MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MountLocker


Vendor detections: 7



SHA256 hash: 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
SHA3-384 hash: 589fe2315b737f9a15ff63b2afc6ac3efdff0f6f66d2d5ab12040bd5461ec368819f59268254d03d89fcf7b6fd9a38c6
SHA1 hash: da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1
MD5 hash: c2671bf5b5dedbfd3cfe3f0f944fbe01
humanhash: yankee-fanta-mockingbird-pizza
File name: 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2.bin
Signature: MountLocker
File size: 204'800 bytes
First seen: 2020-11-20 02:36:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 737cadd72b188399430b9cb1969015f4 (1 x MountLocker)
ssdeep: 1536:ssBoz9GFuIdclwKfVPoawSL20mRbg2DrE1mHkrY0f3r6fR0ZzDWR+3itGSh6ZVvg:ssS3oifBoaXhDWA4G3eeJaeIbmC00
Threatray: 4'524 similar samples on MalwareBazaar
TLSH: 6E144A23E4406048E9A34471193582B429377D726291AD4F66C0DEAE2873FC7F9F6B2F
Reporter: Arkbird_SOLG
Tags: MountLocker Ransomware

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 683
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Launching a service
Using the Windows Management Instrumentation requests
Forced system process termination
Deleting a recently created file
Changing a file
Replacing files
Creating a file
Modifying an executable file
Replacing executable files
Moving a file to the Program Files directory
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Enabling autorun with the shell\open\command registry branches
Deleting volume shadow copies
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 84 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes a notice file (html or txt) to demand a ransom
Behaviour
Threat name: Win32.Hacktool.SharPersist
Status: Malicious
First seen: 2020-11-12 01:11:03 UTC
File Type: PE (Exe)
AV detection: 23 of 29 (79.31%)
Threat level: 1/5
Result
Malware family: mountlocker
Score: 10/10
Tags: family:mountlocker persistence ransomware
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Program Files directory
Modifies service
Drops desktop.ini file(s)
Deletes itself
Modifies extensions of user files
Deletes shadow copies
MountLocker Ransomware
Unpacked files
SHA256 hash: 5a8c71be9779266e56ea0c9088ce1bd1e3b8ba4b9f6c61975e982de7469d0c0c
MD5 hash: f46220396100e0222fe96f4cf6c05b1d
SHA1 hash: f0264c7d0ed419fbce214759215521bb8bdf49bf

SHA256 hash: a5d3ff2eb117830df989772d13fd44463034d9cd1028e16d3b30f68615b5f38c
MD5 hash: 593f426a6c18158e90cdaf4566551380
SHA1 hash: 0650e5d3c0610ca2e087988c4952f74c9b23c852

SHA256 hash: 934d40ab91e16ecae63f18fe5c99728f9096d40a609a5ea2a299a27b518eb08b
MD5 hash: fa2ea61b4f019d5a75618024f7bc649e
SHA1 hash: 9b2d2e6ca1e3264272876ea12755f61adb3eb1ec

SHA256 hash: 1d6c40538eb4e51bb1b70f2904bbca474774345b09ad80c1d06537b36ccc0163
MD5 hash: a60b028db4faeeb7ba09d58b66c5fa0f
SHA1 hash: 162b70e403f7babba19b7c9764559e3e30fabe12

SHA256 hash: b9acda564a9f1670e1482d713f13a1617f3b3c0cde87c51122e8517bf0b30b80
MD5 hash: 28c05f3545b008935462d8dc3daff64a
SHA1 hash: 293cbe6586de08b75d94a5bf437b4984dbf3ad7a

SHA256 hash: fc070ed7b3da165bf1c416dfbc859f6b663853bcfb9975fd5e13fdaafccaf4e3
MD5 hash: c51e57ad3abfe54a8e0e26ac23aa1efc
SHA1 hash: adf0d1711d3f15feb86a5c0e6482b419f66cf4a4

SHA256 hash: c6c47d3e468e784b8d6adb8122f9ee97d46b9f2cb23c7b0ef3aaa3b5a2c6159e
MD5 hash: 231947729ad195ed069116582703a5b0
SHA1 hash: b3bec25ce44fea56a369a3b6153c9abc3271b9bc

SHA256 hash: 226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
MD5 hash: c2671bf5b5dedbfd3cfe3f0f944fbe01
SHA1 hash: da3e830011e6f9d41dd6c93fdb48c47c1c6e35e1

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments