MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19ede46effb82553d3c75e9421c58b8b416b0bbcdcb018f8d01131f93fa555eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



WannaCry


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash: 19ede46effb82553d3c75e9421c58b8b416b0bbcdcb018f8d01131f93fa555eb
SHA3-384 hash: 3abb39340902d6572ec37e69ad5f22946a05d86d9f9ccedea22bee3e8a36d84bb26b7207b66f7e032cd2c83be6514087
SHA1 hash: 48f2e8d41396e0dddafe6773fef4ef17a977a11b
MD5 hash: 0a7d93346a2139fac588820c491c49d8
humanhash: freddie-edward-bakerloo-crazy
File name:0a7d93346a2139fac588820c491c49d8.dll
Download: download sample
Signature WannaCry
File size:5'267'459 bytes
First seen:2026-06-22 13:14:05 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2e5708ae5fed0403e8117c645fb23e5b (1'123 x WannaCry, 7 x Worm.Virut, 2 x Expiro)
ssdeep 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAZ0vZ6GIk:+DqPoBhz1aRxcSUDk36SAc0B6GIk
Threatray 1'665 similar samples on MalwareBazaar
TLSH T125362801D2E53A60DAF26AF6266EDB10433A6E458D5BA66F1221500F0C77F1CDDE6F2C
TrID 71.9% (.AX) DirectShow filter (201555/2/20)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.3% (.EXE) Win64 Executable (generic) (6522/11/2)
Magika pebin
Reporter kejult
Tags:dll WannaCry

Intelligence


File Origin
# of uploads :
1
# of downloads :
164
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.9%
Tags:
wannacry madi
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cmd crypto lolbin microsoft_visual_cc overlay ransomware ransomware reconnaissance smb wannacry
Verdict:
Malicious
File Type:
dll x32
First seen:
2020-01-15T08:10:00Z UTC
Last seen:
2026-06-24T08:54:00Z UTC
Hits:
~10
Gathering data
Threat name:
Win32.Ransomware.WannaCry
Status:
Malicious
First seen:
2020-01-27 18:12:29 UTC
File Type:
PE (Dll)
Extracted files:
4
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Result
Malware family:
wannacry
Score:
  10/10
Tags:
family:wannacry adware discovery persistence ransomware spyware worm
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
System Location Discovery: System Language Discovery
Drops file in Windows directory
Creates a large amount of network flows
Enumerates connected drives
Executes dropped EXE
Boot or Logon Autostart Execution: Active Setup
Contacts a large (3300) amount of remote hosts
Family: Wannacry
Unpacked files
SH256 hash:
19ede46effb82553d3c75e9421c58b8b416b0bbcdcb018f8d01131f93fa555eb
MD5 hash:
0a7d93346a2139fac588820c491c49d8
SHA1 hash:
48f2e8d41396e0dddafe6773fef4ef17a977a11b
Detections:
WannaCry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Author:malware-lu
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:NET
Author:malware-lu
Rule name:SUSP_Imphash_Mar23_2
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WannaCry_Ransomware
Author:Florian Roth (Nextron Systems) (with the help of binar.ly)
Description:Detects WannaCry Ransomware
Reference:https://goo.gl/HG2j5T

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments