MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HermeticWiper

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
SHA3-384 hash:	11331dcad0780d2ba57a5ad73ea3d1d1058e357af448cc3b70762fbf34dd8d55c2671203205d7594c80ec892eb19b77b
SHA1 hash:	61b25d11392172e587d8da3045812a66c3385451
MD5 hash:	3f4a16b29f2f0532b7ce3e7656799125
humanhash:	thirteen-coffee-victor-robert
File name:	1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
Download:	download sample
Signature	HermeticWiper Create hunting rule
File size:	117'000 bytes
First seen:	2022-02-23 21:20:14 UTC
Last seen:	2022-05-02 19:46:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fe4a2284122da348258c83ef437fbd7b (2 x HermeticWiper)
ssdeep	1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:sBOoa7P2wxlPwV1qPkSuqC
TLSH	T172B326539AEC3CC6D43813B137BFA7E5D72EECA46A90C09E96D01182D57C9533A227E4
File icon (PE):
dhash icon	f0968ee8aae8e8b2 (9 x Urelas, 9 x ValleyRAT, 5 x HermeticWiper)
Reporter	Arkbird_SOLG
Tags:	exe Hermetica Digital Ltd HermeticWiper signed Ukraine Wiper

Code Signing Certificate

Organisation:	Hermetica Digital Ltd
Issuer:	DigiCert EV Code Signing CA (SHA2)
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-04-13T00:00:00Z
Valid to:	2022-04-14T23:59:59Z
Serial number:	0c48732873ac8ccebaf8f0e1e8329cec
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	14ffc96c8cc2ea2d732ed75c3093d20187a4c72d02654ff4520448ba7f8c7df6
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

1'313

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

Verdict:

Suspicious activity

Analysis date:

2022-02-23 19:23:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b742d4cc-f570-4692-8858-975c0418ab28

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/243939/

Detection(s):

SecuriteInfo.com.Win32.KillDisk.NCV.32529.25663.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the drivers directory

Low-level writing to the hard drive

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Creating a file

Sending a custom TCP request

Enabling autorun for a service

Writing to the volume boot record

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7199/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

killdisk overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6216a53fa2660f3bb9336030/reports/9bc7818c-5978-4dcc-b0f0-93a7947a6b1f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b6f0643-7ad3-411b-bc1a-b3d49f864286

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/945230

Signature

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to infect the boot sector

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591/

Threat name:

Win32.Ransomware.KillDisk

Status:

Malicious

First seen:

2022-02-23 21:07:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpce533vo6pdzipo7oh7ljsia7n4sqvr4srgollxxh3jfdjjewiq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220223-z7bbaabda7/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Drops file in Drivers directory

Unpacked files

SH256 hash:

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

MD5 hash:

3f4a16b29f2f0532b7ce3e7656799125

SHA1 hash:

61b25d11392172e587d8da3045812a66c3385451

Link:

https://www.unpac.me/results/69fda6e3-7609-42b6-91f9-5c0f88dc22a9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/ESETresearch/status/1496581903205511181

Cape

https://www.capesandbox.com/analysis/243939/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample