MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019
SHA3-384 hash: 8c777c567aa9a43a7f60c3272da4fe36affbc1e701d350807fd65bf5fc28ed905863c9d6d21c59cd768683e6cb4d8951
SHA1 hash: 8be3c66aecd425f1f123aadc95830de49d1851b5
MD5 hash: 343fcded2aaf874342c557d3d5e5870d
humanhash: florida-hawaii-four-equal
File name: stage4.bin
Signature n/a
File size: 25'092 bytes
First seen: 2022-01-21 07:10:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 54cfabe19c96b84b5812f45d4663034f
ssdeep 384:6ck4phERK+NUl/9j5SddlEt4OIqXFKJBeht2FrGxg:6ckuhERW2wndVKPe2FyS
Threatray 1'800 similar samples on MalwareBazaar
TLSH T103B22B0AB18A97B1E573F2BA8ACBD77B4792E613C51B6BBFF724765862024507C14F00
Reporter @Libranalysis
Tags: exe whispergate wiper


Twitter
@Libranalysis
A write-up of the sample can be found here: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html

Intelligence


File Origin
# of uploads: 1
# of downloads: 226
Origin country: NL
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Changing a file
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
DNS request
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Threat name:
Win32.Network.WhisperGate
Status:
Malicious
First seen:
2022-01-21 07:11:08 UTC
File Type:
PE (Exe)
AV detection:
24 of 28 (85.71%)
Threat level:
3/5
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence ransomware spyware stealer
Behaviour
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops desktop.ini file(s)
Deletes itself
Drops startup file
Reads user/profile data of web browsers
Modifies extensions of user files
Sets service image path in registry
Unpacked files
SHA256 hash:
191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019
MD5 hash:
343fcded2aaf874342c557d3d5e5870d
SHA1 hash:
8be3c66aecd425f1f123aadc95830de49d1851b5

File information


The table below shows additional information about this malware sample such as delivery method and external references.
