MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TellYouThePass


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984
SHA3-384 hash: 2d5dd6e074c09079b3d60c80d9985794e871a1674fdab98b9085dded21a82ad87cddbe51dab7d842da700e8a5a3c32c6
SHA1 hash: 5cbec4c736541179b6394d8a56074fb5254e3fc7
MD5 hash: b99c4684f7eac1f2af37e6de609e936c
humanhash: mango-fix-magnesium-table
File name:ransomware.exe
Download: download sample
Signature TellYouThePass
Create hunting rule
File size:3'190'272 bytes
First seen:2021-12-18 13:03:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:a2gvvg8IWjrb/ThvO90dL3BmAFd4A64nsfJ0uj5cTQmk9OigmQyScCgAUIOGwTqB:a212ujOTgAiffIRwe
Threatray 16 similar samples on MalwareBazaar
TLSH T169E53A03F89551E5C0AEE231C6A592537A7278A8173023D73B50EEBA2F73BD46E79314
Reporter _CyberHunt_
Tags:exe log4j Ransomware TellYouThePass

Intelligence

File Origin
# of uploads :
1
# of downloads :
392
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214985/
Detection(s):
Win.Ransomware.Hive-9916034-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
DNS request
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2473/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
filecoder tellyouthepass
Link:
https://www.filescan.io/uploads/61bddc46ec6c6c14a9dff372/reports/2158d669-1861-4c58-91e6-70cbc896ce3d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5381f8d0-2602-4843-b5e6-6de4255c0f98
Result
Threat name:
Gocoder
Create hunting rule
Detection:
malicious
Classification:
rans
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/909525
Signature
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Gocoder ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 542003 Sample: ransomware.exe Startdate: 18/12/2021 Architecture: WINDOWS Score: 64 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected Gocoder ransomware 2->56 8 ransomware.exe 65 2->8         started        process3 dnsIp4 52 45.76.99.222, 80 AS-CHOOPAUS United States 8->52 46 C:\Users\user\Desktop\...\OVWVVIANZH.jpg, ASCII 8->46 dropped 48 C:\Users\user\Desktop\...\DUKNXICOZT.png, ASCII 8->48 dropped 50 C:\Users\user\Desktop\...\ATJBEMHSSB.png, ASCII 8->50 dropped 58 Modifies existing user documents (likely ransomware behavior) 8->58 13 cmd.exe 1 8->13         started        16 cmd.exe 1 8->16         started        18 cmd.exe 1 8->18         started        20 39 other processes 8->20 file5 signatures6 process7 signatures8 60 Uses schtasks.exe or at.exe to add and modify task schedules 13->60 22 taskkill.exe 1 13->22         started        24 taskkill.exe 13->24         started        26 taskkill.exe 1 16->26         started        28 taskkill.exe 1 18->28         started        30 taskkill.exe 1 18->30         started        32 taskkill.exe 1 20->32         started        34 taskkill.exe 1 20->34         started        36 taskkill.exe 1 20->36         started        38 30 other processes 20->38 process9 process10 40 taskkill.exe 26->40         started        42 taskkill.exe 32->42         started        44 taskkill.exe 1 34->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984/
Threat name:
Win64.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 19:18:23 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyfqs2vpknnqxdycetna6bgh66mxyyv7ofmdtkabfqpbcvfdrgca._file
Verdict:
malicious
Similar samples:
1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
TellYouThePass
3a7e260aec294903b08eb34f2b9a985bd38bd66a409bbb7e58bd8f4e5c3a7806
TellYouThePass
8b10986bf59cc6c50698fd9a3de7522cc0767da1655f4c5c51601187eebbdac8
TellYouThePass
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63
TellYouThePass
a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850
TellYouThePass
cd9077bf07eb4183aa5d7093cd32c9fddc43e2ecba91a682d666b041c39a4cd2
TellYouThePass
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Link:
https://tria.ge/reports/211218-qax94sfag7/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies extensions of user files
Unpacked files
SH256 hash:
460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984
MD5 hash:
b99c4684f7eac1f2af37e6de609e936c
SHA1 hash:
5cbec4c736541179b6394d8a56074fb5254e3fc7
Link:
https://www.unpac.me/results/0fe2faa7-eed0-4d6e-8825-70c9a9c517e7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/214985/

Comments