MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d6f7662f9b034063d694a32d84c538e32da8adb6a52b77eeb3aaec3871b5e47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 1d6f7662f9b034063d694a32d84c538e32da8adb6a52b77eeb3aaec3871b5e47
SHA3-384 hash: 03c871826e9c5db677e48e85547152273a1d6ce2791e89c823ede02a98a60dff9502e05559c13a6df08d855182e1e156
SHA1 hash: b4e595b6f7e9ec29e0ee6811cf03ffd3238d8fbb
MD5 hash: 907de29be6e943391551fccb1f6a20c8
humanhash: butter-ink-fix-echo
File name: 907de29be6e943391551fccb1f6a20c8.exe
File size: 2'885'632 bytes
First seen: 2021-02-02 17:00:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f0070935b15a909b9dc00be7997e6112 (5 x Glupteba, 5 x GravityRAT, 1 x Expiro)
ssdeep: 49152:0zyXZ37wvgBsREqJQ6SPI/9xRW3tD1zpAK:0zOcvdW5PsW3tDV
Threatray: 4 similar samples on MalwareBazaar
TLSH: ECD55B56B8F614AACAFDF17085729721BB32346903327BC71F94457A1A1AFE4AF2D310
Reporter: abuse_ch
Tags: exe
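Before spending analysis time on a downloaded copy of this sample, confirm the bytes on disk are the ones this entry describes. The following is an added example, not MalwareBazaar code: it computes the four digests listed above (SHA256, SHA1, MD5, SHA3-384) in a single pass and reports every mismatch against the listed values. The sample itself is not embedded; the function is fed whatever file or byte string you hand it, and the expected values are copied from this entry.

```python
"""Verify a downloaded sample against the hashes listed on a MalwareBazaar entry.

Added example, not MalwareBazaar code. LISTED_HASHES holds the digests printed on
this entry; hash_file()/hash_bytes() compute the same four digests locally.
"""
import hashlib

# Digests exactly as listed on this MalwareBazaar entry.
LISTED_HASHES = {
    "sha256": "1d6f7662f9b034063d694a32d84c538e32da8adb6a52b77eeb3aaec3871b5e47",
    "sha1": "b4e595b6f7e9ec29e0ee6811cf03ffd3238d8fbb",
    "md5": "907de29be6e943391551fccb1f6a20c8",
    "sha3_384": "03c871826e9c5db677e48e85547152273a1d6ce2791e89c823ede02a98a60dff9502e05559c13a6df08d855182e1e156",
}


def _new_hashers() -> dict:
    # hashlib.new accepts "sha3_384" as an algorithm name on Python 3.6+.
    return {name: hashlib.new(name) for name in LISTED_HASHES}


def hash_bytes(data: bytes) -> dict:
    """Return all four digests (lower-case hex) for an in-memory byte string."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashers; samples can be large, so never read them whole."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_hashes(actual: dict, expected: dict) -> dict:
    """Return {algorithm: (expected, actual)} for each digest that does not match.

    An empty dict means the bytes are the sample this entry describes. Comparison
    is case-insensitive because vendors print digests in mixed case.
    """
    return {
        name: (exp, actual.get(name))
        for name, exp in expected.items()
        if actual.get(name, "").lower() != exp.lower()
    }


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path-to-downloaded-sample>
    mismatches = verify_hashes(hash_file(sys.argv[1]), LISTED_HASHES)
    if mismatches:
        for name, (exp, got) in mismatches.items():
            print(f"{name}: expected {exp}, got {got}")
        sys.exit(1)
    print("all listed hashes match")
```

Checking all four digests rather than only MD5 matters here: MD5 and SHA1 collisions are practical, so a sample archive that has been tampered with can keep an MD5 while changing the SHA256 and SHA3-384.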

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Launching a process
Launching a service
Creating a file
Using the Windows Management Instrumentation requests
Searching for the window
Sending a UDP request
Sending an HTTP GET request
Launching a tool to kill processes
Launching the process to interact with network services
Downloading the file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 60 / 100
Signature
Disables security and backup related services
May drop file containing decryption instructions (likely related to ransomware)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph (ID 347533, sample J6CmYLB0RM.exe, start date 02/02/2021, architecture WINDOWS, score 60; the interactive graph is rendered here as a text tree):

Signatures attached to the run:
Multi AV Scanner detection for submitted file
May drop file containing decryption instructions (likely related to ransomware)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Disables security and backup related services (attached to the J6CmYLB0RM.exe process)

Process tree:
J6CmYLB0RM.exe
    cmd.exe -> net.exe -> net1.exe
    cmd.exe -> net.exe -> net1.exe
    cmd.exe -> net.exe -> net1.exe
    12 other processes
        taskkill.exe
        taskkill.exe
        taskkill.exe
        4 other processes
SearchUI.exe
SearchUI.exe
Threat name: Win64.Ransomware.FileCoder
Status: Malicious
First seen: 2021-01-27 00:20:50 UTC
File Type: PE+ (Exe)
AV detection: 26 of 46 (56.52%)
Threat level: 5/5
Result
Malware family: vashsorena
Score: 10/10
Tags: family:vashsorena evasion ransomware spyware
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies Control Panel
Modifies registry class
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Program Files directory
JavaScript code in executable
Reads user/profile data of web browsers
Blocklisted process makes network request
Clears Windows event logs
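The process tree in the behaviour graph (the sample spawning cmd.exe, which runs net.exe and net1.exe, plus taskkill.exe launches) and the "Kills process with taskkill" / "Runs net.exe" behaviours above are the detectable part of "Disables security and backup related services". The following is an added example, not MalwareBazaar or vendor code: it takes process-creation events, attributes each `net stop` or taskkill.exe launch to the root of its process tree, and flags any root that issues several of them. The events, the field names (pid, ppid, image, cmdline) and the service/process names (svc_a, proc_a.exe, ...) are constructed to mirror this page's graph and are assumptions about your own EDR or Sysmon export, not values taken from the sample.

```python
"""Flag a process tree that fans out into many `net stop` / taskkill launches.

Added example, not MalwareBazaar or vendor code. Event schema and all names in
SAMPLE_EVENTS are constructed to mirror the behaviour graph on this page.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable name, as Sysmon/EDR would log it
    cmdline: str


# Constructed process-creation events: the sample (pid 100) spawns three cmd.exe,
# each running net.exe (which spawns net1.exe), plus three taskkill.exe instances,
# alongside a benign interactive shell mapping a share. Service and process names
# are placeholders; the page does not list the real targets.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "j6cmylb0rm.exe", "J6CmYLB0RM.exe"),
    ProcEvent(101, 100, "cmd.exe",  "cmd.exe /c net stop svc_a"),
    ProcEvent(102, 101, "net.exe",  "net stop svc_a"),
    ProcEvent(103, 102, "net1.exe", "net1 stop svc_a"),
    ProcEvent(104, 100, "cmd.exe",  "cmd.exe /c net stop svc_b"),
    ProcEvent(105, 104, "net.exe",  "net stop svc_b"),
    ProcEvent(106, 105, "net1.exe", "net1 stop svc_b"),
    ProcEvent(107, 100, "cmd.exe",  "cmd.exe /c net stop svc_c"),
    ProcEvent(108, 107, "net.exe",  "net stop svc_c"),
    ProcEvent(109, 108, "net1.exe", "net1 stop svc_c"),
    ProcEvent(110, 100, "cmd.exe",  "cmd.exe /c taskkill /f /im proc_a.exe"),
    ProcEvent(111, 110, "taskkill.exe", "taskkill /f /im proc_a.exe"),
    ProcEvent(112, 100, "cmd.exe",  "cmd.exe /c taskkill /f /im proc_b.exe"),
    ProcEvent(113, 112, "taskkill.exe", "taskkill /f /im proc_b.exe"),
    ProcEvent(114, 100, "cmd.exe",  "cmd.exe /c taskkill /f /im proc_c.exe"),
    ProcEvent(115, 114, "taskkill.exe", "taskkill /f /im proc_c.exe"),
    ProcEvent(200, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, "cmd.exe",  "cmd.exe"),
    ProcEvent(202, 201, "net.exe",  "net use Z: \\\\server\\share"),
]


def is_kill_command(ev: ProcEvent) -> bool:
    """True for `net stop ...` and for any taskkill.exe launch.

    net1.exe is the helper that net.exe itself spawns for the same command, so it
    is deliberately not counted, otherwise every `net stop` would count twice.
    """
    argv = ev.cmdline.lower().split()
    if ev.image == "net.exe":
        return "stop" in argv
    return ev.image == "taskkill.exe"


def root_of(pid: int, by_pid: dict) -> int:
    """Walk ppid links up to the top-most process we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)          # guards against ppid cycles from pid reuse
        pid = by_pid[pid].ppid
    return pid


def find_service_kill_sprees(events, threshold: int = 3) -> dict:
    """Group stop/kill launches by the root of their process tree.

    Returns {root_pid: [cmdlines]} for every root that issued at least
    `threshold` such commands. A single `net stop` from an admin shell stays
    below the threshold; a sample tearing down several services does not.
    """
    by_pid = {ev.pid: ev for ev in events}
    per_root = defaultdict(list)
    for ev in events:
        if is_kill_command(ev):
            per_root[root_of(ev.pid, by_pid)].append(ev.cmdline)
    return {root: cmds for root, cmds in per_root.items() if len(cmds) >= threshold}


if __name__ == "__main__":
    for root, cmds in find_service_kill_sprees(SAMPLE_EVENTS).items():
        print(f"root pid {root}: {len(cmds)} stop/kill commands")
        for c in cmds:
            print("   ", c)
```

Grouping by the tree root rather than by the immediate parent is the point: each `net stop` here comes from a different cmd.exe, so a per-parent count would see one command per shell and never fire. The threshold is a tuning knob; start from what your own admin tooling produces (backup agents and installers legitimately stop a service or two) and raise it only if that baseline is noisy.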
Malware Config
Dropper Extraction:
http://185.96.204.96/we_are_anon/vid.mp4
http://185.96.204.96/we_are_anon/clear.txt
Unpacked files
SHA256 hash: 1d6f7662f9b034063d694a32d84c538e32da8adb6a52b77eeb3aaec3871b5e47
MD5 hash: 907de29be6e943391551fccb1f6a20c8
SHA1 hash: b4e595b6f7e9ec29e0ee6811cf03ffd3238d8fbb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QnapCrypt
Author: Intezer Labs
Reference: https://www.intezer.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 1d6f7662f9b034063d694a32d84c538e32da8adb6a52b77eeb3aaec3871b5e47 (this sample)

Delivery method: Distributed via web download
