MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



WannaCry


Vendor detections: 15



SHA256 hash: 23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
SHA3-384 hash: 5935ef58f6eb8094add9fecae75010df33e3409c69987307c98f5908b00265ca1376b6ff87925df43ebbe4d60af8765e
SHA1 hash: 45c076d83c648f195444799aa2eacaf7dde7392a
MD5 hash: afbe6bba36be6ad384e6feccab258960
humanhash: bulldog-fix-table-maine
File name: zenhaolauvirus3.0.bin
Signature: WannaCry
File size: 4'578'163 bytes
First seen: 2023-04-12 16:16:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ab9ff6e4872ea2766a5f5c6af5649e9d (20 x CryptOne, 13 x RedLineStealer, 6 x RecordBreaker)
ssdeep: 98304:GJ4izQvct0rXAAlWmUX5vLxwvfYSU3YD6Si4ftjZWIVTpj1JEOux5uA3mm:GJ/zQvcYAAXUlxcfYRYDZi46IJ3JEO4B
Threatray: 39 similar samples on MalwareBazaar
TLSH: T17E2612E1D88095F8D9A91FF108B45E26AE6A3D3727B4156E82A132BB4EF74134437D0F
TrID: 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 000603412400801b (1 x WannaCry)
Reporter: petikvx
Tags: WannaCry

Intelligence


File Origin
# of uploads: 1
# of downloads: 260
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: lol.exe
Verdict: Malicious activity
Analysis date: 2023-01-15 07:39:43 UTC
Tags: ransomware trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Moving a recently created file
Changing a file
Using the Windows Management Instrumentation requests
Modifying a system executable file
Setting browser functions hooks
Launching a tool to kill processes
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Low-level writing
Creating a file in the mass storage device
Rewriting of the hard drive's master boot record
Encrypting user's files
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: alien autorun darkkomet filecoder greyware overlay packed setupapi.dll shdocvw.dll shell32.dll unsafe wanna wannacry wannacrypt
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda, Wannacry
Detection: malicious
Classification: rans.troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (overwrites its own PE header)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found Tor onion address
Infects the boot sector of the hard disk
Infects the VBR (Volume Boot Record) of the hard disk
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses shutdown.exe to shutdown or reboot the system
Writes directly to the primary disk partition (DR0)
Yara detected Babadeda
Yara detected Wannacry ransomware
Behaviour
Behavior Graph (text recovered from the graph image):
Behavior Graph ID: 845637
Sample: zenhaolauvirus3.0.bin.exe
Start date: 12/04/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree (started processes with their dropped files, network contacts and signatures):
zenhaolauvirus3.0.bin.exe
  dropped: C:\Users\user\Desktop\oh.exe (PE32); C:\Users\user\Desktop\lol3.exe (PE32); C:\Users\user\Desktop\lol2.exe (PE32); 2 other malicious files
  signatures: Multi AV Scanner detection for dropped file
  lol3.exe
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header)
    cmd.exe
      signatures: Uses shutdown.exe to shutdown or reboot the system
      oh.exe
        dropped: C:\Users\user\Desktop\._cache_oh.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCXEE51.tmp (PE32)
        signatures: Multi AV Scanner detection for dropped file
        Synaptics.exe
          network: docs.google.com 142.250.203.110, 443, 49702, 49703 (GOOGLEUS, United States); freedns.afraid.org 69.42.215.252, 49704, 80 (AWKNET-LLCUS, United States); xred.mooo.com
          dropped: C:\Users\user\Downloads\ChromeSetup.exe (PE32); C:\Users\user\Documents\HMPPSXQPQV\~$cache1 (PE32); C:\Users\user\...\zenhaolauvirus3.0.bin.exe (PE32); 14 other malicious files
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user
          WerFault.exe
        ._cache_oh.exe
          dropped: \Device\Harddisk0\DR0 (DOS/MBR)
          signatures: Machine Learning detection for dropped file; Writes directly to the primary disk partition (DR0); Infects the VBR (Volume Boot Record) of the hard disk; Infects the boot sector of the hard disk
      lol1.exe
        dropped: C:\Users\user\Documents\@WanaDecryptor@.exe (PE32); C:\Users\user\Desktop\u.wnry (PE32); C:\Users\user\Desktop\taskse.exe (PE32); 9 other malicious files
        signatures: Creates files in the recycle bin to hide itself; Drops PE files to the document folder of the user; Modifies existing user documents (likely ransomware behavior)
        taskdl.exe
        attrib.exe
          conhost.exe
        icacls.exe
          conhost.exe
        15 other processes
          conhost.exe
      kill.exe
        signatures: Detected unpacking (overwrites its own PE header)
        cmd.exe
          conhost.exe
          taskkill.exe
          taskkill.exe
          22 other processes
      7 other processes
EXCEL.EXE
Threat name: Win32.Ransomware.WannaCry
Status: Malicious
First seen: 2022-11-30 03:10:30 UTC
File Type: PE (Exe)
Extracted files: 87
AV detection: 34 of 37 (91.89%)
Threat level: 5/5
Result
Malware family: wannacry
Score: 10/10
Tags: family:wannacry bootkit discovery persistence ransomware spyware stealer worm
Behaviour
Delays execution with timeout.exe
Interacts with shadow copies
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Enumerates physical storage devices
Sets desktop wallpaper using registry
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Modifies extensions of user files
Deletes shadow copies
Wannacry
Unpacked files
SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

SHA256 hash: 0ed5efeee2afd5df6f051205b5e3c53376fb29bfdab8f6afa38b49ad1e364977
MD5 hash: 8505a39acf1524cf9c58e2034179f7b2
SHA1 hash: 9adaf829c3d93622ccaa1312fbd79f1afff74ab5

SHA256 hash: 1f63b4e7c2e63637357adb36871f8598e1e56d549820493314ba745c9b17adba
MD5 hash: 37aacde531994cdadf5688571e1fb376
SHA1 hash: b18c61e564dc552f6405d323ef259ddcf70edcf7

SHA256 hash: 22d7d9e74fc6f62adb3ef88dfbc3d542447b9b9e0cf74a2e742c6dd1cff26678
MD5 hash: 0569aa018df1fb65375b2eeca90d4f94
SHA1 hash: 2d5c2d4538a878440e8f136221b352cf122a6342

SHA256 hash: 23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
MD5 hash: afbe6bba36be6ad384e6feccab258960
SHA1 hash: 45c076d83c648f195444799aa2eacaf7dde7392a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments