MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f5b30256119951b473fb8afb278276aa4a246188cc49d52f13c134f3845661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36f5b30256119951b473fb8afb278276aa4a246188cc49d52f13c134f3845661
SHA3-384 hash: a2ed048831f56b45deff51f5980f79212eef86ed4dd48af401dc759a0a1d2f4b41b1a2a3df7e41b6fb015a05ea52f2ac
SHA1 hash: c3a75d18afcd5529878a87224d1490878a1fbec3
MD5 hash: 596b9d37f0c58dc7358425145feec15b
humanhash: yellow-north-louisiana-michigan
File name:596b9d37_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:1'089'024 bytes
First seen:2021-05-05 09:02:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d461b17c0213650930ae22ed89204b1 (1 x VirLock)
ssdeep 24576:6D/+gA9Dac1eJVec2GttqN6niWmfnZu7oKeIJQFXXOnBYZQBD1KP1EumjFsVucPY:u/lA99voiWmfnY7oKeIPGY
Threatray 131 similar samples on MalwareBazaar
TLSH B535BE7B957F83B0D8A4016A8C064976698AC22DF24174F83F62E754BF83113B4DEAF5
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150096/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6803820-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
DNS request
Sending an HTTP GET request
Searching for the window
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36f5b30256119951b473fb8afb278276aa4a246188cc49d52f13c134f3845661/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 00:33:19 UTC
AV detection:
46 of 48 (95.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a9e2160871be8409cb531b94c71e5411d8f5dcfcfc40c37b65a56923ec71daf
VirLock
10af65f100aa24aeb7c8de2ddd865398da6ebcde671f9d61874023bafec67280
VirLock
2109fa71b6cb894611ef5d30ce2aac8144eeeca21da28d56ddddca6d79a7561a
VirLock
219e4ba0ba1f5379b52731d88487b23ab66a091ce1542c1c5475058e7c04c0fd
VirLock
3bd7dcf904cb67945b0393b17213877bcec87f8a0ddf2000033ad32a6ac06f8a
VirLock
3fd471944c8650c8883d23f0f7bf54d8aef165b0aad140353244b2a43be760f7
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
81363899c2c1afb314220a28bc2a73e428dea6bda248e0d354c933a884aaabeb
VirLock
904c908a4fbde1b76cc9466543fa36b18fc861efaafc315a1481634feb2ccff8
VirLock
e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
VirLock
+ 121 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210505-hq4662wl4x/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
76a9c8b969715c3615f3b4ebea90e9210283f4fbf457ea28ac08a932c562c471
MD5 hash:
69fa2a8f53881c427f2dbb15e19b5ea7
SHA1 hash:
3f137fa26fc3a701ab05c733427a9ce426125b71
Link:
https://www.unpac.me/results/67ea975d-2107-4859-aa38-34f22d3f4d05/
SH256 hash:
7825394718d685aaacfa44552405933bd7cb71f9a627bc96f6c2ca3f0b115923
MD5 hash:
be79ba036501803358e3bec42b42214b
SHA1 hash:
821bd2259797e9d7a0c97f0e872b83c1369366a3
Link:
https://www.unpac.me/results/67ea975d-2107-4859-aa38-34f22d3f4d05/
SH256 hash:
1d529dda33d7ee64ecae252447dad255433eb752a26e6f9d4cfb5320a3d3d705
MD5 hash:
34707b4119b9830509c30b16e9ca8638
SHA1 hash:
bee12ba65385c595172a695e610fcd9172ab3243
Link:
https://www.unpac.me/results/67ea975d-2107-4859-aa38-34f22d3f4d05/
SH256 hash:
36f5b30256119951b473fb8afb278276aa4a246188cc49d52f13c134f3845661
MD5 hash:
596b9d37f0c58dc7358425145feec15b
SHA1 hash:
c3a75d18afcd5529878a87224d1490878a1fbec3
Link:
https://www.unpac.me/results/67ea975d-2107-4859-aa38-34f22d3f4d05/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150096/

Comments