MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Conti


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35
SHA3-384 hash: da6b7f95eb2661f87d719c059ce5ee531df3427c667e8e5b8e85530a3a9e12d2b6af5fd9b4068afb196838421a9252b8
SHA1 hash: d0fb9051f8f4a9063b9f19841182b1707527f89f
MD5 hash: 732a229132d455b98038e5a23432385d
humanhash: king-fillet-nine-floor
File name:Conti Ransomware
Download: download sample
Signature Conti
Create hunting rule
File size:196'096 bytes
First seen:2021-02-09 08:16:39 UTC
Last seen:2021-02-09 09:51:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 23f815785db238377f4513be54dba574 (3 x Conti)
ssdeep 3072:QmFTIW6NmG0jQm78u+aXJzuDyyUmaP/E61VoMU9FLBD9PKigvPXNYzA9:QoTIt0GkQ2JziBUma0oVmJDhKku
Threatray 48 similar samples on MalwareBazaar
TLSH 27145B15B24D4665F25A58B02AFC7DB358B85938336FC8F7B7C986786A21AD27030F43
Reporter JAMESWT_WT
Tags:conti Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
563
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35
Verdict:
Malicious activity
Analysis date:
2021-01-31 15:15:41 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/d3a73a8d-c72b-407c-8a48-ac9deca8e2d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Conti
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116126/
Detection(s):
SecuriteInfo.com.Variant.Razy.724663.25899.1408.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Connection attempt
Creating a file
Changing a file
Creating a file in the Program Files directory
Moving a file to the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying an executable file
Sending a UDP request
Reading critical registry keys
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Infecting executable files
Result
Threat name:
Conti
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/602654
Signature
Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Conti ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35/
Threat name:
Win32.Ransomware.Conti
Create hunting rule
Status:
Malicious
First seen:
2021-01-23 07:26:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7dnpx4skky6frhlhll5buu4dcgyovebe7cez26ebw42x2hfvi2q._file
Verdict:
unknown
Similar samples:
449668f18d2aa75cc9493090764722eb4f0843a8da1b354d4e2147c6d6393078
Conti
7571928dc6acfae171b7d4f256ddec34e1fc5cf7753f6dfc60a2a60a5d0fdb36
Conti
825e2003550d60067503c5f26a7d1520908c0149f707cb8b63869a34fdbe967b
Conti
9294a8ea74f411cd80db8d5b32d098e98baf1d035a64e85bca26508014ab3371
Conti
9afb1afff030f6cb575c9f66e9d21257e82fd4320751ea78dfe6711a2b047fa6
Conti
a8a6c630b10f07fff8350fa8590b67ee21f67051e2bc7f8586e5316b1675691d
Conti
bbdd04ae54b35949c3d72288b23667c248b2befd68a65801badaea7e08abe5bb
Conti
c50e9e99a365c6770569ca96ac2482b3bd82f946d41946e836a010ca429a7a4d
Conti
eb008ba066b894222717bc03df94f04541b98920f68c85a07277465dfd8afad5
Conti
ffb02246bf8c1bfed54c88e298c9e854d91836d992786a8fc58345b84aa45dbf
Conti
+ 38 additional samples on MalwareBazaar
Result
Malware family:
conti
Create hunting rule
Score:
  10/10
Tags:
family:conti ransomware spyware
Link:
https://tria.ge/reports/210209-geympv5jwx/
Behaviour
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Modifies extensions of user files
Conti Ransomware
Unpacked files
SH256 hash:
2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35
MD5 hash:
732a229132d455b98038e5a23432385d
SHA1 hash:
d0fb9051f8f4a9063b9f19841182b1707527f89f
Link:
https://www.unpac.me/results/6a97add0-3b12-412b-9d34-f76a73c2bace/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2fc6d7df9252/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Conti
Create hunting rule
Author:kevoreilly
Description:Conti Ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/116126/

Comments