MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Conti
Vendor detections: 16

SHA256 hash: 2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e
SHA3-384 hash: df9281abdcd75f11fd86040040b413b565cf9c58f4756a2c798e249a107684e7b75841dccc5262c5c1338639785084d3
SHA1 hash: 68f1e3ce4782a242cfcc4fee968b150a3f208bf7
MD5 hash: b2306ae0dcd36a0d84f954825178d594
humanhash: chicken-carpet-maryland-network
File name: 2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e
Signature: Conti
File size: 5'126'144 bytes
First seen: 2023-02-03 15:45:44 UTC
Last seen: 2023-03-10 04:42:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 98304:w3StAYjEtOdVEfrmNNTC2zM9yklTIh5DBWM2UPXY+3C:w3St3dRNUj9rlgeMK
Threatray: 23 similar samples on MalwareBazaar
TLSH: T10F360112BAC2C0BDE052D0F48B6A6B3F9638BD26472165CBE3C05E2D1D31AD29B35757
TrID: 51.9% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      19.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      8.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      7.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      7.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
Reporter: petikvx
Tags: conti

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 216
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2ee6dfbfb2afd7442c9f2212eb142876698851c3ffb552ee420c0281e35a836e
Verdict: Malicious activity
Analysis date: 2023-02-03 15:48:54 UTC
Tags: ransomware

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a file
Changing a file
Searching for synchronization primitives
Moving a recently created file
Reading critical registry keys
Sending a custom TCP request
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Malware family: n/a
Score: 5/10
Tags: n/a
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: confuserex conti filecoder fingerprint overlay packed qadars ransomware stealer vipasana windows
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: LockBit Ransomware
Verdict: Malicious
Result
Threat name: BlueSky, Chaos, Conti
Detection: malicious
Classification: rans.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to hide a thread from the debugger
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes a notice file (html or txt) to demand a ransom
Yara detected BlueSky Ransomware
Yara detected Chaos Ransomware
Yara detected Conti ransomware
Threat name: Win32.Ransomware.BlueSky
Status: Malicious
First seen: 2023-02-01 16:52:05 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 23 of 25 (92.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:chaos ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies extensions of user files
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: bitrat_unpacked
Author: jeFF0Falltrades
Description: Experimental rule to detect unpacked BitRat payloads on disk or in memory, looking for a combination of strings and decryption/decoding patterns
Reference: https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/

Rule name: Conti
Author: kevoreilly
Description: Conti Ransomware

Rule name: CRIME_WIN32_RANSOM_BLACKMATTER
Author: Rony (@r0ny_123)
Description: Detects Blackmatter ransomware

Rule name: Darkside
Author: @bartblaze
Description: Identifies Darkside ransomware.

Rule name: INDICATOR_EXE_Packed_ConfuserEx
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod

Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: detects command variations typically used by ransomware

Rule name: MALWARE_Win_Chaos
Author: ditekSHen
Description: Detects Chaos ransomware

Rule name: MALWARE_Win_Spyro
Author: ditekSHen
Description: Detects Spyro / VoidCrypt / Limbozar ransomware

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RAN_BlueSky_Aug_2022_1
Author: Arkbird_SOLG
Description: Detect the BlueSky ransomware
Reference: https://unit42.paloaltonetworks.com/bluesky-ransomware/

Rule name: Windows_Ransomware_Conti_89f3f6fa
Author: Elastic Security

Rule name: Windows_Ransomware_Lockbit_369e1e94
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.