MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ec24235db92db96f37d5afed64ae370a92fe0d96ddcf396f907b4a48ffc96b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhino


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ec24235db92db96f37d5afed64ae370a92fe0d96ddcf396f907b4a48ffc96b9
SHA3-384 hash: 0f9bf99e0b81cebb1f3954ecd97fba91d0901a75932403a4777bb839f91bbeea6be51da501438319faf88bdc20bdcf0e
SHA1 hash: b8d1de6741470524ecdf1120824fa0648e36c0cc
MD5 hash: 8cee8754469b85a5f4d3fd38f5c4ba94
humanhash: mobile-charlie-johnny-potato
File name:3ec24235db92db96f37d5afed64ae370a92fe0d96ddcf396f907b4a48ffc96b9
Download: download sample
Signature Rhino
Create hunting rule
File size:205'465 bytes
First seen:2022-12-23 14:26:13 UTC
Last seen:2022-12-23 16:31:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e809b97433899d68750928d7714d31e (1 x Rhino)
ssdeep 6144:1gEzDxdslhd64teyCZ+1sBNbFE8u/7KPk3bimFCfdJOS:1gqxdyhTteWIznu2PMVIvOS
TLSH T18A1422EB8E49482CD42544726369CEC6305FB6248D4C964C7D8E99E06BBDF43FFE2462
TrID 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
4.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter petikvx
Tags:exe Ransmware Rhino

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3ec24235db92db96f37d5afed64ae370a92fe0d96ddcf396f907b4a48ffc96b9
Verdict:
Malicious activity
Analysis date:
2022-12-23 14:26:21 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/6c888bb8-cf69-4b36-b368-e29372ed1cb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.DeepScan.Generic.Ransom.Mole.58A132A6.13329.4161.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63a5bab7cd05a9f1899d9572/reports/6b60cf7b-8835-4d2c-9335-994e3b77cc98/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Rhino Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18d3228d-c8cb-4315-bc90-bb09699eb6ac
Result
Threat name:
FlashCrypt
Create hunting rule
Detection:
malicious
Classification:
rans.spre
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140041
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected FlashCrypt Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 772771 Sample: eAB4M1aR42.exe Startdate: 23/12/2022 Architecture: WINDOWS Score: 100 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected FlashCrypt Ransomware 2->53 7 eAB4M1aR42.exe 2 7 2->7         started        11 flash_fm.exe 35 2->11         started        13 flash_fm.exe 2 2->13         started        15 flash_fm.exe 3 2 2->15         started        process3 file4 43 C:\Users\user\Desktop\PALRGUCVEH.mp3, data 7->43 dropped 45 C:\Users\user\Desktop45VWZAPQSQL.jpg, data 7->45 dropped 47 C:\Users\user\DesktopbehaviorgraphRXZDKKVDB.png, data 7->47 dropped 63 May encrypt documents and pictures (Ransomware) 7->63 65 Modifies existing user documents (likely ransomware behavior) 7->65 17 flash_fm.exe 74 7->17         started        21 cmd.exe 3 7->21         started        23 mshta.exe 11->23         started        25 mshta.exe 13->25         started        27 mshta.exe 15->27         started        signatures5 process6 file7 31 eAB4M1aR42.exe.[as...o.net].flash (copy), data 17->31 dropped 33 C:\Users\user\Desktop\eAB4M1aR42.exe, data 17->33 dropped 35 TranscodedWallpape...o.net].flash (copy), data 17->35 dropped 41 38 other malicious files 17->41 dropped 55 Antivirus detection for dropped file 17->55 57 Multi AV Scanner detection for dropped file 17->57 59 May encrypt documents and pictures (Ransomware) 17->59 61 3 other signatures 17->61 37 C:\Users\user\AppData\Roaming\flash_fm.exe, PE32 21->37 dropped 39 C:\Users\...\flash_fm.exe:Zone.Identifier, ASCII 21->39 dropped 29 conhost.exe 21->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ec24235db92db96f37d5afed64ae370a92fe0d96ddcf396f907b4a48ffc96b9/
Threat name:
Win32.Ransomware.Rhino
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 15:34:10 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
26 of 40 (65.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3beeno3slnzn435ll7nmsxdocus7ygznxophfxza62kjd74s24q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence ransomware spyware stealer upx
Link:
https://tria.ge/reports/221223-rse2xsge65/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
Modifies extensions of user files
UPX packed file
Unpacked files
SH256 hash:
faaffc40249c185c83de864ae1a311d6c381464f90deca9d8cd8545ee6c89ffe
MD5 hash:
7397c0d59c64bc0496969daf47d9b729
SHA1 hash:
bc08a45610cb8167bffe03363712138fd78940f6
Detections:
win_rhino_auto
Create hunting rule
Link:
https://www.unpac.me/results/823a179f-b397-48bf-8f44-88ab5079c6db/
SH256 hash:
3ec24235db92db96f37d5afed64ae370a92fe0d96ddcf396f907b4a48ffc96b9
MD5 hash:
8cee8754469b85a5f4d3fd38f5c4ba94
SHA1 hash:
b8d1de6741470524ecdf1120824fa0648e36c0cc
Link:
https://www.unpac.me/results/823a179f-b397-48bf-8f44-88ab5079c6db/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ec24235db92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/3ec24235db92db96f37d5afed64ae370a92fe0d96ddcf396f907b4a48ffc96b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments