MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Conti

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce
SHA3-384 hash:	6021d0160cac105da3c0ea3b1bade1114651ba97ee85d5ac8ef71e168fc295a7e06f5efd79107d937fc50b2be48ce69f
SHA1 hash:	85c434fbaa94fb4d73d77429a32e88b184ec2f88
MD5 hash:	77078664b4bbfbe25be44004431c1a37
humanhash:	beer-washington-sink-robin
File name:	26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce
Download:	download sample
Signature	Conti Create hunting rule
File size:	429'056 bytes
First seen:	2020-12-15 11:32:54 UTC
Last seen:	2020-12-15 13:41:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	39dafb68ebe9859afe79428db28af625 (2 x Conti)
ssdeep	12288:gXmIvf3KJmshWo/vwUG2mXmIvf3KJmshWo/vwUG2:gXmIvf3KJmOWo/vwUvmXmIvf3KJmOWo3
TLSH	BD9413610B435783E6FDD7B5CA269E8EEB57FD981B3088879D3411DC082B3E0AA1D1B5
Reporter	JAMESWT_WT
Tags:	conti Ransomware v3

Intelligence

File Origin

# of uploads :

# of downloads :

600

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce

Verdict:

Malicious activity

Analysis date:

2020-12-15 11:33:42 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/08a242f7-8d43-46e9-8925-f77d8967395a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Conti

Link:

https://www.capesandbox.com/analysis/108131/

Detection(s):

SecuriteInfo.com.Trojan.Encoder.33199.8660.27503.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Connection attempt

Creating a file

Changing a file

Creating a file in the Program Files directory

Moving a file to the Program Files directory

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Modifying an executable file

Sending a UDP request

Reading critical registry keys

Creating a file in the mass storage device

Stealing user critical data

Encrypting user's files

Infecting executable files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Conti

Detection:

malicious

Classification:

rans.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/563090

Signature

Found ransom note / readme

Found Tor onion address

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Conti ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-12-13 05:13:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2zeaeqro2os7ikbkiuljmjql3xo2je2tfwrjgwyhnx4trhxapha._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

10/10

Tags:

ransomware spyware

Link:

https://tria.ge/reports/201215-pnbx3bkdga/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Drops file in Program Files directory

Drops file in Windows directory

Drops desktop.ini file(s)

Reads user/profile data of web browsers

Drops startup file

Modifies extensions of user files

Unpacked files

SH256 hash:

26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce

MD5 hash:

77078664b4bbfbe25be44004431c1a37

SHA1 hash:

85c434fbaa94fb4d73d77429a32e88b184ec2f88

Link:

https://www.unpac.me/results/b948c900-1b36-4b51-97ef-208cb096ab9d/

SH256 hash:

64a3a3ec70d20636299b8fe4f50c2b4d077f9934ee2d6ccf7d440b05b9770f56

MD5 hash:

c52046a1816a698f1a5a3d3072e616a6

SHA1 hash:

c72bd50be0a494634fbfdee9df4b6c7bdfcaa504

Link:

https://www.unpac.me/results/b948c900-1b36-4b51-97ef-208cb096ab9d/

SH256 hash:

f092b985b75a702c784f0936ce892595b91d025b26f3387a712b76dcc3a4bc81

MD5 hash:

23a6691939ae3e33b3c31ada6eeed7b8

SHA1 hash:

deae30bdc505699a61f65d4e629e5b66adf57034

Link:

https://www.unpac.me/results/b948c900-1b36-4b51-97ef-208cb096ab9d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Conti

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	Conti Create hunting rule
Author:	kevoreilly
Description:	Conti Ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/108131/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample