MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20f7fce0e0f522a1fe1c6b51967fc1236e428d8ce45dc2a10738d03db57beb44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


4444


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20f7fce0e0f522a1fe1c6b51967fc1236e428d8ce45dc2a10738d03db57beb44
SHA3-384 hash: 75983f5ec2de074338d87e2522b6f16c87bab4f67604644e24461c11715976915c8dcc83e26cfa4cbb5c5489374a14e4
SHA1 hash: 32bbfef73761af6d23575e6483b1d417acc4afd1
MD5 hash: fe0a568b8a02fc0acfeba4bfc778e14f
humanhash: high-stairway-winter-princess
File name:fe0a568b8a02fc0acfeba4bfc778e14f.exe
Download: download sample
Signature 4444
Create hunting rule
File size:348'672 bytes
First seen:2021-02-15 08:04:47 UTC
Last seen:2022-09-29 12:32:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:411zMVnAbQOhpxzRF1k1NgXfeST46q4RjoiDzQULq/EDoqAd+ovl7GOH84wyCs8W:S1zMVnAb9FOQXTw4Rj9XpL+E3rot7GIX
Threatray 11 similar samples on MalwareBazaar
TLSH C1740264B3D4D369C5BE4BF968F0912102B16544BA07FB1D2F9A10792AB77D0CB3229F
Reporter abuse_ch
Tags:4444 exe Ransomware

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe0a568b8a02fc0acfeba4bfc778e14f.exe
Verdict:
Malicious activity
Analysis date:
2021-02-15 08:16:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c401ccdc-08d2-49ca-aba2-aae31e2f894f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117158/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36347471.27143.10964.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
4444_Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans.spre.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607881
Signature
Antivirus detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected 4444_Ransomware
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352971 Sample: V0ePEI5dPg.exe Startdate: 15/02/2021 Architecture: WINDOWS Score: 100 42 Antivirus detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected AntiVM_3 2->46 48 5 other signatures 2->48 8 V0ePEI5dPg.exe 3 2->8         started        12 V0ePEI5dPg.exe 2 2->12         started        process3 file4 24 C:\Users\user\AppData\...\V0ePEI5dPg.exe.log, ASCII 8->24 dropped 50 Drops PE files to the document folder of the user 8->50 52 Drops PE files to the user root directory 8->52 54 Drops PE files to the startup folder 8->54 14 V0ePEI5dPg.exe 501 8->14         started        18 V0ePEI5dPg.exe 501 12->18         started        signatures5 process6 file7 26 C:\Users\user\HOW TO BACK YOUR FILES.exe, PE32 14->26 dropped 28 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 14->28 dropped 30 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 14->30 dropped 38 1020 other files (12 malicious) 14->38 dropped 56 Spreads via windows shares (copies files to share folders) 14->56 20 cmd.exe 1 14->20         started        32 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 18->32 dropped 34 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 18->34 dropped 36 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 18->36 dropped 40 223 other files (none is malicious) 18->40 dropped signatures8 process9 process10 22 conhost.exe 20->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20f7fce0e0f522a1fe1c6b51967fc1236e428d8ce45dc2a10738d03db57beb44/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-15 03:44:57 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ed37zyha6urkd7q4nnizm76benxefdmm4ro4fiihhdid3nl35nca._file
Verdict:
malicious
Similar samples:
052a57afa8493f1396d73ab451c6df0135cf674529a26f692110b6ddb91c2672
4444
228cb0b4f58f72e44a6325c45da54adf0892deedcece6b010659f354f863c260
4444
30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
4444
750984dff0d13260e17e9bb1a3482f1bae834d6e0de1bcd199028748a9f998dc
4444
8577f2b2527925efb4a0a024cecaf3b41ef3b7d9fd5da314c31b8e4fe665df03
4444
9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b
4444
a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a
4444
acd3819ea42caf7fabc03c7e56b03e673f6a3b16ac3a131b57f7e4549de7b16d
4444
cab9baeed0b5b271cf9de3361483d662e52c75dd6a73544701980f29210dc49e
4444
e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9
4444
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan upx
Link:
https://tria.ge/reports/210215-n38pm4nn4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
UPX packed file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/e3cbf56d-157e-4b56-b574-25b18c668b81/
SH256 hash:
20f7fce0e0f522a1fe1c6b51967fc1236e428d8ce45dc2a10738d03db57beb44
MD5 hash:
fe0a568b8a02fc0acfeba4bfc778e14f
SHA1 hash:
32bbfef73761af6d23575e6483b1d417acc4afd1
Link:
https://www.unpac.me/results/e3cbf56d-157e-4b56-b574-25b18c668b81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20f7fce0e0f522a1fe1c6b51967fc1236e428d8ce45dc2a10738d03db57beb44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

4444

Executable exe 20f7fce0e0f522a1fe1c6b51967fc1236e428d8ce45dc2a10738d03db57beb44

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1002464/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117158/

Comments