MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bae281a122628561deb145beffcb3b2c1b8ab51e0c96818ef7a1203738af5d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bae281a122628561deb145beffcb3b2c1b8ab51e0c96818ef7a1203738af5d4
SHA3-384 hash: ee2e122b17481e011a3126b8316922c8347f85931ca6fdcf2f5d990744e31bfbaee5472713850b533794eb5dad4fed7c
SHA1 hash: 242f3cce8400a77ed62c99fe6f56e1d8b7cfa5b4
MD5 hash: c76aecc1eb0b47fc261a80b9fc06fb75
humanhash: victor-papa-ten-helium
File name:WsIR1.1(1).exe
Download: download sample
Signature Blackmoon
Create hunting rule
File size:864'256 bytes
First seen:2022-05-23 13:18:51 UTC
Last seen:2022-05-23 13:58:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ffd26d581651ee9980129d50bc32409 (1 x Blackmoon)
ssdeep 12288:RJ7VkgeC9saHPV0rVQLL1vVM8UyztaIJbuFmOOSKaBsX5:RJ7VVeC9DHdiaLJvRkmfSKaBsJ
Threatray 167 similar samples on MalwareBazaar
TLSH T105059F12B58280F7D615153005F66736EB3BFA460B24EBC39768DE695D331C1AA332DB
TrID 31.5% (.EXE) InstallShield setup (43053/19/16)
22.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
12.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.5% (.SCR) Windows screen saver (13101/52/3)
7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon a261bae8d2a896ca (39 x Blackmoon, 9 x Gh0stRAT, 3 x CobaltStrike)
Reporter obfusor
Tags:Blackmoon exe Ransom Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
415
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WsIR1.1(1).exe
Verdict:
Malicious activity
Analysis date:
2022-05-22 07:21:15 UTC
Tags:
installer
Link:
https://app.any.run/tasks/02b1d3dc-e3fa-43e3-9739-616df6b03017

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273694/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Changing a file
Reading critical registry keys
Modifying an executable file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Stealing user critical data
Encrypting user's files
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19684/overview
Behaviour
MalwareBazaar
CursorPosition
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll greyware keylogger rat shell32.dll
Link:
https://www.filescan.io/uploads/628b8a07054dcf0ecae32f77/reports/c28c0b43-114b-415e-ad0d-67d4231e1e6d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fd0912d-7366-47dd-b536-6c1beb51be6f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1000047
Signature
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3bae281a122628561deb145beffcb3b2c1b8ab51e0c96818ef7a1203738af5d4/
Threat name:
Win32.Ransomware.Encoder
Create hunting rule
Status:
Malicious
First seen:
2022-05-21 19:49:51 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
10835966177c277d70fae42109ddacccea06ab0c576709e9a68ec768840882ae
Blackmoon
15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0
Blackmoon
1948cbc56b010af69cab63977edb0dfb76de1520291fd9eac8777a887f006adc
Blackmoon
5430394ea19a7c57dea6d2d07c389bb5fd12bb4e3e64f98911148ae0f870dfdf
Blackmoon
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
Blackmoon
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
Blackmoon
799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325
Blackmoon
d003e8350d5dc3823f7c415c4b901a24c5731307bb3d0f464b3630bb1e0cb2ba
Blackmoon
d408f5343ed5b5f9fe728f6fb44f6b3255e7ef5e97408ede945a1255c18090d3
Blackmoon
e6902e5efb53a1de2af93809a5103603aa8115e0f80fa95ade2461947bff4c7e
Blackmoon
+ 157 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/220523-qkg1wadeh7/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Drops desktop.ini file(s)
Unpacked files
SH256 hash:
3bae281a122628561deb145beffcb3b2c1b8ab51e0c96818ef7a1203738af5d4
MD5 hash:
c76aecc1eb0b47fc261a80b9fc06fb75
SHA1 hash:
242f3cce8400a77ed62c99fe6f56e1d8b7cfa5b4
Link:
https://www.unpac.me/results/3ccd9e9e-05be-48b3-a270-7425a0ce2f44/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3bae281a1226/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3bae281a122628561deb145beffcb3b2c1b8ab51e0c96818ef7a1203738af5d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273694/

Comments