MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 261af19bb09ed5d1165dd031a3b6e5fa37edbdead61bd41ad9c6956935b3b72d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 261af19bb09ed5d1165dd031a3b6e5fa37edbdead61bd41ad9c6956935b3b72d
SHA3-384 hash: 87d5d40ea12876195e6c023bb29f7b0755c18182cf5cdda0f29204dbb86bcc20aebd17d4d3820a8761a29ccc5f1ca2b6
SHA1 hash: 3e4d8db9c3ca8fe506597bf0287508d8c520ec18
MD5 hash: fe5bfa40d9105c92f65e176effbf1b97
humanhash: london-nuts-missouri-zulu
File name:fe5bfa40_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:766'976 bytes
First seen:2021-05-05 10:02:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fdd668e67acc177084128cb151e831a5 (1 x VirLock)
ssdeep 12288:Jc7t++qFRH1+fx3Z868Wz/53F30cO8zhOZIRj68pPaafElaZqjEqxvPETm:2Yofx3ZiWz/t10yUZAj6GaIv6HETm
Threatray 184 similar samples on MalwareBazaar
TLSH 0AF4ADA943DAF54BDCB53FB8697AFF8201740ABB96E05398B0A47C3A1CF91F510D4891
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150261/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6804475-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Sending a UDP request
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/261af19bb09ed5d1165dd031a3b6e5fa37edbdead61bd41ad9c6956935b3b72d/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 10:03:16 UTC
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a9e2160871be8409cb531b94c71e5411d8f5dcfcfc40c37b65a56923ec71daf
VirLock
3fd471944c8650c8883d23f0f7bf54d8aef165b0aad140353244b2a43be760f7
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
896ebf31e9026da59e7af72c1842dec8157dc5d4ff645a029ff7a5ed4527832a
VirLock
8ee51302e53d652b2c2e5683e9810240bdc903b19b2e3b1aae712d123405e4d0
VirLock
c3cab87bb11691778b8aa91cd39945710eeb947e34ed4b980f0df655ed557b32
VirLock
d2b219340753ab7af23e9de41a88961e11e4df5a9e4ad27c0ed30d8e1bff2cf9
VirLock
d68ddb6796783f305bd44868cf5d99b91a1010f879bd08e1d3898e55f77fe109
VirLock
e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
VirLock
ffba1f9ea3ffde1803a9fa84158c9768f9b6a2b017a05687457cb0f4680c5cca
VirLock
+ 174 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210505-2wt456bacj/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
00f73295ca0e31bf6b2e9de4019334fef68ffdc062aed3897cbfefc1d509e4b2
MD5 hash:
d016b8710711f364b98b3ea04943e55e
SHA1 hash:
4104a0a296738b8c5c327699933d28fc6fc72bb1
Link:
https://www.unpac.me/results/7af9710e-5e76-47c9-a18c-618d6f63b533/
SH256 hash:
4c6ccd5ee38c4d79704ffda1094afc1ca289c2b93d4d7163f0a4c2a954c26795
MD5 hash:
21957840e1b337d7973d429c9b851085
SHA1 hash:
1a711737ff20e98335f76ac26c19af95042afa00
Link:
https://www.unpac.me/results/7af9710e-5e76-47c9-a18c-618d6f63b533/
SH256 hash:
c0ad4888500c285ff35cc0d47d164c8c0a04266b30abda32a32562b6aae7be2d
MD5 hash:
6a1dcbf3640d2e0aa78049a03bcec546
SHA1 hash:
88dcbe791e0629f1ec78ef290da1b62084f95f80
Link:
https://www.unpac.me/results/7af9710e-5e76-47c9-a18c-618d6f63b533/
SH256 hash:
261af19bb09ed5d1165dd031a3b6e5fa37edbdead61bd41ad9c6956935b3b72d
MD5 hash:
fe5bfa40d9105c92f65e176effbf1b97
SHA1 hash:
3e4d8db9c3ca8fe506597bf0287508d8c520ec18
Link:
https://www.unpac.me/results/7af9710e-5e76-47c9-a18c-618d6f63b533/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150261/

Comments