MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Zeppelin


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77
SHA3-384 hash: 3a8aeb2f974586a364c86318a636ffd10a2d98f176f006aeaaecec7f37946f5a626d9d0c125950df3879eebf65152956
SHA1 hash: b30085e5b6e7aa998582fd94e56c924d7b4497dd
MD5 hash: c8823b84999ecf29f0c18c500a4e5c75
humanhash: blossom-october-stairway-autumn
File name:45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77
Download: download sample
Signature Zeppelin
Create hunting rule
File size:345'600 bytes
First seen:2021-02-28 07:06:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 89815d790a9019f8e8efc9b177dff259 (1 x Zeppelin)
ssdeep 6144:EaIdJR1f8WhuLRPfhznXKSlL2vaB4aJW5slGQU3VLQSEyvCUPjJ02:EaIdJRp8Wh+PpflVBW5slFU3VLlO2
Threatray 21 similar samples on MalwareBazaar
TLSH 0B749D20A7A1C039F6B356B4497593BBA93F79B26B3591CF52D426E936342E09C30F13
Reporter JAMESWT_WT
Tags:Zeppelin

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77
Verdict:
Malicious activity
Analysis date:
2021-02-28 09:33:18 UTC
Tags:
ransomware zeppelin evasion trojan buran
Link:
https://app.any.run/tasks/4c470aa7-8c84-488b-a8e0-fe61eff94b9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Zeppelin
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119767/
Detection(s):
Win.Malware.Mokes-9836212-0
Create hunting rule

Win.Malware.Generickdz-9836221-0
Create hunting rule

Win.Malware.Zenpak-9836235-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Changing a file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Modifying an executable file
Launching a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Unauthorized injection to a system process
Deleting of the original file
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Zeppelin
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621211
Signature
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359596 Sample: 4yHtP1Y2bu Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Zeppelin Ransomware 2->58 60 2 other signatures 2->60 7 4yHtP1Y2bu.exe 2 20 2->7         started        12 taskeng.exe 15 2->12         started        14 taskeng.exe 15 2->14         started        process3 dnsIp4 34 www.geodatatool.com 158.69.65.151, 443, 49717, 49718 OVHFR Canada 7->34 36 geoiptool.com 7->36 24 C:\Users\user\AppData\Roaming\...\taskeng.exe, PE32 7->24 dropped 26 C:\Users\user\...\taskeng.exe:Zone.Identifier, ASCII 7->26 dropped 62 Detected unpacking (changes PE section rights) 7->62 64 Detected unpacking (overwrites its own PE header) 7->64 66 Contains functionality to inject threads in other processes 7->66 68 3 other signatures 7->68 16 taskeng.exe 3 16 7->16         started        20 notepad.exe 7->20         started        38 geoiptool.com 12->38 40 geoiptool.com 14->40 file5 signatures6 process7 dnsIp8 28 geoiptool.com 16->28 30 iplogger.org 88.99.66.31, 443, 49735, 49736 HETZNER-ASDE Germany 16->30 32 www.geodatatool.com 16->32 42 Multi AV Scanner detection for dropped file 16->42 44 Detected unpacking (changes PE section rights) 16->44 46 Detected unpacking (overwrites its own PE header) 16->46 52 2 other signatures 16->52 22 WerFault.exe 23 9 16->22         started        48 Deletes itself after installation 20->48 signatures9 50 May check the online IP address of the machine 28->50 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77/
Threat name:
Win32.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 12:19:44 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ixd4lvrmujjfvqo2cep3goemwoa4etexj25bzi3id3yhwehppn3q._file
Verdict:
malicious
Similar samples:
15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50
Zeppelin
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
Zeppelin
442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024
Zeppelin
66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
Zeppelin
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
Zeppelin
7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
Zeppelin
93fe277d54f4baac5762412dda6f831bf6a612f166daade7c23f6b38feac94fb
Zeppelin
b3302c4a9fd06d9fde96c9004141f80e0a9107a9dead1659e77351f1b1c87cf6
Zeppelin
dac7b64601ffa3176296bc0647aa7cd30c50b95ea5002410000439ce506b5b9e
Zeppelin
eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5
Zeppelin
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210228-9wyd6zas6a/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a1083b9bb52b5f8976b694e29d1c3b6fe668df709f44a1a2bbab891895843e76
MD5 hash:
9e54b9f8de438367d68389610070c4b5
SHA1 hash:
e69c50c6c82f5ad6fdc88334b31d4fe7a77f63ee
Detections:
win_zeppelin_ransomware_auto
Create hunting rule
Link:
https://www.unpac.me/results/df7f2c08-be7b-4011-b2ec-ad1e8388f604/
Parent samples :
4f87fefc9bf667f1d60e9ac07bdcf91013d609b8222b6d1b2995706f7ece1b07
45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77
d76782960590abc182dba8fdcdc8bfb121b13d36be2d5d8b0960fb67960e89b1
SH256 hash:
45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77
MD5 hash:
c8823b84999ecf29f0c18c500a4e5c75
SHA1 hash:
b30085e5b6e7aa998582fd94e56c924d7b4497dd
Link:
https://www.unpac.me/results/df7f2c08-be7b-4011-b2ec-ad1e8388f604/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45c7c5d62ca2525ac1da111fb3388cb381c24c974eba1ca3681ef07b10ef7b77

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119767/

Comments