MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VAGGEN

Vendor detections: 6

SHA256 hash: 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
SHA3-384 hash: 2f440f33e4cec3994e8694a549437f0d3725dc980ce0c6d59d7e9b284fe520cef53275cc95175eeaaa2ae316f4574c45
SHA1 hash: 4ecb87b412a79220ea8e58a2f3f8fa46997d7e5d
MD5 hash: 5665127e5ab8c49462eff551c2b75f7c
humanhash: november-montana-eighteen-low
File name: killar.bin
Signature: VAGGEN
File size: 9'585'664 bytes
First seen: 2020-10-20 06:44:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 93a138801d9601e4c36e6274c8b9d111 (11 x CobaltStrike, 9 x Snatch, 8 x LaplasClipper)
ssdeep: 98304:TdGxaeha3XCD+IGX7Cisdlmxcc2zaxNUPkQIfehVX5snNfMl87r3:TQxawebIG3almj2zaxKPphVofMl87r
Threatray: 1 similar samples on MalwareBazaar
TLSH: F7A67EA1FDEB04F5EA03453258AB637FA33462054339CAC7D6444F97F827AD2197326A
Reporter: JAMESWT_WT
Tags: Ransomware VAGGEN
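The hashes in this entry are the file-level indicators a responder would sweep for. The following script is an added example, not part of the MalwareBazaar page or of any vendor's analysis: it digests files with the same four algorithms listed above (SHA256, SHA3-384, SHA1, MD5) in a single read, compares them against this entry's values, and grades a hit by algorithm strength, because a match on MD5 or SHA1 alone is weaker evidence than one on SHA256 or SHA3-384. The directory path and the test buffers are assumptions; the imphash, ssdeep and TLSH values above are not computed here, since they need pefile, ssdeep and tlsh rather than hashlib.

```python
import hashlib
import os
from typing import Dict, Iterable, Set, Tuple

# Indicators copied from this MalwareBazaar entry (sample killar.bin).
BAZAAR_IOCS: Set[Tuple[str, str]] = {
    ("sha256", "43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f"),
    ("sha3_384", "2f440f33e4cec3994e8694a549437f0d3725dc980ce0c6d59d7e9b284fe520cef53275cc95175eeaaa2ae316f4574c45"),
    ("sha1", "4ecb87b412a79220ea8e58a2f3f8fa46997d7e5d"),
    ("md5", "5665127e5ab8c49462eff551c2b75f7c"),
}

# hashlib names for the four algorithms the entry lists.
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def hash_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four digests so a large file (this sample is
    9.5 MB) is read once rather than once per algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return hash_stream(chunks())


def match_iocs(digests: Dict[str, str],
               iocs: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Return the (algorithm, hash) indicators this file matches. Hex case is
    normalised because feeds mix upper- and lower-case digests."""
    return {(algo, h) for algo, h in iocs
            if digests.get(algo, "").lower() == h.lower()}


def confidence(matched: Set[Tuple[str, str]]) -> str:
    """SHA-256 or SHA3-384 agreement is a confirmed match; MD5 and SHA-1 are
    collision-prone, so a hit on those alone is only a lead to triage."""
    algos = {algo for algo, _ in matched}
    if algos & {"sha256", "sha3_384"}:
        return "confirmed"
    if algos:
        return "weak"
    return "none"


def scan_directory(root: str, iocs: Set[Tuple[str, str]] = BAZAAR_IOCS):
    """Walk `root` (an assumed path) and report files matching any indicator."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            matched = match_iocs(digests, iocs)
            if matched:
                hits[path] = matched
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, matched in scan_directory(root).items():
        print(f"{path}: {confidence(matched)} match on "
              + ", ".join(sorted(algo for algo, _ in matched)))
```

Run it against a mounted image or a quarantine folder; a "weak" result means only the legacy digests lined up, which is worth re-checking with the SHA256 before acting on it.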

Intelligence


File Origin
# of uploads: 1
# of downloads: 204
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Sending a UDP request
Creating a file
Changing a file
Delayed writing of the file
Reading critical registry keys
Launching a process
Stealing user critical data
Encrypting user's files
Enabling autorun by creating a file

Result
Threat name: Unknown
Detection: malicious
Classification: rans
Score: 64 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Result
Threat name: Win32.Ransomware.Encoder
Status: Malicious
First seen: 2020-10-19 19:39:43 UTC
File Type: PE (Exe)
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: ransomware
Behaviour:
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Drops desktop.ini file(s)
Modifies extensions of user files
Unpacked files
SHA256 hash: 43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
MD5 hash: 5665127e5ab8c49462eff551c2b75f7c
SHA1 hash: 4ecb87b412a79220ea8e58a2f3f8fa46997d7e5d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments