MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0
SHA3-384 hash: 1bd18bb99af1c0b7ad90c6c5e50e579072f3ad5f47710f075172c6afa9ac328e9d20e2e7c563df08ad8be26207b820cc
SHA1 hash: 749b5283028a6f2c9df529eb14e051a5bf620f25
MD5 hash: 14e610e2acb5f15e72f528b385f3e20f
humanhash: summer-wyoming-cardinal-fillet
File name: 30af561ec0b6d4a37654f9838750abde60d0d38e2370bb250007eb946425add0
File size: 1'210'768 bytes
First seen: 2020-07-29 07:12:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e5ac8ab7be27ac2d1c548e5589378b6 (11 x GuLoader, 6 x Stealc, 5 x RedLineStealer)
ssdeep: 24576:zdl2DdwGi0f101VQSv+K7X8eH6rkCd9k6uCimPmgsolRLUT9:z32xc0f1DSWa86PCiNgrRLUx
TLSH: D74533BFB2112115D9FD8ABAEEC8512CFC3A431E00A5B74A616236D15B060CC9DDBDDB
Reporter: JAMESWT_WT

Intelligence


File Origin
# of uploads: 1
# of downloads: 65
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a process
Creating a service
Launching a service
Changing a file
Creating a file
Deleting a recently created file
Running batch commands
Deleting volume shadow copies
Enabling autorun for a service
Creating a file in the mass storage device
Encrypting user's files
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in alternative data streams (ADS)
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
PE file has nameless sections
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
[Behavior graph not reproduced: Behavior Graph ID 252968, sample R9FReTMI4g, start date 29/07/2020, architecture WINDOWS, score 100. The graph traces the sample (R9FReTMI4g.exe) dropping Mui and the alternate data stream Mui:bin under %AppData%\Roaming, copying Mui.exe to C:\Windows\SysWOW64, and launching cmd.exe, vssadmin.exe, takeown.exe, icacls.exe, choice.exe and attrib.exe, with Proof.xml.garminwasted_info dropped under C:\MSOCache.]
Threat name: Win32.Ransomware.WastedLocker
Status: Malicious
First seen: 2020-07-29 01:32:45 UTC
File Type: PE (Exe)
AV detection: 43 of 48 (89.58%)
Threat level: 5/5
Verdict: suspicious
Result
Malware family: wastedlocker
Score: 10/10
Tags: ransomware discovery exploit family:wastedlocker persistence
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NTFS ADS
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Loads dropped DLL
Modifies file permissions
Deletes itself
Executes dropped EXE
Modifies extensions of user files
Possible privilege escalation attempt
Deletes shadow copies
WastedLocker
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments