MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45fae482574687582244d4310a6f4760477952443e0be052f9d7ef76640cdb3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45fae482574687582244d4310a6f4760477952443e0be052f9d7ef76640cdb3a
SHA3-384 hash: 71f190bf5d2479b7aabdc6c705e9af22233a3b649297b43291c9bf7ddda9fd6ddc9560c5d6e19b84dfb4b2d8c23083f0
SHA1 hash: b3d716828f7017699483a04e78c5fd040c17b877
MD5 hash: e1ed63d273de094f74d12a850305f156
humanhash: blossom-september-pip-emma
File name:e1ed63d2_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:1'725'952 bytes
First seen:2021-05-05 08:08:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea7bcfaf860b1d2ab4deeebd3d5a6196 (1 x VirLock)
ssdeep 24576:VoenBZNvA7jfYJH0J16g9rljmY7QKl380tg8Ann5Rsr4ONmWsf39n8f0gFlh:fOjeH0zR5Kda/tmnn5Rs8Ym5nG
Threatray 61 similar samples on MalwareBazaar
TLSH 6E85E00C6FA911ACC683E87CA5A7C97969F262B2D4EBB0114C07E728BD2F546F5044DF
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150065/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6803820-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Searching for the window
Sending a UDP request
DNS request
Launching a service
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.spre
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711653
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates an undocumented autostart registry key
Delayed program exit found
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404753 Sample: e1ed63d2_by_Libranalysis.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 66 Antivirus detection for dropped file 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 2 other signatures 2->72 7 e1ed63d2_by_Libranalysis.exe 3 15 2->7         started        11 nKIYQsco.exe 4 2->11         started        13 svchost.exe 2->13         started        16 7 other processes 2->16 process3 dnsIp4 56 C:\Users\user\MswwEocM\DiQcMgoc.exe, PE32 7->56 dropped 58 C:\ProgramData\JaQIAAIE\nKIYQsco.exe, PE32 7->58 dropped 60 C:\ProgramData\CqMsMIUk\KYggcEQw.exe, PE32 7->60 dropped 62 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 7->62 dropped 88 Creates an undocumented autostart registry key 7->88 90 Uses cmd line tools excessively to alter registry or file data 7->90 92 Tries to detect virtualization through RDTSC time measurements 7->92 18 KYggcEQw.exe 24 7->18         started        22 DiQcMgoc.exe 15 7->22         started        24 cmd.exe 1 7->24         started        26 3 other processes 7->26 94 Antivirus detection for dropped file 11->94 96 Machine Learning detection for dropped file 11->96 98 Delayed program exit found 11->98 64 127.0.0.1 unknown unknown 13->64 file5 signatures6 process7 file8 42 C:\Users\user\Desktop\skoM.exe, PE32 18->42 dropped 44 C:\Users\user\Desktop\mwkA.exe, PE32 18->44 dropped 46 C:\Users\user\Desktop\aYgI.exe, PE32 18->46 dropped 54 9 other malicious files 18->54 dropped 74 Antivirus detection for dropped file 18->74 76 Machine Learning detection for dropped file 18->76 78 Contains functionality to detect hardware virtualization (CPUID execution measurement) 18->78 86 2 other signatures 18->86 28 explorer.exe 18->28         started        48 C:\Users\user\Desktop\wwUY.exe, PE32 22->48 dropped 50 C:\RCXC36B.tmp, PE32 22->50 dropped 52 C:\ProgramData\Adobe\...\AdobeARMHelper.exe, PE32 22->52 dropped 80 Injects code into the Windows Explorer (explorer.exe) 22->80 82 Tries to detect virtualization through RDTSC time measurements 22->82 84 Drops executable to a common third party application directory 22->84 30 explorer.exe 1 4 22->30         started        32 setup.exe 1 24->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45fae482574687582244d4310a6f4760477952443e0be052f9d7ef76640cdb3a/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 00:42:17 UTC
AV detection:
46 of 47 (97.87%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74
VirLock
5dcbbdb1d5a8b47a50a05b2cf13963139075616f4b6de2db2232aa73bde800c1
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
8a139fcd70cf23b397ef1bb31a6b8a5990bd2018bd7e42da6db865a52d49549d
VirLock
92f33d787077d6ebe2fb62adf935c32d86cc39424bb3ec5eb066224c3e9da5e4
VirLock
b69aa57f74809a88c35081e066a080f2235608838f5db899f4f888c6ae68da6f
VirLock
b9fb2adfa6f13b218e5fb9eca8a2d82c211a24f772abb27371b679f986752fd4
VirLock
d662eebe16b90f597adeb4a215b05fc65db54078ad55e1d2bd013fda84a64b96
VirLock
f3b8d88cf155e8649ab7a08800d17a63a18b92187f3af8db279e60da670059c8
VirLock
f7b7022afea2352c4c4874452f1505e9e4c344923b8b27b661e2b0ccc74f58f6
VirLock
+ 51 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210505-bds9b3maws/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
674ee222f2b861c329ff0acac80f3e7f1a2c817ff791e27b3f78a5946f208904
MD5 hash:
4f176bfd330c1d84164e6abe6f7abbdf
SHA1 hash:
2b17feaf36589fc4b723254afe3051c0fe87ec5f
Link:
https://www.unpac.me/results/cdf8c3f7-4fc3-4e45-8df5-3a19d82204d0/
SH256 hash:
1ab0c30f9645d126f49a9da8e5d510edbac7bd6f1024d0e7b0bfcb7fcfd4273f
MD5 hash:
bd0b76a7c33a8ba57c39759b0ccc5c4e
SHA1 hash:
91c1b25cc484aeb0485d8e5c2f5d9416f773c62e
Link:
https://www.unpac.me/results/cdf8c3f7-4fc3-4e45-8df5-3a19d82204d0/
SH256 hash:
eaffc311720260942394e82ae219b0c65f0572f9df3689f522455f113cf9c3ed
MD5 hash:
32fea7e81e66e15c83005670a8c12c87
SHA1 hash:
99546d4e659e746b097a67358b2323226002a589
Link:
https://www.unpac.me/results/cdf8c3f7-4fc3-4e45-8df5-3a19d82204d0/
SH256 hash:
45fae482574687582244d4310a6f4760477952443e0be052f9d7ef76640cdb3a
MD5 hash:
e1ed63d273de094f74d12a850305f156
SHA1 hash:
b3d716828f7017699483a04e78c5fd040c17b877
Link:
https://www.unpac.me/results/cdf8c3f7-4fc3-4e45-8df5-3a19d82204d0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150065/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 09:05:34 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash