MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 13

SHA256 hash: 2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef
SHA3-384 hash: acafc9521cf92461d19de5ec41f5edc55e805e4d9893a9b0406e29c1a868c7819b56688705c5214be048753ae2040dac
SHA1 hash: 1bab1913533d5748e9cda388f55c446be6b770ff
MD5 hash: 01d66a03a0de2ee2eacacaa3ac98f0aa
humanhash: delta-queen-winner-table
File name: 2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef.bin
Signature: BlueSky
File size: 72'704 bytes
First seen: 2022-08-12 00:41:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 1536:G+5geBR2Q+a8M124Zl2i5SADBDg8trv4t9MBY5ytv:GDeBgQ+a8M12Y2i59hrvWMBxv
Threatray: 6 similar samples on MalwareBazaar
TLSH: T12563D64AB749EB30F59694B996FC2A17688E8938835F85C3FBD0C05A7651CC6B834F13
TrID: 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter: Arkbird_SOLG
Tags: BlueSky exe Ransomware

Intelligence


File Origin
# of uploads: 1
# of downloads: 4'295
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2280898cb29faf1785e782596d8029cb471537ec38352e5c17cc263f1f52b8ef.bin
Verdict: Malicious activity
Analysis date: 2022-08-12 00:43:35 UTC
Tags: ransomware

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Changing a file
Moving a recently created file
Searching for synchronization primitives
Reading critical registry keys
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BlueSky Ransomware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to hide a thread from the debugger
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:

Threat name: Win32.Ransomware.Conti
Status: Malicious
First seen: 2022-06-29 08:48:44 UTC
File Type: PE (Exe)
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: ransomware
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Deletes itself
Modifies extensions of user files
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Conti
Author: kevoreilly
Description: Conti Ransomware

Rule name: meth_stackstrings
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments