MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Conti

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
SHA3-384 hash:	f0f9a4fd20cc3d0576ff08b7bd644ae9947526926afb3cfb8d4c09fb4e6a112d0136f3f917c881e1897143a09c607405
SHA1 hash:	d8369cb0d8ccec95b2a49ba34aa7749b60998661
MD5 hash:	d8a44d2ed34b5fee7c8e24d998f805d9
humanhash:	blue-king-fillet-kitten
File name:	javaw.exe
Download:	download sample
Signature	Conti Create hunting rule
File size:	72'704 bytes
First seen:	2022-07-01 05:36:28 UTC
Last seen:	2025-04-03 01:08:36 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	1536:G+5geBR2Q+a8M124Zl2i5SADBDg8trv4t9MBY5y+v:GDeBgQ+a8M12Y2i59hrvWMBCv
Threatray	1 similar samples on MalwareBazaar
TLSH	T12D63D64AB749EB30F59694B996FC2A17688E8938835F85C3FBD0C05A7651CC6B834F13
TrID	42.7% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter	1ZRR4H
Tags:	BlueSky conti exe kmsauto.us Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

640

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://kmsauto.us/someone/start.ps1

Verdict:

Malicious activity

Analysis date:

2022-06-27 22:27:44 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/4d633d99-eecd-4107-b82a-1d8089f60198

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Conti

Link:

https://www.capesandbox.com/analysis/284758/

Detection(s):

SecuriteInfo.com.Trojan.Encoder.35508.5605.30934.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Moving a recently created file

Searching for synchronization primitives

Changing a file

Reading critical registry keys

Creating a file in the mass storage device

Stealing user critical data

Encrypting user's files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/23237/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

conti filecoder packed ransomware windows

Link:

https://www.filescan.io/uploads/62be883b931c17b842b8bcd1/reports/0b2e50e6-4f82-4410-ab00-2269dd1c0ad9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Conti

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/64a9867d-7734-4793-a310-db4bec9d1ee4

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.expl.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1022983

Signature

Antivirus / Scanner detection for submitted sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Contains functionality to hide a thread from the debugger

Found Tor onion address

Hides threads from debuggers

Machine Learning detection for sample

May encrypt documents and pictures (Ransomware)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb/

Threat name:

Win32.Ransomware.Conti

Status:

Malicious

First seen:

2022-06-27 13:48:00 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hybv6ll5gcdjzzjrohxvud3wdp5zyfgzjwp6nwrylyqlrwlnyl5q._file

Verdict:

malicious

Conti

Result

Malware family:

n/a

Score:

10/10

Tags:

ransomware

Link:

https://tria.ge/reports/220701-ga5vhsfhh8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Modifies extensions of user files

Unpacked files

SH256 hash:

e54a08e46be41d82b57102d773938bab72a9999875482a71ad9c9526bf429fd1

MD5 hash:

b068a01785f79ac8acaeced9a2a8c74e

SHA1 hash:

eb85f6a73d3583359d66af328a82a084a5d7ce35

Link:

https://www.unpac.me/results/3be784ed-9577-4370-8ca7-a256966cf5e1/

SH256 hash:

a00f7feb9e680e9329d75c6f6fee45180430898ea115e5cd3e2f6eb901515f18

MD5 hash:

dbb3aa7ef8a3dc9e377ce43ca80a21ea

SHA1 hash:

cc48721a69b9c5197f494dff7d89cce07e1f8a19

Link:

https://www.unpac.me/results/3be784ed-9577-4370-8ca7-a256966cf5e1/

SH256 hash:

f0d87af16cf8b6a71b4c1091101f62d48db8501d93324cc43f9bdf71a64c56be

MD5 hash:

af967a81a30a60feeecadd0d0ecc57ea

SHA1 hash:

0f557d535000fcf3e084f2bedc55bb419e9c3af0

Link:

https://www.unpac.me/results/3be784ed-9577-4370-8ca7-a256966cf5e1/

SH256 hash:

24f86c17b84ed87a0d94f77e699c27cd6686ab617c70817f4c225b4325fde1cf

MD5 hash:

5f1d9512afd1c3876079b33fb5b68f8e

SHA1 hash:

05ff005f03ef2edacb34c4afbcbadb46fe1fd895

Link:

https://www.unpac.me/results/3be784ed-9577-4370-8ca7-a256966cf5e1/

SH256 hash:

0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4

MD5 hash:

13d3997b43c3d5cbafb0ff10b6f0dee1

SHA1 hash:

e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

Link:

https://www.unpac.me/results/3be784ed-9577-4370-8ca7-a256966cf5e1/

SH256 hash:

e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76

MD5 hash:

5cac4fe734fc8454ccb847e030beee38

SHA1 hash:

34298fe220e35f614b2c837cf1dc2604ab0882d6

Link:

https://www.unpac.me/results/3be784ed-9577-4370-8ca7-a256966cf5e1/

SH256 hash:

3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb

MD5 hash:

d8a44d2ed34b5fee7c8e24d998f805d9

SHA1 hash:

d8369cb0d8ccec95b2a49ba34aa7749b60998661

Link:

https://www.unpac.me/results/3be784ed-9577-4370-8ca7-a256966cf5e1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3e035f2d7d30/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Conti Create hunting rule
Author:	kevoreilly
Description:	Conti Ransomware

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/284758/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample