MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20c1f2c87396f3f2f839e0da61742daac245b80b80af94da1db36b50b07d27cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20c1f2c87396f3f2f839e0da61742daac245b80b80af94da1db36b50b07d27cb
SHA3-384 hash: f9138261f5a5e7fad8bbc591207df703dce242271be0da080f38881d66637ad0a820a264b247f6497a1301817ec79acf
SHA1 hash: 75ab505d7d07619989e4008ec955160806b57d35
MD5 hash: b8fc5474163c85dfe0aaeee320459100
humanhash: enemy-jersey-golf-purple
File name:b8fc5474_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:640'512 bytes
First seen:2021-05-05 08:05:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 615d736f15e9c4ae83d21df872e9948a (1 x VirLock)
ssdeep 12288:QfJhxVOpIZskqh9bEhbajb29PcE6oEuf9X08Frz1JEcosUFTan9A0Tm:QbOAIEhbajbC65uf9X0kX73A0Tm
Threatray 78 similar samples on MalwareBazaar
TLSH 2ED4ADA2BCB30B1DF24043326E450BD2E266B772D637D02C95477265B64EE2362B6F47
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150002/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6804475-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
DNS request
Sending a UDP request
Launching a service
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Searching for the window
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20c1f2c87396f3f2f839e0da61742daac245b80b80af94da1db36b50b07d27cb/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 00:57:50 UTC
AV detection:
45 of 48 (93.75%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
006a6bed71198de86f59e003a891e431d75e47c3a6ead1b612af6c2f896f6e0b
VirLock
02c295951551d06d573f8631d699d5ce0a1170591fe4e2700754c2bdf8556be7
VirLock
0c707a14cb7de3e7380454c6659a0493d8b328b09d38204e431dc584d9e66249
VirLock
41e20476662e14ce7e2df3f3755fcbe3cc7c31b7f8a08654eb56333b32272098
VirLock
5065428bc91f6a12f48944a8c7299d559faf3d53e2c7c47db05bb9103450ab8d
VirLock
659b76788cccfc9c993dd9047e86844c7183957478fabe32455dc2a2ddea49fb
VirLock
afad289c4180b56d4e597d4304f5928c4ceba337fe3ac08b524246fbb656e46e
VirLock
bb610c8d918c1d4b8e8d9a6d7b6a47b2c0af2364c5462cc5362724773ae4ab9f
VirLock
bc1abcd5c8c6806af001b19a4357bd83444f12c31f9a0fc0b88dc9df6fad7ca2
VirLock
eccea2a8934f0b0c39fdbde0f312e881028122a9f41db0d3a2279ef055ff3d16
VirLock
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-t1mktvvvyj/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
2618c865040a26afa6f3c0b3e49a0ee687e29644519c0fd57e5cc512ba687686
MD5 hash:
e14ac67990bcd5e37f24347f1358c922
SHA1 hash:
7163e4c8f1d9bc1ce547a8fd92e0a4a8429eabfb
Link:
https://www.unpac.me/results/36b3740b-f689-414d-96dd-2d9c27a2878d/
SH256 hash:
a7d98730b1ce7edee5561ad5441615a9d75f00ef8ebe11aa9a1e928aaca40977
MD5 hash:
887d30c4f419c2376f695d94ac99d26e
SHA1 hash:
5dbdfeb6d747eeb7bafe7eb28925be9c677f4a0c
Link:
https://www.unpac.me/results/36b3740b-f689-414d-96dd-2d9c27a2878d/
SH256 hash:
9193866ed5d0b051cb85e33dc78b5dc54e96bdc7399f78ec30b2e1e08735b2ad
MD5 hash:
9db2d378455d11d27228dc2d140a7443
SHA1 hash:
cc276d6abaac025c1b1b857a4e1599b300754af4
Link:
https://www.unpac.me/results/36b3740b-f689-414d-96dd-2d9c27a2878d/
SH256 hash:
20c1f2c87396f3f2f839e0da61742daac245b80b80af94da1db36b50b07d27cb
MD5 hash:
b8fc5474163c85dfe0aaeee320459100
SHA1 hash:
75ab505d7d07619989e4008ec955160806b57d35
Link:
https://www.unpac.me/results/36b3740b-f689-414d-96dd-2d9c27a2878d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150002/

Comments