MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Wintenzz


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142
SHA3-384 hash: 09ba9ff9af6cc9983ff83256805d14dbf1919a72a8b58c689157a29260baaa9ce2c1e673d43d1a646fbcc970b7258e4f
SHA1 hash: 0428a2ead08f005f3c90a493e10207322d8a429b
MD5 hash: 2716659c3b1e8927dcb2e418e99b1ea5
humanhash: july-cup-delaware-wisconsin
File name:1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142
Download: download sample
Signature Wintenzz
Create hunting rule
File size:941'568 bytes
First seen:2021-04-11 10:54:50 UTC
Last seen:2021-05-19 09:13:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d15f30a012d1f18a10b3b2009ac828a9 (1 x Wintenzz)
ssdeep 12288:6Bqk8tIzpnRc3hg098BDtcQxFVx2DyxLbWURXwNi5DHkJ9TbJtJ:6BHr8D90DtBFVxYILbbRXwNz/Tbl
TLSH 0F155C29774E95ADD02BC4B883928622AA3130CA17717DFF06C559342F5BAF41F3E399
Reporter fbgwls245
Tags:Ransomware wintenzz

Intelligence

File Origin
# of uploads :
3
# of downloads :
379
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133561/
Detection(s):
SecuriteInfo.com.Heur.Ransom.REntS.Gen.1.4848.706.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Creating a process from a recently created file
Running batch commands
Reading critical registry keys
Changing a file
Stealing user critical data
Deleting volume shadow copies
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Wintennz
Create hunting rule
Detection:
malicious
Classification:
rans.adwa.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/672226
Signature
Deletes shadow drive data (may be related to ransomware)
Drops HTML or HTM files to system directories
Drops PE files to the startup folder
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Yara detected Wintennz Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 385060 Sample: IJht2pqbVh Startdate: 11/04/2021 Architecture: WINDOWS Score: 88 85 Multi AV Scanner detection for dropped file 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 Yara detected Wintennz Ransomware 2->89 91 2 other signatures 2->91 8 IJht2pqbVh.exe 69 2->8         started        12 winstrt10.exe 2->12         started        14 iexplore.exe 1 75 2->14         started        process3 dnsIp4 65 C:\Users\user\AppData\...\winstrt10.exe, PE32+ 8->65 dropped 67 C:\Users\user\Desktop\...\BQJUWOYRTO.pdf, data 8->67 dropped 69 C:\Users\user\Desktop\LHEPQPGEWF.xlsx, data 8->69 dropped 73 3 other malicious files 8->73 dropped 93 Suspicious powershell command line found 8->93 95 Drops HTML or HTM files to system directories 8->95 97 Drops PE files to the startup folder 8->97 99 Modifies existing user documents (likely ransomware behavior) 8->99 17 powershell.exe 3 13 8->17         started        19 powershell.exe 19 8->19         started        21 cmd.exe 1 8->21         started        71 C:\ProgramData\winfrce.bat, DOS 12->71 dropped 23 powershell.exe 12->23         started        25 powershell.exe 12->25         started        27 powershell.exe 12->27         started        79 192.168.2.1 unknown unknown 14->79 29 iexplore.exe 30 14->29         started        file5 signatures6 process7 dnsIp8 32 cmd.exe 1 17->32         started        35 conhost.exe 17->35         started        37 conhost.exe 19->37         started        39 conhost.exe 21->39         started        41 cmd.exe 23->41         started        43 conhost.exe 23->43         started        45 cmd.exe 25->45         started        47 conhost.exe 25->47         started        49 conhost.exe 27->49         started        75 upload.wikimedia.org 91.198.174.208, 443, 49750, 49751 WIKIMEDIAUS Netherlands 29->75 77 2no.co 88.99.66.31, 443, 49748, 49749 HETZNER-ASDE Germany 29->77 process9 signatures10 81 May disable shadow drive data (uses vssadmin) 32->81 83 Deletes shadow drive data (may be related to ransomware) 32->83 51 conhost.exe 32->51         started        53 vssadmin.exe 1 32->53         started        55 vssadmin.exe 1 32->55         started        57 conhost.exe 41->57         started        59 vssadmin.exe 41->59         started        61 vssadmin.exe 41->61         started        63 conhost.exe 45->63         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142/
Threat name:
Win64.Ransomware.Genasom
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 13:22:15 UTC
File Type:
PE+ (Exe)
AV detection:
26 of 48 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dou67bydwefa6fmgg2qtrmjaqnpjlcgcd3bopc7itcx4vzklafba._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
ransomware
Link:
https://tria.ge/reports/210411-644wb29rwa/
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops startup file
Modifies extensions of user files
Deletes shadow copies
Unpacked files
SH256 hash:
1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142
MD5 hash:
2716659c3b1e8927dcb2e418e99b1ea5
SHA1 hash:
0428a2ead08f005f3c90a493e10207322d8a429b
Link:
https://www.unpac.me/results/92e9e710-9ede-46f9-b75b-b06a10b385b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SUSP_RANSOMWARE_Indicator_Jul20
Create hunting rule
Author:Florian Roth
Description:Detects ransomware indicator
Reference:https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/siri_urz/status/1379754707053338624
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/133561/

Comments