MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Ryuk

Vendor detections: 6


SHA256 hash: 3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4
SHA3-384 hash: a0cd51855d8825252e56c79ae83fd00a8288d728e9db0c69b9a0e4eeaf00ad59b12180b0000a8ff0b7b0c2650a406d40
SHA1 hash: b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3
MD5 hash: 5af409fe584bed2f8b847bb9d2eca34f
humanhash: berlin-freddie-utah-happy
File name: 3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4
Signature: Ryuk
File size: 407'504 bytes
First seen: 2020-10-05 06:49:27 UTC
Last seen: 2020-10-05 07:40:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d826b15c5030046a95578a7afce08abb (4 x BuerLoader, 1 x Ryuk)
ssdeep: 6144:g4LwKpY6JE5pdSv2RNUJsTGiQNZD0I7oIrrhynRiw1amXQ0YKG0RIb890BEaGTd:gEbEy2RKiQNJ0CrARRg0Y4RK89v1p
Threatray: 4 similar samples on MalwareBazaar
TLSH: FE84BF84FF8374F7FC23097155C6F3AA8332E8588632CE8BDA48DA57D5A7643A5148C9
Reporter: JAMESWT_WT
Tags: ARMAUER SP Z O O, Ryuk, signed

Code Signing Certificate

Organisation: DigiCert High Assurance EV Root CA
Issuer: DigiCert High Assurance EV Root CA
Algorithm: sha1WithRSAEncryption
Valid from: Nov 10 00:00:00 2006 GMT
Valid to: Nov 10 00:00:00 2031 GMT
Serial number: 02AC5C266A0B409B8F0B79F2AE462577
Intelligence: 204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'818
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window

Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 66 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates files in the recycle bin to hide itself
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WannaCry Ransomware
Writes many files with high entropy
Yara detected Ryuk ransomware
Behaviour
Behavior Graph (ID 292958, sample C2ejoVjQwp, start date 05/10/2020, architecture WINDOWS, score 66): C2ejoVjQwp.exe drops C:\Users\user\Desktop\tSZHTHmEblan.exe, C:\Users\user\Desktop\bWYmOjsDblan.exe and C:\Users\user\Desktop\OFFnJCBMglan.exe (all PE32) plus 25 other files (24 malicious), then starts the three dropped executables and 6 other processes, which in turn spawn conhost.exe (three instances shown) and 7 other processes. Signatures shown in the graph: Sigma detected: WannaCry Ransomware; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Ryuk ransomware; Creates files in the recycle bin to hide itself; Writes many files with high entropy; Multi AV Scanner detection for dropped file.
Threat name: Win32.Downloader.Buerak
Status: Malicious
First seen: 2020-10-04 21:42:00 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 24 of 29 (82.76%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4
MD5 hash: 5af409fe584bed2f8b847bb9d2eca34f
SHA1 hash: b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256 hash: 9a2314197b00026dc6340c3d403d0ae7c47cfadc6e24d5af67b0f6c61ff296af
MD5 hash: d4c36bbc52b9809426707fcf31ebc7aa
SHA1 hash: 913642abc543b048ef8f84916ebaf2010eeabe9b

SHA256 hash: 105c3501fe6abb40a0041de875a4f68f05d69a42e74af13871cbeef89060dcaa
MD5 hash: 60c39ebde85498a5553f1d34a6ed51e0
SHA1 hash: ce1b420d1644cb6dc06e4d02779017a90a58b8b7
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments