MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Troldesh

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA3-384 hash:	a49af682c9b8b493fb451135638a3b73fd6d10982f0ea41d0bff7584ce59718780df75bb5ff5220416575ec3df379f44
SHA1 hash:	57edd72391d710d71bead504d44389d0462ccec9
MD5 hash:	63210f8f1dde6c40a7f3643ccf0ff313
humanhash:	nuts-virginia-harry-emma
File name:	Endermanch@NoMoreRansom.exe
Download:	download sample
Signature	Troldesh Create hunting rule
File size:	1'427'968 bytes
First seen:	2024-02-03 13:31:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f4aae2cc8a2971ab9714645e85b7edb6 (3 x Troldesh)
ssdeep	12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK
Threatray	61 similar samples on MalwareBazaar
TLSH	T10B65E05473F49606E1B7AA399A7689B8083EBC01FD70D96F31C0FD0F7831BA1986535A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	31e8f0d8d4e87800 (3 x Troldesh)
Reporter	Anonymous
Tags:	exe Troldesh

Intelligence

File Origin

# of uploads :

# of downloads :

403

Origin country :

Vendor Threat Intelligence

Malware family:

troldesh

ID:

File name:

NoMoreRansom.exe

Verdict:

Suspicious activity

Analysis date:

2020-11-11 01:49:18 UTC

Tags:

ransomware troldesh shade

Link:

https://app.any.run/tasks/ebc21d55-7b61-4b45-8bee-01e1986cadfe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/474362/

Detection(s):

Win.Ransomware.Troldesh-9881927-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

apt cerber crypto fingerprint hook keylogger lolbin packed ransomware shade shell32 troldesh

Link:

https://www.filescan.io/uploads/65be40531a072d565264af18/reports/91c130e4-3307-41ff-af8f-b7d68e88dd67/overview

Verdict:

Malicious

Labled as:

Ransom.Shade.Generic

Link:

https://www.hybrid-analysis.com/sample/2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Shade

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4fc77dc0-04ee-45be-8fe1-799d442f11fa

Result

Threat name:

Troldesh / Shade, CryptOne

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1386086

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Contains functionalty to change the wallpaper

Deletes shadow drive data (may be related to ransomware)

Detected Troldesh / Shade Ransomware

Drops PE files with benign system names

Found Tor onion address

Machine Learning detection for dropped file

Machine Learning detection for sample

May disable shadow drive data (uses vssadmin)

May use the Tor software to hide its network traffic

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Stores a public key to the registry (likely related to ransomware)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Yara detected CryptOne packer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Detection:

troldesh

Link:

https://mwdb.cert.pl/sample/2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f/

Threat name:

Win32.Ransomware.Troldesh

Status:

Malicious

First seen:

2017-05-27 00:50:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

36 of 38 (94.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fkvrhve3maab3y5ki75y64srvfz7vj7tyu5dqqgn6x6qwjxjucpq._file

Verdict:

malicious

Result

Malware family:

troldesh

Score:

10/10

Tags:

family:troldesh persistence ransomware trojan upx

Link:

https://tria.ge/reports/240203-qsyctscghj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Enumerates physical storage devices

Adds Run key to start application

UPX packed file

Troldesh, Shade, Encoder.858

Unpacked files

SH256 hash:

73c38bdd7a586248bd8d9712d30c16f995f8a171de4694fdc9f7f4790fced708

MD5 hash:

622d17261bbdf542506ceee39bbe0e80

SHA1 hash:

d0114ecc0f2add429a1fc5a5fa0db7a8a04310be

Detections:

win_troldesh_auto

Link:

https://www.unpac.me/results/dab6b651-57f1-43cb-a19f-045edb247192/

Parent samples :

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
1f0399899fa16b89773167d87b10d2add2364e2ad9a1e32da537220ad0253c50
06b48b839fd1bb191a782960a68fd36e15aa7e77ecbc525d279bfeee81870bdd

SH256 hash:

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

MD5 hash:

63210f8f1dde6c40a7f3643ccf0ff313

SHA1 hash:

57edd72391d710d71bead504d44389d0462ccec9

Link:

https://www.unpac.me/results/dab6b651-57f1-43cb-a19f-045edb247192/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2aab13d49b60/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	APT_DustSquad_PE_Nov19_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_troldesh_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/474362/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample