MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b
SHA3-384 hash: 94bbf316bdd36602d07dcfb0172eaadd4b0bd392b753096afce5a9eec0f3ca08f73b6f16b4ec3a23f94428c4527d086d
SHA1 hash: 2d92a9ec1091cb801ff86403374594c74210cd44
MD5 hash: 8b6c413e2539823ef8f8b85900d19724
humanhash: indigo-vermont-sixteen-mars
File name:SysvolYSysZLogonQ.exe
Download: download sample
File size:186'440 bytes
First seen:2020-11-23 19:22:37 UTC
Last seen:2020-11-24 12:47:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 11b8c4a854376767c722b8bf2f381c91
ssdeep 3072:ylLyEzE1d3j5Vj9UbB6QJK9D7AKf3+VyJz+HfsP88JJ/GjZ7GYu:ylLyEQ1dtVCboUK1AJVAzoEnejZQ
Threatray 2 similar samples on MalwareBazaar
TLSH 4A04AE38BBD1E1B7C4E71474AC54A53C2BBA862347661A11C8940DEE6D73FED472CA32
Reporter Jagdtiger88mm
Tags:Clop Ransomware S.korea

Code Signing Certificate

Organisation:Insta Software Solution Inc.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Aug 5 00:00:00 2020 GMT
Valid to:Aug 5 23:59:59 2021 GMT
Serial number: 1E74CFE7DE8C5F57840A61034414CA9F
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 2DFA711A12AED0ACE72E538C57136FA021412F95951C319DCB331A3E529CF86E
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'911
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/545466
Signature
Contains functionality to clear event logs
Detected unpacking (changes PE section rights)
Found Tor onion address
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321826 Sample: SysvolYSysZLogonQ.exe Startdate: 23/11/2020 Architecture: WINDOWS Score: 68 39 Multi AV Scanner detection for submitted file 2->39 41 Machine Learning detection for sample 2->41 43 Found Tor onion address 2->43 8 SysvolYSysZLogonQ.exe 42 2->8         started        11 cmd.exe 2 2->11         started        13 cmd.exe 2 2->13         started        15 svchost.exe 2->15         started        process3 signatures4 45 Detected unpacking (changes PE section rights) 8->45 47 Contains functionality to clear event logs 8->47 17 cmd.exe 8->17         started        19 SysvolYSysZLogonQ.exe 8->19         started        21 conhost.exe 11->21         started        23 sc.exe 1 11->23         started        25 conhost.exe 13->25         started        27 sc.exe 1 13->27         started        process5 process6 29 cmd.exe 17->29         started        31 conhost.exe 17->31         started        33 wevtutil.exe 17->33         started        35 25 other processes 17->35 process7 37 wevtutil.exe 29->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b/
Threat name:
Win32.Ransomware.HydraCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 02:06:19 UTC
File Type:
PE (Exe)
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
58fb11e7f6601b43803edff4369c27d9e26323f913ab76889df528c34f2dc525
b33b3beb75ffe4fda66b9b38e3121f1abb4b7896f99ba4f35b511c7ed63c305c
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201123-zy8v8yn2w2/
Unpacked files
SH256 hash:
db6fe27c9c193d210e9f4bac7a838ff5e34f2e233e64883ce363da9712c10f8e
MD5 hash:
00065341dda2a3a26df64aa870b4ff98
SHA1 hash:
3cb422d8f2b8d2ae5cd6a009865309ed8f1bb0a8
Link:
https://www.unpac.me/results/a9920b2a-4dce-40c3-ab97-04417319549c/
SH256 hash:
3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b
MD5 hash:
8b6c413e2539823ef8f8b85900d19724
SHA1 hash:
2d92a9ec1091cb801ff86403374594c74210cd44
Link:
https://www.unpac.me/results/a9920b2a-4dce-40c3-ab97-04417319549c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Weelsof
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments