MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25fa4f445a522467a2ae93388907c9d7ef7e14a68bc3a0db7ae29198d3abfe06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25fa4f445a522467a2ae93388907c9d7ef7e14a68bc3a0db7ae29198d3abfe06
SHA3-384 hash: 324aebb6ee81200f184ac9f003b78defe1aea1a12c99d9034e97e951c82f110956c71d84c90636e93ed9ed53f875c381
SHA1 hash: e4bafdd0e911e6dc0f5cf7c8e621a08db19c57c3
MD5 hash: 7e47a74dcac91b969936598c813a8dd5
humanhash: november-earth-bacon-bakerloo
File name:7e47a74d_by_Libranalysis
Download: download sample
File size:1'580'036 bytes
First seen:2021-05-11 20:05:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fadac24313d02cacf364c6b14d22b0e4
ssdeep 24576:J5JiHUEWTnziXSWkm6GpKXclGuz3u21KsH2hOiSXNB+1:0HUEWqSTm6ilf1VXI
Threatray 106 similar samples on MalwareBazaar
TLSH E0756B3568DB65BEF23B7EB02DCC3CD68C99F9735628606766444337EA40A80CE2957C
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/155215/
Detection(s):
SecuriteInfo.com.VBS.EmbeddedEXE-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a UDP request
Running batch commands
Creating a file
Creating a window
Creating a process with a hidden window
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/779079
Signature
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 411475 Sample: 7e47a74d_by_Libranalysis Startdate: 11/05/2021 Architecture: WINDOWS Score: 68 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Machine Learning detection for sample 2->26 28 Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring 2->28 7 7e47a74d_by_Libranalysis.exe 2->7         started        process3 signatures4 30 Bypasses PowerShell execution policy 7->30 10 powershell.exe 23 7->10         started        12 powershell.exe 1 22 7->12         started        14 powershell.exe 16 7->14         started        process5 process6 16 conhost.exe 10->16         started        18 conhost.exe 12->18         started        20 conhost.exe 14->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25fa4f445a522467a2ae93388907c9d7ef7e14a68bc3a0db7ae29198d3abfe06/
Threat name:
Win32.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2021-05-08 14:30:14 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0c7591403c6672c67cd0fbb1a7d4db34a224e5388a81a82a725811999bc49b4e
0f59d4e8970f5f97d8a033783d8b9cdb8fe9a30ba4462366b254f6deb69696dd
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9
8291db6ed7f2be2e014d6ad586a2fa2021c6f59334416e1042ed88edea137d0b
ae3974aeea651951c5c5802cf7a556c7626529790db1fd34f29be31c29f58ce2
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
c7c2bb08529df1ea16244dfed79a60c039426c69823ee24731213011460ee82d
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37
+ 96 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion ransomware trojan
Link:
https://tria.ge/reports/210511-t4g9484jzj/
Behaviour
Interacts with shadow copies
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Drops desktop.ini file(s)
Enumerates connected drives
Deletes itself
Modifies extensions of user files
Deletes shadow copies
Process spawned unexpected child process
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25fa4f445a522467a2ae93388907c9d7ef7e14a68bc3a0db7ae29198d3abfe06

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/155215/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 21:01:29 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0019] Data Micro-objective::Check String
2) [C0026.001] Data Micro-objective::Base64::Encode Data
3) [C0051] File System Micro-objective::Read File
4) [C0052] File System Micro-objective::Writes File
5) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
6) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
7) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
8) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
9) [C0040] Process Micro-objective::Allocate Thread Local Storage
10) [C0043] Process Micro-objective::Check Mutex
11) [C0042] Process Micro-objective::Create Mutex
12) [C0017] Process Micro-objective::Create Process
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process