MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67
SHA3-384 hash: 9bdb75e875749404c9ab3565dbeb690c0490a9bde348f1a38c81ec9827fb1a82d5b8ed691b41c27b35b5607faafd2129
SHA1 hash: 15bb3203c9553009e0514626f5ad129a13a557fb
MD5 hash: f062697cd7a2257c290f6c3f19dd845d
humanhash: failed-two-kentucky-friend
File name: 32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67.exe
File size: 1'287'168 bytes
First seen: 2021-04-08 16:07:41 UTC
Last seen: 2021-04-08 17:23:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 365b1d12b684a96b167a74679ec9e4e3
ssdeep: 24576:/88lWqXTOlAiZLkk7g9WWYNranPdeDk7bE0KdYqTAY:/Tl3XTOl6ag90cPdX/Ad9TA
Threatray: 1 similar samples on MalwareBazaar
TLSH: 2455332AD702E4A6F38B847D747C9FA90825B4F8C4AD7653473F4D2275725E2A0CC9E2
Reporter: Finch39487976
Tags: Ransomware, Waiting

Intelligence


File Origin
# of uploads: 2
# of downloads: 302
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67
Verdict: No threats detected
Analysis date: 2021-04-08 15:52:10 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows directory
DNS request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Replacing files
Creating a file
Changing a file
Moving a file to the Program Files directory
Creating a file in the Program Files directory
Moving a file to the Program Files subdirectory
Modifying an executable file
Replacing executable files
Creating a file in the Program Files subdirectories
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Deleting of the original file
Infecting executable files
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Waiting
Detection: malicious
Classification: rans.spre.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes itself after installation
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Waiting ransomware
Behaviour
Behavior Graph (ID 384195; sample Bxqd24ulFS.exe; start date 08/04/2021; architecture WINDOWS; score 100), rendered as a process tree:

Sample-level signatures: Multi AV Scanner detection for submitted file; Found ransom note / readme; Yara detected Waiting ransomware; Machine Learning detection for sample

Bxqd24ulFS.exe (started)
  dropped: C:\Windows\utox.exe (PE32)
  signatures: Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  -> svchost.exe (injected)
       signatures: Deletes itself after installation; Writes to foreign memory regions; Writes many files with high entropy; Creates a thread in another existing process (thread injection)
       -> svchost.exe (injected)
            dropped: 223 other files (216 malicious)
            signatures: Creates files inside the volume driver (system volume information); Creates files in the recycle bin to hide itself; Tries to harvest and steal browser information (history, passwords, etc)
       -> svchost.exe (injected)
            dropped: C:\Program Files\...\nb.pak ZWWVNYOQ7.waiting (DOS); C:\...\AN01173_.WMF ZWWVNYOQ7.waiting (COM); 152 other files (149 malicious)
            signatures: Infects executable files (exe, dll, sys, html)
       -> svchost.exe (injected)
            dropped: C:\...\jsse.jar ZWWVNYOQ7.waiting (COM); C:\...\goopdateres_fa.dll ZWWVNYOQ7.waiting (DOS); 145 other files (131 malicious)
       -> 9 other processes
            dropped: C:\...\MANIFEST-000001 ZWWVNYOQ7.waiting (COM); 61 other files (35 malicious)
            -> cmd.exe (started)
                 -> wevtutil.exe (started)
            -> conhost.exe (started)
            -> wevtutil.exe (started)
            -> 11 other processes
mshta.exe (started)
Threat name: Win64.Ransomware.Crytox
Status: Malicious
First seen: 2021-03-23 04:29:23 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence ransomware upx
Behaviour
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Deletes itself
Loads dropped DLL
Modifies extensions of user files
Clears Windows event logs
Deletes shadow copies
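The behaviour lists from the vendor reports above (Run-key and shell\open\command autorun, a dropped executable in C:\Windows, thread injection into svchost.exe, wevtutil.exe clearing event logs, shadow-copy deletion, and user files renamed to the ".waiting" extension) are the kind of signals a detection engineer turns into host-telemetry rules. The script below is an added example, not MalwareBazaar or any vendor's code. The event schema (plain dicts with "event", "image", "cmdline", "key", "path", "target_image", "old_path", "new_path") is an assumption of this example rather than a real product format, the vssadmin/wmic command patterns are the usual shadow-copy deletion commands and not something this page shows, and SAMPLE_EVENTS is constructed to mirror the findings on this page, not recorded from the sample.

```python
"""Score host telemetry for the behaviours the sandbox reports above attribute
to this sample.  Added example: the event schema is an assumption of this
example and SAMPLE_EVENTS are constructed, not recorded from the sample."""
import re
from collections import Counter

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
# Assumption: the page only says "Deletes shadow copies"; these are the usual commands.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def _key(ev):
    return ev.get("key", "").lower()


# One predicate per behaviour; each is evaluated against every event.
RULES = {
    "run_key_persistence": lambda e: e.get("event") == "registry_set" and RUN_KEY in _key(e),
    "shell_open_command_hijack": lambda e: e.get("event") == "registry_set"
        and _key(e).endswith(r"\shell\open\command"),
    "event_log_cleared": lambda e: e.get("event") == "process_create"
        and WEVTUTIL_CLEAR.search(e.get("cmdline", "")) is not None,
    "shadow_copy_deletion": lambda e: e.get("event") == "process_create"
        and SHADOW_DELETE.search(e.get("cmdline", "")) is not None,
    "thread_injection_into_svchost": lambda e: e.get("event") == "remote_thread"
        and e.get("target_image", "").lower().endswith("svchost.exe"),
    "drop_in_windows_dir": lambda e: e.get("event") == "file_create"
        and e.get("path", "").lower().startswith("c:\\windows\\")
        and e.get("path", "").lower().endswith(".exe"),
}


def evaluate(events, rename_threshold=10):
    """Return {"verdict", "hits", "renamed"}: rule hit counts, the number of files renamed
    to .waiting, and a verdict that is malicious when several behaviours co-occur or the
    rename count crosses the mass-encryption threshold."""
    hits = Counter()
    renamed = 0
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits[name] += 1
        if ev.get("event") == "file_rename" and ev.get("new_path", "").lower().endswith(".waiting"):
            renamed += 1
    if renamed:
        hits["rename_to_waiting"] = renamed
    if renamed >= rename_threshold or len(hits) >= 3:
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": dict(hits), "renamed": renamed}


# Constructed events mirroring the page's findings (not recorded from the sample).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\victim\Bxqd24ulFS.exe", "cmdline": "Bxqd24ulFS.exe"},
    {"event": "file_create", "image": r"C:\Users\victim\Bxqd24ulFS.exe", "path": r"C:\Windows\utox.exe"},
    {"event": "remote_thread", "image": r"C:\Users\victim\Bxqd24ulFS.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"event": "registry_set", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "utox", "data": r"C:\Windows\utox.exe"},
    # Assumption: the page reports only the shell\open\command branch, not which class was hijacked.
    {"event": "registry_set", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKCR\exefile\shell\open\command", "data": r'"C:\Windows\utox.exe" "%1"'},
    {"event": "process_create", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"event": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
] + [
    {"event": "file_rename", "image": r"C:\Windows\System32\svchost.exe",
     "old_path": rf"C:\Users\victim\Documents\report{i}.docx",
     "new_path": rf"C:\Users\victim\Documents\report{i}.docx ZWWVNYOQ7.waiting"}
    for i in range(12)
]

BENIGN_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"event": "file_create", "image": r"C:\Windows\System32\notepad.exe", "path": r"C:\Users\victim\notes.txt"},
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "value": "Hidden", "data": "1"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_EVENTS), indent=2))
    print("benign:", evaluate(BENIGN_EVENTS)["verdict"])
```

The verdict deliberately needs several independent behaviours before it says "malicious": a lone Run-key write is normal installer activity, and a handful of renames is a user at work, but Run-key persistence plus svchost injection plus event-log clearing, or a burst of renames to one unfamiliar extension, is the combination the sandbox reports above describe.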
Unpacked files
SHA256 hash: 32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67
MD5 hash: f062697cd7a2257c290f6c3f19dd845d
SHA1 hash: 15bb3203c9553009e0514626f5ad129a13a557fb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps the samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
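The suspicious_packer_section rule matches on section names that packers leave in the PE header, which lines up with the "upx" tag in the vendor report above. The script below is an added example of that check, written against the PE section table with only the standard library; it is not the YARA rule itself and not MalwareBazaar code. The section-name list is a short assumed subset of well-known packer names (the rule's own list is longer), the writable+executable heuristic is a second signal this example adds, and build_min_pe fabricates a header-only image for testing, not bytes of the sample.

```python
"""Extract PE section names and flag packer-typical names and W+X sections.
Added example; PACKER_SECTION_NAMES is an assumed subset and build_min_pe
produces constructed test images, not bytes of the sample on this page."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed subset of well-known packer section names (compared case-insensitively).
PACKER_SECTION_NAMES = {
    "upx0", "upx1", "upx2",            # UPX
    ".aspack", ".adata",               # ASPack
    ".vmp0", ".vmp1", ".vmp2",         # VMProtect
    ".themida", ".petite", ".packed",  # Themida, Petite, RLPack
    ".mpress1", ".mpress2",            # MPRESS
    ".enigma1", ".enigma2",            # Enigma Protector
    ".nsp0", ".nsp1", ".nsp2",         # NsPack
}


def pe_sections(data):
    """Return [(name, characteristics)] per section header after validating MZ/PE framing."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        fields = struct.unpack_from("<8sIIIIIIHHI", data, off)
        name = fields[0].split(b"\0", 1)[0].decode("ascii", "replace")
        sections.append((name, fields[-1]))
    return sections


def packer_indicators(data):
    """Section names on the packer list, plus sections mapped both writable and executable
    (an unpacking stub has to write code that it will then run)."""
    out = {"packer_names": [], "wx_sections": []}
    for name, chars in pe_sections(data):
        if name.lower() in PACKER_SECTION_NAMES:
            out["packer_names"].append(name)
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            out["wx_sections"].append(name)
    return out


def build_min_pe(sections):
    """Constructed header-only PE32 image (no code, no imports): just enough framing for pe_sections()."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = struct.pack("<H", 0x10B) + bytes(222)  # PE32 magic, remaining 222 bytes zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed layouts: a UPX-style image and a normal compiler layout.
UPX_LIKE = [("UPX0", 0xE0000080), ("UPX1", 0xE0000040), (".rsrc", 0xC0000040)]
COMPILER_LIKE = [(".text", 0x60000020), (".rdata", 0x40000040), (".data", 0xC0000040)]

if __name__ == "__main__":
    for label, layout in (("upx-like", UPX_LIKE), ("compiler-like", COMPILER_LIKE)):
        print(label, packer_indicators(build_min_pe(layout)))
```

Section-name matching is cheap and is exactly why it is only a "suspicious" rule: packers can rename sections, and some legitimate software ships UPX-packed, so treat a hit as a reason to unpack and look further rather than as a verdict on its own.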

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments