021-02-28 07:11:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fada6cba5bb68b74e893b0c75c1220be (2 x Voidcrypt)
ssdeep 24576:uB+mjykAz5oSMF8xjPkdhMlxg4IlcHklaL6QtBgRcypt6saUJDXbQcB8iD4:Ij9AtPUle6tjk0bQcBxD
Threatray 4 similar samples on MalwareBazaar
TLSH 3D55AE617A43C1B2D55100F049BDAB7B4A2CAF290B318AD7E3C86F3E59305D16E3779A
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
Verdict:
Malicious activity
Analysis date:
2021-02-28 07:16:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2cd2fd82-50fb-4ad1-9b19-5115fbf419a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119823/
Detection(s):
Win.Ransomware.Vipasana-9783618-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Sending a UDP request
Launching a process
Launching the process to change network settings
Launching a service
Launching the process to change the firewall settings
Creating a window
Sending a custom TCP request
DNS request
Searching for the window
Sending an HTTP GET request
Sending an HTTP POST request
Changing a file
Modifying an executable file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Deleting a recently created file
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Launching the process to interact with network services
Enabling autorun for a service
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621106
Signature
Creates files in the recycle bin to hide itself
Disables security and backup related services
Disables the windows firewall (over ALG)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Infects executable files (exe, dll, sys, html)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WannaCry Ransomware
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359546 Sample: 4qKipyi9T9 Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 63 r3.o.lencr.org 2->63 71 Sigma detected: WannaCry Ransomware 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 5 other signatures 2->77 10 4qKipyi9T9.exe 1 265 2->10         started        signatures3 process4 dnsIp5 65 94.130.46.250, 49727, 80 HETZNER-ASDE Germany 10->65 67 api.my-ip.io 157.245.5.40, 443, 49724 DIGITALOCEAN-ASNUS United States 10->67 69 127.0.0.1 unknown unknown 10->69 55 C:\Users\...\Built-In Building Blocks.dotx, COM 10->55 dropped 57 GostTitle.XSL.[Ope...13480965].Snoopdogg, DOS 10->57 dropped 59 C:\Users\user\AppData\...\Qt5Widgets.dll, DOS 10->59 dropped 61 107 other files (100 malicious) 10->61 dropped 79 Creates files in the recycle bin to hide itself 10->79 81 Drops PE files to the startup folder 10->81 83 Uses bcdedit to modify the Windows boot settings 10->83 85 5 other signatures 10->85 15 cmd.exe 1 10->15         started        17 cmd.exe 1 10->17         started        19 cmd.exe 1 10->19         started        21 9 other processes 10->21 file6 signatures7 process8 process9 23 net.exe 1 15->23         started        25 conhost.exe 15->25         started        27 net.exe 1 17->27         started        37 2 other processes 17->37 29 net.exe 1 19->29         started        31 conhost.exe 19->31         started        33 net.exe 1 21->33         started        35 netsh.exe 1 3 21->35         started        39 6 other processes 21->39 process10 41 net.exe 1 23->41         started        43 conhost.exe 23->43         started        45 net1.exe 1 23->45         started        47 net1.exe 1 27->47         started        49 net1.exe 1 29->49         started        51 net1.exe 1 33->51         started        process11 53 net1.exe 1 41->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4/
Threat name:
Win32.Ransomware.Amnesia
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 17:47:22 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2e75096b3364e2e9fef81fac5626e1fb15d9e5f76afe308cf7d4053040f65685
318c6717d3881cbc9b1f24325a85e79d5c5768a03387dfb2cf605638a4b45056
581122114ad28f404b2cc4f8df5d77b6ed447f8f26f862960bb0181776bfacd9
a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner spyware
Link:
https://tria.ge/reports/210228-2ffpyp5af6/
Behaviour
NTFS ADS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Modifies Windows Firewall
xmrig
Unpacked files
SH256 hash:
162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
MD5 hash:
51fd05fa1ff6631a2eb929677e0156e1
SHA1 hash:
a21e07517c61d11c3bf85768e77981f591fe6f75
Link:
https://www.unpac.me/results/3a225326-c21c-4c2b-9176-3734cb83899a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119823/

Comments