MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19c8d8a63ec85a1f77ae4a28bdc4cb149c84d7101883ee8db4a0769f93e2d288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VirLock


Vendor detections: 7



SHA256 hash: 19c8d8a63ec85a1f77ae4a28bdc4cb149c84d7101883ee8db4a0769f93e2d288
SHA3-384 hash: 1a43b03caa92ef04ba79a1dc3b6ee3eea5d3328d98282e02b809801610ed50339529179eeb54ce76a4dcde5b08c44075
SHA1 hash: d4ed6e763514ba48af462fce0390d735aaf04548
MD5 hash: 129d0cd030ecb4574dc7e55e58999c06
humanhash: burger-butter-coffee-summer
File name: 129d0cd0_by_Libranalysis
Signature: VirLock
File size: 918'528 bytes
First seen: 2021-05-05 08:03:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8ed625e9ed4bf0306ae522b4fb312a20 (1 x VirLock)
ssdeep: 24576:6BOxMQ77KruSaUEJKQkDUIK7pvTdAtyoB9xw0KrIpO:6BOCENGQk/K9vityoDBO
Threatray: 34 similar samples on MalwareBazaar
TLSH: 2C15AF7F0C397A26D39815722587B7A3689A0FCFF4A1D2A7D53562C7DBA1B220CC5270
Reporter: Libranalysis


Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Sending a UDP request
DNS request
Searching for the window
Launching a service
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates an undocumented autostart registry key
Delayed program exit found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
[Behavior graph not reproduced. Behavior Graph ID: 404745; Sample: 129d0cd0_by_Libranalysis; Start date: 05/05/2021; Architecture: WINDOWS; Score: 100.]
Files dropped by 129d0cd0_by_Libranalysis.exe according to the graph: C:\Users\user\WCMgMEwk\YiwMEskY.exe (PE32), C:\ProgramData\XMMooswI\uQQUokws.exe (PE32), C:\ProgramData\FUoEIEkg\beEEAsco.exe (PE32), C:\Users\user\AppData\Local\Temp\setup.exe (PE32).
Processes shown in the graph: 129d0cd0_by_Libranalysis.exe, uQQUokws.exe, svchost.exe, YiwMEskY.exe, beEEAsco.exe, cmd.exe, setup.exe, MpCmdRun.exe, WerFault.exe, conhost.exe. Network endpoints shown: 127.0.0.1, 192.168.2.1.
Threat name:
Win32.Ransomware.VirLock
Status:
Malicious
First seen:
2020-05-14 20:53:20 UTC
AV detection:
45 of 48 (93.75%)
Threat level: 5/5
Result
Malware family:
n/a
Score: 10/10
Tags:
evasion persistence spyware stealer trojan
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SHA256 hash: 32bbb1f8fa3560dc04b6f2fa76e8f3b3a9402c3a0e9dd33b5b8d0f6640c92842
MD5 hash: 97f47a2bcbbb0c889a13acfeb1a28cb0
SHA1 hash: 219a1e715f2b6103eb2ccf7dd91355ceb0508f8b

SHA256 hash: c78959c345564855ce7a8c227c441c595aff2c626f1bd432db4bbcf0e8e4640b
MD5 hash: 2440e830ae814e2f614b46c01c34b42f
SHA1 hash: eb2c492837a371579bf76c8a9a7d1992254f9737

SHA256 hash: 19c8d8a63ec85a1f77ae4a28bdc4cb149c84d7101883ee8db4a0769f93e2d288
MD5 hash: 129d0cd030ecb4574dc7e55e58999c06
SHA1 hash: d4ed6e763514ba48af462fce0390d735aaf04548
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments