MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Troldesh


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash: 32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc
SHA3-384 hash: 96dec41fae3a0d94fae3d4ce799054f265365e42404c237bd6bb7c29f5bac8a0ccbe5ca487c42109f2ea58a23e920f7e
SHA1 hash: 3ad007c50fb13801f252233862dc6d8e1ecfcc5c
MD5 hash: 168557f53a1ffa882cabb043578b2216
humanhash: high-king-quebec-golf
File name:32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc
Download: download sample
Signature Troldesh
File size:1'186'061 bytes
First seen:2021-09-28 09:25:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa2d21c960425e9ec6378d6769bb3c1a (4 x Troldesh)
ssdeep 24576:0HtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY03+8:0HtV7GwBSTc8An/4YJ8
Threatray 52 similar samples on MalwareBazaar
TLSH T12C45334A3D27A21FF49BCC70D653A92BDBF1BE22972829183DC0FB59C5637C08855497
File icon (PE):PE icon
dhash icon f8fcee8e8e88d0e0 (4 x Troldesh, 3 x LummaStealer, 1 x Rhadamanthys)
Reporter JAMESWT_WT
Tags:exe Troldesh

Intelligence


File Origin
# of uploads :
1
# of downloads :
818
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc
Verdict:
Malicious activity
Analysis date:
2021-09-28 10:17:37 UTC
Tags:
ransomware troldesh shade

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Connection attempt
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Deleting a recently created file
Sending a custom TCP request
Delayed writing of the file
Replacing files
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Changing a file
Moving a file to the %AppData% subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Creating a file in the mass storage device
Encrypting user's files
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
CryptOne
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionalty to change the wallpaper
Deletes shadow drive data (may be related to ransomware)
Detected CryptOne packer
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name:
Win32.Ransomware.AvaddonCrypt
Status:
Malicious
First seen:
2021-09-18 23:56:06 UTC
AV detection:
43 of 45 (95.56%)
Threat level:
  5/5
Result
Malware family:
troldesh
Score:
  10/10
Tags:
family:troldesh discovery persistence ransomware spyware stealer trojan upx
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Reads user/profile data of web browsers
UPX packed file
Deletes shadow copies
Troldesh, Shade, Encoder.858
Unpacked files
SH256 hash:
a783833aaf77b85746d0520632a71482be1757dfdcc0a82c1102e7df70199018
MD5 hash:
a3075c07faef09600e3fd923838efc65
SHA1 hash:
894a0bdb301d2eb5751da8d1baf505282cc4a38c
Detections:
win_troldesh_auto
SH256 hash:
32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc
MD5 hash:
168557f53a1ffa882cabb043578b2216
SHA1 hash:
3ad007c50fb13801f252233862dc6d8e1ecfcc5c
Malware family:
CryptOne
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_troldesh_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.troldesh.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments