MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
SHA3-384 hash: df098c35b01b4186d6bb2db215f937dbc365b3968b512a090058870632f3fdd7e500a67a92ae0c93058a6a03d3f47a52
SHA1 hash: 6b0deb67a178fe20e81691133b257df3bafa3006
MD5 hash: 01492156ce8b4034c5b1027130f4cf4e
humanhash: two-sixteen-october-april
File name:2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
Download: download sample
File size:3'085'318 bytes
First seen:2022-10-04 16:29:56 UTC
Last seen:2022-10-13 09:34:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 150bdf1f53f6260c91ec3fcff5867019 (1 x Royal)
ssdeep 49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5k:wm+GaNqqJJ12vlZol8cJ7rc
Threatray 3 similar samples on MalwareBazaar
TLSH T1FBE58D6AF6A800D8D56AC13CC5564227E3B1FC2517B287CB1AB4AA790F73AD55F3E700
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter petikvx
Tags:exe Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
536
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316588/
Detection(s):
SecuriteInfo.com.Trojan.DelShadows.21.16918.30482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Searching for the window
Deleting volume shadow copies
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41121/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
CallSleep
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer.exe greyware overlay
Link:
https://www.filescan.io/uploads/633c5f8cd089a0c15dd5177b/reports/e2123554-327d-4cfd-a717-96d0854f1e28/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5ce83426-8af2-4541-b71a-a3aa2cc575f6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1083414
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f/
Threat name:
Win64.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2022-10-02 14:21:15 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ewmorlnypf3kxzepb25exo42ps3jiopayez3egxohbc57tht7ohq._file
Verdict:
malicious
Similar samples:
162a1141709e329765d4798ebfded2b1740edbdd5a8c3d8bdf7b7703fb3f8375
7b7e104ca9e6eff6351c60c93a1054cb70c7744f5736b980b363a577be2d732d
9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
Result
Malware family:
n/a
Score:
  9/10
Tags:
ransomware
Link:
https://tria.ge/reports/221004-tzsygabghq/
Behaviour
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes shadow copies
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6dbfeab7-dde7-4e0c-9d10-c8d6c6bab8c6
Unpacked files
SH256 hash:
2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
MD5 hash:
01492156ce8b4034c5b1027130f4cf4e
SHA1 hash:
6b0deb67a178fe20e81691133b257df3bafa3006
Link:
https://www.unpac.me/results/3d7f3fd2-92ae-433e-b6d4-920ecac75371/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316588/

Comments