MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30a028001a68cdf37581ab6f3ce9a246ace357589a0f01105f432c09746e317d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30a028001a68cdf37581ab6f3ce9a246ace357589a0f01105f432c09746e317d
SHA3-384 hash: ad03da4eb7fdebfca20b1c1604862bff947cc8b18d9496e7a4909a0758a72d3f398d933a9b100b2e4db9a130ac0343c1
SHA1 hash: 5d350944358d02ae36c40fd539e944b7aac901c8
MD5 hash: 639a06151b0ae8984026cf1c44860587
humanhash: white-alabama-shade-kansas
File name:639a0615_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:672'768 bytes
First seen:2021-05-05 08:07:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1dfdfc74a9b7676c1576b0d959d36f3e (1 x VirLock)
ssdeep 12288:KIYm74HHRmpTDZRrl9uLoVaHorG2iyg5u+eCWGuq0LKHoPc5ahlhYlsF:Ktm74nkBDj6eakniyZ5CWGR0uH4ly6F
Threatray 54 similar samples on MalwareBazaar
TLSH 1DE4E1CBBBB5568CCCBD4AF6DA0A92A4F9CA8641CE81409DC739FEDA9704591CC543CC
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150057/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6804475-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a service
Launching a service
Creating a file in the Windows subdirectories
DNS request
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Searching for the window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Blocking the User Account Control
Changing the Windows explorer settings to hide files extension
Enabling autorun
Enabling a "Do not show hidden files" option
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711696
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Command shell drops VBS files
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to check if Internet connection is working
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates an undocumented autostart registry key
Delayed program exit found
Drops batch files with force delete cmd (self deletion)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404776 Sample: 639a0615_by_Libranalysis Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 98 Antivirus / Scanner detection for submitted sample 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 Machine Learning detection for sample 2->102 104 Sigma detected: WScript or CScript Dropper 2->104 11 639a0615_by_Libranalysis.exe 3 16 2->11         started        15 IyQAMkkE.exe 4 2->15         started        17 svchost.exe 2->17         started        20 5 other processes 2->20 process3 dnsIp4 82 C:\Users\user\RiEwQcUg\jyccIYIc.exe, PE32 11->82 dropped 84 C:\ProgramData\pwwgoAcM\IyQAMkkE.exe, PE32 11->84 dropped 86 C:\ProgramData\BcYMsoUU\ZEskcEoU.exe, PE32 11->86 dropped 88 C:\Users\user\AppData\Local\...\tMkkQoQQ.bat, ASCII 11->88 dropped 122 Creates an undocumented autostart registry key 11->122 124 Uses cmd line tools excessively to alter registry or file data 11->124 126 Drops batch files with force delete cmd (self deletion) 11->126 128 Delayed program exit found 11->128 22 ZEskcEoU.exe 11 11->22         started        25 cmd.exe 1 11->25         started        27 jyccIYIc.exe 6 11->27         started        29 4 other processes 11->29 130 Antivirus detection for dropped file 15->130 132 Machine Learning detection for dropped file 15->132 134 Tries to detect virtualization through RDTSC time measurements 15->134 94 127.0.0.1 unknown unknown 17->94 file5 signatures6 process7 signatures8 106 Antivirus detection for dropped file 22->106 108 Contains functionality to check if Internet connection is working 22->108 110 Machine Learning detection for dropped file 22->110 118 2 other signatures 22->118 31 639a0615_by_Libranalysis.exe 4 25->31         started        35 conhost.exe 25->35         started        112 Tries to detect virtualization through RDTSC time measurements 27->112 114 Delayed program exit found 27->114 116 Changes the view of files in windows explorer (hidden files and folders) 29->116 37 conhost.exe 29->37         started        39 conhost.exe 29->39         started        41 conhost.exe 29->41         started        43 conhost.exe 29->43         started        process9 file10 92 C:\Users\user\AppData\Local\...\IOYwYckU.bat, ASCII 31->92 dropped 96 Uses cmd line tools excessively to alter registry or file data 31->96 45 cmd.exe 2 31->45         started        49 cmd.exe 1 31->49         started        51 reg.exe 1 31->51         started        53 2 other processes 31->53 signatures11 process12 file13 90 C:\Users\user\AppData\Local\Temp\file.vbs, ASCII 45->90 dropped 136 Command shell drops VBS files 45->136 55 conhost.exe 45->55         started        57 cscript.exe 45->57         started        59 639a0615_by_Libranalysis.exe 2 49->59         started        62 conhost.exe 49->62         started        64 conhost.exe 51->64         started        66 conhost.exe 53->66         started        68 conhost.exe 53->68         started        signatures14 process15 signatures16 120 Uses cmd line tools excessively to alter registry or file data 59->120 70 reg.exe 59->70         started        72 reg.exe 59->72         started        74 reg.exe 59->74         started        process17 process18 76 conhost.exe 70->76         started        78 conhost.exe 72->78         started        80 conhost.exe 74->80         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30a028001a68cdf37581ab6f3ce9a246ace357589a0f01105f432c09746e317d/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 01:14:47 UTC
AV detection:
46 of 48 (95.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a9e2160871be8409cb531b94c71e5411d8f5dcfcfc40c37b65a56923ec71daf
VirLock
3bd7dcf904cb67945b0393b17213877bcec87f8a0ddf2000033ad32a6ac06f8a
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
89164a030c95d2445557ae7a793a7ab7d849b628fbafb0f483100c580a043a93
VirLock
8926a917f30b552fa4aa51861c526754c8033c286526a2fb95ed7663fbd690ab
VirLock
aa3f8ef2a80b074eabd6b3947b9b61612775890c1963c7d0cc01a60053971a24
VirLock
c3cab87bb11691778b8aa91cd39945710eeb947e34ed4b980f0df655ed557b32
VirLock
d662eebe16b90f597adeb4a215b05fc65db54078ad55e1d2bd013fda84a64b96
VirLock
e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
VirLock
e7f4ee5fe23b5c2d98044b31c5e858b451ef78539c708f1cf14dbfc152617817
VirLock
+ 44 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210505-85eeyt2lf2/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
d47f8acf0c151d90eb513de99ac1d861896067722e793d99d4c2d37119d7d3fc
MD5 hash:
5dc31cff29c8c7587b7b707c930e359d
SHA1 hash:
061a145300935b24c162bfa372d6bf803f01dc41
Link:
https://www.unpac.me/results/c4a2ba73-879f-4c77-ac03-1f4d4007f20d/
SH256 hash:
30a028001a68cdf37581ab6f3ce9a246ace357589a0f01105f432c09746e317d
MD5 hash:
639a06151b0ae8984026cf1c44860587
SHA1 hash:
5d350944358d02ae36c40fd539e944b7aac901c8
Link:
https://www.unpac.me/results/c4a2ba73-879f-4c77-ac03-1f4d4007f20d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150057/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 09:08:40 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication