MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6
SHA3-384 hash: b3fa2f6277528840701e6fdb6a9921bfed0a7b5dd88b0d76c30a433a869c36bfc422fc54e4e06ac941311b03726ea95a
SHA1 hash: 8a5b126a8d49865551a993166c070aed739bcddb
MD5 hash: 631101614bb5dac04fed6a14470b045e
humanhash: potato-bacon-uniform-wyoming
File name:63110161_by_Libranalysis
Download: download sample
File size:2'861'568 bytes
First seen:2021-05-16 04:03:57 UTC
Last seen:2021-05-16 04:36:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c2a6fbef41572f4c9ce8acb5a63cde7 (2 x Expiro, 1 x Nefilim, 1 x StealthWorker)
ssdeep 49152:RaSvIdg68DIJ3GHFB4Wg9xfaw/18wosV+rXCqP+EO:RaPdfqFB4Vt/18vHTp
Threatray 3 similar samples on MalwareBazaar
TLSH 5BD56C12FCE625EACAFDE23085729731B671706543323B835F95457A2926BE4AF2E310
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8070.exe
Verdict:
No threats detected
Analysis date:
2021-05-13 17:06:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81d3feb7-f470-400d-81b3-296ee20c97fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
QnapCrypt
Create hunting rule
Link:
https://www.capesandbox.com/analysis/157511/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for the window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a tool to kill processes
Launching the process to interact with network services
Downloading the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/782942
Signature
Disables security and backup related services
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: PowerShell DownloadFile
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 415338 Sample: 63110161_by_Libranalysis Startdate: 16/05/2021 Architecture: WINDOWS Score: 64 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 56 Sigma detected: PowerShell DownloadFile 2->56 8 63110161_by_Libranalysis.exe 244 2->8         started        process3 file4 44 C:\Users\user\Desktop\Decrypt_files.txt, ASCII 8->44 dropped 46 C:\Users\Public\Desktop\Decrypt_files.txt, ASCII 8->46 dropped 48 C:\Users\Default\Desktop\Decrypt_files.txt, ASCII 8->48 dropped 50 C:\Decrypt_files.txt, ASCII 8->50 dropped 58 Writes a notice file (html or txt) to demand a ransom 8->58 60 Disables security and backup related services 8->60 12 cmd.exe 1 8->12         started        14 cmd.exe 1 8->14         started        16 cmd.exe 1 8->16         started        18 14 other processes 8->18 signatures5 process6 process7 20 net.exe 1 12->20         started        22 net.exe 1 14->22         started        24 net.exe 1 16->24         started        26 net.exe 1 18->26         started        28 net.exe 1 18->28         started        30 taskkill.exe 1 18->30         started        32 5 other processes 18->32 process8 34 net1.exe 1 20->34         started        36 net1.exe 1 22->36         started        38 net1.exe 1 24->38         started        40 net1.exe 1 26->40         started        42 net1.exe 1 28->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6/
Threat name:
Win64.Ransomware.Sorena
Create hunting rule
Status:
Malicious
First seen:
2021-05-15 22:18:56 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1d6f7662f9b034063d694a32d84c538e32da8adb6a52b77eeb3aaec3871b5e47
2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55
6845211002813319a52b6d80f970da3a1f21d1035fdd6fe6f05dd067a131253e
Result
Malware family:
vashsorena
Create hunting rule
Score:
  10/10
Tags:
family:vashsorena evasion ransomware spyware stealer
Link:
https://tria.ge/reports/210516-hd7xrbzhej/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Program Files directory
Reads user/profile data of web browsers
Blocklisted process makes network request
Clears Windows event logs
Malware Config
Dropper Extraction:
https://moonlightkrippe.ch/DesktopModules/Journal/clear.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39908c43e4124d6fd3362a5cf04cfbc4ac601ee35faf84a21c7979fdf74f05a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:MALWARE_Win_QnapCrypt
Create hunting rule
Author:ditekSHen
Description:Detects QnapCrypt/Lockedv1/Cryptfile2 ransomware
Rule name:QnapCrypt
Create hunting rule
Author:Intezer Labs
Reference:https://www.intezer.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157511/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-16 05:02:52 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
2) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0026.001] Data Micro-objective::Base64::Encode Data
6) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash