MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55
SHA3-384 hash: 1294a022f08c866ceb0908729b9092274b1c0dd238ab12683bbe7cbbb8758bc1606246bc82898779605dfd6c5d31414c
SHA1 hash: fd1a1709b4346a4ca307d01cb85b5d6beb633733
MD5 hash: 5a4135a79283d211cf21820a67e01a4f
humanhash: bacon-spaghetti-uranus-potato
File name:1.exe
Download: download sample
Signature Expiro
Create hunting rule
File size:2'863'616 bytes
First seen:2020-06-06 14:35:43 UTC
Last seen:2020-06-06 15:56:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0070935b15a909b9dc00be7997e6112 (5 x Glupteba, 5 x GravityRAT, 1 x Expiro)
ssdeep 24576:4Wrd9DgUhnyLCydJNj/uD2johpZYy13ZFb2v9xuxSJdqXy8YzK9tlQQ:4Wrd9DLyLvdJTohpth2v9x/dMqzKNQQ
Threatray 81 similar samples on MalwareBazaar
TLSH ACD55C03F8E619FACAFDE13185729721B671706903323B971F94467A192BBE4AF2D314
Reporter vm001cn
Tags:Expiro golang Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.Ransom.REntS.Gen.1.9822.3559.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win64.Ransomware.Sorena
Create hunting rule
Status:
Malicious
First seen:
2020-06-05 18:49:54 UTC
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=formecucn5i625j7j5g5paiy23zxdix5lnfqul7wideparwu7nkq._file
Verdict:
unknown
Similar samples:
1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593
Expiro
2339489be44f93b61688ee3b65d0bd2fede5f6dd494588a6268602d2f006bd16
Expiro
40a2ace8bb6e3d7d50bb346344789c2fafd25490fdaa982134aaacce6f971995
Expiro
602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9
Expiro
6845211002813319a52b6d80f970da3a1f21d1035fdd6fe6f05dd067a131253e
Expiro
690be9e806f882774ab1347302bd92236a16499f160f37e59992c220466493c0
Expiro
8a99a4c58ef5e27d112f0efb4719abe01bcddb5e516114711ee4991f7922ab5f
Expiro
d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6
Expiro
e50d52fbac295a37f0ed0b724d4ddafca8c86bcd2391b4c481d51d5e279afd20
Expiro
fefb3c7053a1332b03a4c0523862e8e387a5065b263cf10cb0d7f33f02afc646
Expiro
+ 71 additional samples on MalwareBazaar
Result
Malware family:
vashsorena
Create hunting rule
Score:
  10/10
Tags:
family:vashsorena ransomware spyware
Link:
https://tria.ge/reports/201109-6xljjz9eyj/
Behaviour
Enumerates system info in registry
Modifies Control Panel
Modifies registry class
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Kills process with taskkill
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
JavaScript code in executable
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
QVM360 commented on 2020-06-06 14:42:50 UTC

hunt: Jirehlov