MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019
SHA3-384 hash: 8c777c567aa9a43a7f60c3272da4fe36affbc1e701d350807fd65bf5fc28ed905863c9d6d21c59cd768683e6cb4d8951
SHA1 hash: 8be3c66aecd425f1f123aadc95830de49d1851b5
MD5 hash: 343fcded2aaf874342c557d3d5e5870d
humanhash: florida-hawaii-four-equal
File name:stage4.bin
Download: download sample
File size:25'092 bytes
First seen:2022-01-21 07:10:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 54cfabe19c96b84b5812f45d4663034f
ssdeep 384:6ck4phERK+NUl/9j5SddlEt4OIqXFKJBeht2FrGxg:6ckuhERW2wndVKPe2FyS
Threatray 1'800 similar samples on MalwareBazaar
TLSH T103B22B0AB18A97B1E573F2BA8ACBD77B4792E613C51B6BBFF724765862024507C14F00
Reporter Libranalysis
Tags:exe whispergate wiper


Avatar
Libranalysis
A write-up of the sample can be found here: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221368/
Detection(s):
Win.Malware.WhisperGate-9936864-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Changing a file
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
DNS request
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/675991e6-0c99-40d1-9780-a4a74198ec56
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/925021
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019/
Threat name:
Win32.Network.WhisperGate
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 07:11:08 UTC
File Type:
PE (Exe)
AV detection:
24 of 28 (85.71%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
061d0bf70bd333159f63aa7bf4f05d51c6056e634df5fc2368f376b54585b530
142dc674a687ade3bc56e2e78f0a6dc0603d81f176f8a9d794d909b6839bcc5b
1db2ec499c11b096c4a468a878a9e6bb791183ca2156eb2e8c233fd7b172b607
20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
4f48ef3036b8e2b724cbf9ec618f35baf7cb5e2017dc5fae4825659a28b58e68
623027463a2ef70f60ff6a0991019847a3fb24da3b633b52da4a99a77c99f92b
ae275aba1d935bd3045e9cd3f258b72636e6759506e183423341a992faf47f80
edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0
+ 1'790 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence ransomware spyware stealer
Link:
https://tria.ge/reports/220121-hzyceaeafj/
Behaviour
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops desktop.ini file(s)
Deletes itself
Drops startup file
Reads user/profile data of web browsers
Modifies extensions of user files
Sets service image path in registry
Unpacked files
SH256 hash:
191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019
MD5 hash:
343fcded2aaf874342c557d3d5e5870d
SHA1 hash:
8be3c66aecd425f1f123aadc95830de49d1851b5
Link:
https://www.unpac.me/results/6215ded1-51a9-4559-bc5d-8ea26e6d6138/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/191ca4833351/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/Libranalysis/status/1484422049800069120
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/221368/

Comments