MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b30e0509075234edd5f46ed054ad56bb6cf8d234341e0c72fe27407027e94de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 1b30e0509075234edd5f46ed054ad56bb6cf8d234341e0c72fe27407027e94de
SHA3-384 hash: 88859863c9aa55f8e4f62ed8d865eea058d1de9e5c00899f7ea6e564623b116e8937219380b9fb86169f326553461db7
SHA1 hash: 24f3a8c071c436017baee73e9ce7770f7a8c0111
MD5 hash: 45bd8c50b18ea46215b084bd4b909232
humanhash: beer-table-west-mexico
File name: 45bd8c50_by_Libranalysis
File size: 361'472 bytes
First seen: 2021-05-12 13:02:03 UTC
Last seen: 2021-05-12 14:19:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b07f22478371f305e0756828f83a594c
ssdeep: 6144:0pC0yCr2a6sjZxzP2OzusUD+8g861P2GKDcvIKgg8h8u+hyF8MALZS0iUUJJPA+W:09QIZxD21s8+8g7HwKyWuCLMZUUJtzOl
Threatray: 3 similar samples on MalwareBazaar
TLSH: DD7423DAD6E0717EE835C6F6A069A544A871D2E1243CCFDD839004ADA27192CBB4CFDD
Reporter: Libranalysis


Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 2
# of downloads: 107
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Running batch commands
Sending a UDP request
Launching a process
Creating a file in the %AppData% directory
Creating a file
Issuing Windows Management Instrumentation (WMI) requests
Searching for the window
Creating a file in the %temp% directory
Launching a service
Creating a file in the Windows subdirectories
Moving a file to the Windows subdirectory
Changing a file
Modifying an executable file
Moving a file to the Program Files directory
Creating a window
Moving a file to the Program Files subdirectory
Launching a tool to kill processes
Blocking System Restore
Preventing system recovery
Deleting volume shadow copies
Blocking the launch of Windows Task Manager (taskmgr)
Blocking the Windows Defender launch
Creating a file in the mass storage device
Moving the original file
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.spre.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Contains functionality to check if the process is started with administrator privileges
Creates files in the system32 config directory
Deletes shadow drive data (may be related to ransomware)
Detected suspicious e-Mail address in disassembly
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected RansomwareGeneric
Behaviour
Behavior Graph (ID 412277; sample 45bd8c50_by_Libranalysis; start date 12/05/2021; architecture WINDOWS; score 100). Process tree recovered from the graph image; numbers in parentheses are graph node IDs, not PIDs:
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected RansomwareGeneric; 2 other signatures
45bd8c50_by_Libranalysis.exe (node 8)
    dropped: MSOHEV.DLL.ID-9479...firemail.cc].phobos (DOS); osetupui.dll.ID-94...firemail.cc].phobos (DOS); PSGet.Resource.psd...firemail.cc].phobos (data); 105 other malicious files
    signatures: Creates files in the system32 config directory; Spreads via windows shares (copies files to share folders)
    started: conhost.exe (18)
45bd8c50_by_Libranalysis.exe (node 12)
    dropped: UpdateUx_Temp.1.et...firemail.cc].phobos (data); C:\ProgramData\Microsoft\Windows\...\info.txt (ASCII); C:\ProgramData\Microsoft\Windows\...\info.hta (HTML); 5 other malicious files
    signatures: Contain functionality to detect virtual machines; Writes many files with high entropy; Detected suspicious e-Mail address in disassembly; Contains functionality to check if the process is started with administrator privileges
    started: cmd.exe (20); cmd.exe (23); cmd.exe (25); 17 other processes (29)
        cmd.exe (20): signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; started: reg.exe (31)
        cmd.exe (23): started: reg.exe (33)
        cmd.exe (25): started: reg.exe (35)
        17 other processes (29): started: cmd.exe (37); cmd.exe (39); taskkill.exe (41); 2 other processes (43)
            cmd.exe (37): started: icacls.exe (45); conhost.exe (47)
            cmd.exe (39): started: conhost.exe (49); taskkill.exe (51)
45bd8c50_by_Libranalysis.exe (node 14)
    started: conhost.exe (27)
explorer.exe (node 16)
Threat name: Win64.Ransomware.FonixCrypt
Status: Malicious
First seen: 2021-05-12 06:38:00 UTC
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion ransomware spyware stealer upx
Behaviour
Creates scheduled task(s)
Interacts with shadow copies
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Drops startup file
Modifies file permissions
Reads user/profile data of web browsers
Deletes backup catalog
Disables Task Manager via registry modification
Disables use of System Restore points
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Please note that we are no longer able to provide a coverage score for VirusTotal.
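The vendor behaviour lists above (shadow copies deleted, boot configuration changed with bcdedit, backup catalog deleted, Task Manager disabled through the registry, event logs cleared, taskkill, icacls and schtasks invoked from cmd.exe) are the recovery-inhibition pattern a defender hunts for in process-creation telemetry. The following Python is an added example for this page; it is not code from the sample, from any of the vendors quoted here or from MalwareBazaar. It runs one regex indicator per behaviour over constructed process-creation records and returns the distinct techniques seen plus a verdict. The records in SAMPLE_LOG, the pipe-separated record format and the three-technique threshold are assumptions for illustration; they are not the command lines observed from this sample.

```python
"""Flag recovery-inhibition behaviour in process-creation telemetry.

Added example for this MalwareBazaar entry. It is not code from the sample,
the sandbox vendors or MalwareBazaar. The records in SAMPLE_LOG are
constructed and are NOT the command lines observed from this sample.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    parent: str
    image: str
    cmdline: str


# (behaviour label, case-insensitive regex over the full command line).
# Labels mirror the vendor behaviour names on this page.
INDICATORS = [
    ("Deletes shadow copies (vssadmin)",
     r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("Deletes shadow copies (wmic)",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("Disables use of System Restore points (bcdedit)",
     r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("Deletes backup catalog (wbadmin)",
     r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
    ("Disables Task Manager via registry modification (reg)",
     r"\breg(\.exe)?\b.*\badd\b.*Policies\\System\b.*\bDisableTaskMgr\b"),
    ("Clears Windows event logs (wevtutil)",
     r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b"),
    ("Modifies file permissions (icacls)",
     r"\bicacls(\.exe)?\b.*/grant\b"),
    ("Kills process with taskkill",
     r"\btaskkill(\.exe)?\b.*/(f|im)\b"),
    ("Creates scheduled task(s) (schtasks)",
     r"\bschtasks(\.exe)?\b.*/create\b"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in INDICATORS]

# Constructed records, pipe-separated: pid|parent image|image|command line.
# One benign process and one benign "vssadmin list" sit among the destructive
# commands so the indicators have something to ignore.
SAMPLE_LOG = r"""
4012|explorer.exe|notepad.exe|notepad.exe C:\Users\user\notes.txt
4100|cmd.exe|vssadmin.exe|vssadmin list shadows
4116|cmd.exe|vssadmin.exe|vssadmin delete shadows /all /quiet
4120|cmd.exe|wmic.exe|wmic shadowcopy delete
4132|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled No
4136|cmd.exe|bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
4140|cmd.exe|wbadmin.exe|wbadmin delete catalog -quiet
4152|cmd.exe|reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4160|cmd.exe|wevtutil.exe|wevtutil cl System
4172|cmd.exe|taskkill.exe|taskkill /f /im sqlservr.exe
4180|cmd.exe|icacls.exe|icacls "C:\Users" /grant Everyone:F /T /C /Q
"""


def parse_log(text):
    """Turn the pipe-separated records into Event objects."""
    events = []
    for line in text.strip().splitlines():
        pid, parent, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), parent, image, cmdline))
    return events


def match_event(ev):
    """Return every behaviour label whose indicator fires on this command line."""
    return [label for label, rx in COMPILED if rx.search(ev.cmdline)]


def triage(events, threshold=3):
    """Collect distinct techniques across the records; the threshold on the
    number of distinct techniques is an assumption for this example."""
    techniques = {}
    for ev in events:
        for label in match_event(ev):
            techniques.setdefault(label, []).append(ev.pid)
    verdict = "ransomware-like" if len(techniques) >= threshold else "no verdict"
    return {"techniques": techniques, "verdict": verdict}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for label, pids in result["techniques"].items():
        print(f"{label}: pids {pids}")
    print("verdict:", result["verdict"])
```

Counting distinct techniques rather than raw hits is what separates an administrator who runs one `vssadmin delete shadows` from a process tree that deletes shadow copies, rewrites boot configuration, removes the backup catalog and disables Task Manager within seconds; tune the threshold and the indicator list to your own telemetry.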

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: shad0w_beacon_16June
Author: SBousseaden
Description: Shad0w beacon compressed
Reference: https://github.com/bats3c/shad0w
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
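The suspicious_packer_section match, the "upx" sandbox tag and the F0001.008 (UPX) behaviour in the comment below all rest on the same signal: section names a packer leaves in the PE section table. The following Python is an added example for this page, not the YARA rule's code and not code from MalwareBazaar or the sample. It walks DOS header, PE signature, COFF header and section table by hand and reports section names found in a small list of known packer names; that list and the constructed minimal PE images it is run against are assumptions for illustration and are not derived from this sample.

```python
"""Report packer-style PE section names, the signal behind rules such as
suspicious_packer_section.

Added example for this MalwareBazaar entry; it is not the YARA rule's code,
nor code from MalwareBazaar or the sample. PACKER_SECTION_NAMES is an
illustrative subset chosen for this example, not the rule's keyword list.
"""
import struct

# Section names commonly left behind by packers/protectors (illustrative
# subset, an assumption for this example). Compared case-insensitively.
PACKER_SECTION_NAMES = {
    "upx0", "upx1", "upx2", ".aspack", ".adata", ".mpress1", ".mpress2",
    ".petite", ".vmp0", ".vmp1", ".themida",
}

E_LFANEW_OFFSET = 0x3C      # offset of e_lfanew in the DOS header
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the 8-byte section names, NUL-trimmed."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)       # NumberOfSections
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + size_of_optional
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def packer_hits(data):
    """Section names from the image that match the packer list."""
    return [n for n in pe_section_names(data) if n.lower() in PACKER_SECTION_NAMES]


def build_minimal_pe(section_names):
    """Constructed PE32 image carrying only the headers a section walk needs.
    It is not loadable and is NOT derived from this sample."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    size_of_optional = 0xE0                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       size_of_optional, 0x0102)  # i386; EXECUTABLE_IMAGE|32BIT_MACHINE
    optional = struct.pack("<H", 0x10B) + bytes(size_of_optional - 2)  # PE32 magic
    table = b"".join(
        name.encode("ascii")[:8].ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    clean = build_minimal_pe([".text", ".rdata", ".data", ".rsrc"])
    print("packed:", pe_section_names(packed), "->", packer_hits(packed))
    print("clean: ", pe_section_names(clean), "->", packer_hits(clean))
```

Section names are a cheap but brittle signal: a packer can rename its sections, and a legitimate installer may ship UPX-compressed. Treat a hit as a reason to unpack and look further, not as a verdict on its own.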

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-12 14:08:03 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [F0001.008] Anti-Behavioral Analysis::UPX
3) [C0018] Process Micro-objective::Terminate Process