MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Makop


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
SHA3-384 hash: 79d789ce6055c2f7af4aaa9b63fe91622b8b0ca0e50ec0d5f3de057a18338e466c9defdfca2596fbb3d98d47707552f7
SHA1 hash: 783d08fe374f287a4e0412ed8b7f5446c6e65687
MD5 hash: b33e8ce6a7035bee5c5472d5b870b68a
humanhash: queen-nine-oklahoma-magnesium
File name:b33e8ce6a7035bee5c5472d5b870b68a.vir
Download: download sample
Signature Makop
Create hunting rule
File size:117'649 bytes
First seen:2020-10-27 03:58:11 UTC
Last seen:2020-10-27 05:32:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb
Threatray 16 similar samples on MalwareBazaar
TLSH 40B3D00322D0D8E3C6960B700D77FB2A9B7E9611234A8F0B6F545E5E3E125835A3F65E
Reporter Anonymous
Tags:makop Makop Ransom

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79619/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Launching a service
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Creating a window
Changing a file
Behavior that indicates a threat
Creating a file
Modifying an executable file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Creating a file in the mass storage device
Encrypting user's files
Result
Threat name:
Makop
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512900
Signature
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Maps a DLL or memory area into another process
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Delete shadow copy via WMIC
Sigma detected: WannaCry Ransomware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Yara detected Makop ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305566 Sample: 8iXMaDlgKZ.vir Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 56 clientconfig.passport.net 2->56 62 Sigma detected: WannaCry Ransomware 2->62 64 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 6 other signatures 2->68 9 8iXMaDlgKZ.exe 17 2->9         started        13 8iXMaDlgKZ.exe 16 2->13         started        15 wbengine.exe 3 2->15         started        17 6 other processes 2->17 signatures3 process4 file5 52 C:\Users\user\AppData\Local\...\System.dll, PE32 9->52 dropped 74 Detected unpacking (overwrites its own PE header) 9->74 76 Maps a DLL or memory area into another process 9->76 78 Writes many files with high entropy 9->78 19 8iXMaDlgKZ.exe 11 9->19         started        54 C:\Users\user\AppData\Local\...\System.dll, PE32 13->54 dropped 24 8iXMaDlgKZ.exe 13->24         started        80 Creates files inside the volume driver (system volume information) 15->80 26 explorer.exe 17->26 injected 28 SearchUI.exe 17->28 injected signatures6 process7 dnsIp8 58 192.168.2.1 unknown unknown 19->58 50 C:\ProgramData\Microsoft\...\edbres00001.jrs, DOS 19->50 dropped 70 Creates files in the recycle bin to hide itself 19->70 72 Opens the same file many times (likely Sandbox evasion) 19->72 30 cmd.exe 1 19->30         started        33 8iXMaDlgKZ.exe 16 19->33         started        36 WerFault.exe 26->36         started        60 93.184.220.29, 49687, 49689, 80 EDGECASTUS European Union 28->60 file9 signatures10 process11 file12 82 May disable shadow drive data (uses vssadmin) 30->82 84 Deletes shadow drive data (may be related to ransomware) 30->84 86 Deletes the backup plan of Windows 30->86 38 WMIC.exe 1 30->38         started        40 conhost.exe 30->40         started        42 wbadmin.exe 3 30->42         started        44 vssadmin.exe 1 30->44         started        48 C:\Users\user\AppData\Local\...\System.dll, PE32 33->48 dropped 88 Maps a DLL or memory area into another process 33->88 46 8iXMaDlgKZ.exe 33->46         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 22:32:25 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnndsngt5ap64rsuxmnhfcgidlyvrjwurjtgz6hdpgyesjkrdchq._file
Verdict:
malicious
Similar samples:
129b18021507b44508f64ed547562936ffd6bb54bf984902d4df9d9532f1e2b1
Makop
14c63d1c8979ac3e55720fbfedd7f1f7fb68bbf16a2ca2882284817cf01ccd8f
Makop
3712c1a9e9ab864ee28897d0802179db4a2f664f61629f1154437640be377530
Makop
6785ac0d25c3b5a7fa54aa4df7d2a00611305c06b51f1d5d4fb27d1ff2ccdba9
Makop
7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464
Makop
9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9
Makop
9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
Makop
a456769302254d2e6609a7832d93937572b7b73cca217873d7f60678414645e0
Makop
a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78
Makop
e1612e3d774b3ebd2559eb3ec8b59890d64712386563bee84da82e7b7dfbebe7
Makop
+ 6 additional samples on MalwareBazaar
Result
Malware family:
makop
Create hunting rule
Score:
  10/10
Tags:
ransomware persistence family:makop spyware
Link:
https://tria.ge/reports/201027-r3l9vpcwl2/
Behaviour
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Drops file in Program Files directory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Modifies extensions of user files
Deletes shadow copies
Deletes system backup catalog
Makop
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2b5a3934d3e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RANSOM_makop
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect the unpacked Makop ransomware samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/79619/

Comments