MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26bbd10d6fa04b957de85d976141cd849d21cf790694e3145cc34b3c48439103. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26bbd10d6fa04b957de85d976141cd849d21cf790694e3145cc34b3c48439103
SHA3-384 hash: 5d694116c852da1b5bf15a633742f9e4977b820d89c582a2e042ddd34c36df58837150876e4c568539f654d0f8052116
SHA1 hash: 8cf460a74c78075a65feed8b1b6f99697eb89964
MD5 hash: a771bf132eb5a52ef65d263957ad83fa
humanhash: friend-early-kansas-kilo
File name:RuntimeBroker_protected.bin
Download: download sample
File size:1'177'600 bytes
First seen:2020-07-01 09:38:11 UTC
Last seen:2020-07-01 11:09:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 113 x njrat, 80 x RedLineStealer)
ssdeep 24576:1hkoslstFm4R5a24uKDFcNCd9/xQTj2j+0G5SxxvzLvYT4fthVAAtC9NG:bkose5XKyqQvw7G0DLTYT4fPlyN
Threatray 60 similar samples on MalwareBazaar
TLSH E345336DE034ED40F699F338FAB604BD27E623A5107697F97185CB4E909EE42B471423
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18159/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26bbd10d6fa04b957de85d976141cd849d21cf790694e3145cc34b3c48439103/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2019-12-11 12:00:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
01214329917b407fed2ff876f8867214125c6f27ada5623891253a2ee012288a
0137eab9ffb892bcff1aabd6bba89c41459cf49087222ebb2723c3ce5a755ad3
7ea8e3c5414b0264c420a0d58d0807738c61aa5c1784ad0f555399b76f7ac4ca
97b4fea61d49c93281c6a9b0e058bd747c1cc85458889ce745e577414db2a8dd
9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db
9a76fa2bd0df22fd79b7e38248b3a765a524070bc68175811914968c731fe6eb
a14dc3eb54f3876b3a2bfc6e0aa105c832fc5424130c43248995cceda6790133
d2ae3fabca5021b33bfa9326b06dea2cc82a56537a1d473934553bdcdfaddb74
ea74eac48adf2b19c3102578cb14ee0cd1d51f5e5e1da2fb4ab5b0d3f7e91827
f54e2a18f9a6b1f5fa144306a9ad3e277e0dfa581543c5156a6a59b644c913da
+ 50 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware persistence spyware
Link:
https://tria.ge/reports/200701-4vh4bw1l82/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies control panel
Suspicious behavior: RenamesItself
Drops file in Program Files directory
Drops file in Program Files directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run entry to start application
Looks up external IP address via web service
Looks up external IP address via web service
Adds Run entry to start application
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18159/

Comments