MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zeppelin
Vendor detections: 12



SHA256 hash: 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933
SHA3-384 hash: b850e049ab4eea7d91dd5ef1aeb0fb27d0c46f5effe1b3a04cc864c827510bc4ee2a4b6661f5b74dafe2142359ddb914
SHA1 hash: e3fd29cbbefcae39190af5262852446533642daa
MD5 hash: ad62332b9fc5fb70fa1cc2913812154a
humanhash: nevada-lion-grey-cold
File name: ad62332b9fc5fb70fa1cc2913812154a
Signature: Zeppelin
File size: 220'160 bytes
First seen: 2022-07-26 07:28:07 UTC
Last seen: 2022-07-26 10:35:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8acb34bed3caa60cae3f08f75d53f727 (15 x Zeppelin)
ssdeep: 6144:QyJE1yd7WiJmcyfpHaShzh04DQFu/U3buRKlemZ9DnGAeIS+giR+:QU/d7WnvtLhza4DQFu/U3buRKlemZ9DG
TLSH: T151248D36FA808433D1731E7C9E1A56AD916EBA302F2C14477DE45E8D9E3E3A2652D1C3
TrID: 30.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      21.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      14.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.4% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
Reporter: zbetcheckin
Tags: 32 exe Zeppelin

Intelligence


File Origin
# of uploads: 3
# of downloads: 328
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
CheckScreenResolution
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: buhtrap buran coinminer filecoder greyware oct packed shell32.dll zeppelin
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Zeppelin Ransomware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Contains functionality to inject threads in other processes
Creates executable files without a name
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Found evasive API chain (may stop execution after checking locale)
Found ransom note / readme
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses bcdedit to modify the Windows boot settings
Yara detected RansomwareGeneric
Behaviour
Behavior Graph: ID 673360, sample rFRgieWgV9, start date 26/07/2022, architecture WINDOWS, score 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Found ransom note / readme; 3 other signatures

Process tree:
rFRgieWgV9.exe
    Network: www.geodatatool.com (158.69.65.151, ports 443, 49737, 49742; OVHFR, Canada); iplogger.org (148.251.234.83, ports 443, 49759, 49762; HETZNER-ASDE, Germany); geoiptool.com
    Signatures: May check the online IP address of the machine; Deletes shadow drive data (may be related to ransomware); Contains functionality to inject threads in other processes; 2 other signatures
    rFRgieWgV9.exe
        Dropped files: !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT (ASCII); C:\Users\user\Desktop\...\ZQIXMVQGAH.jpg (data); C:\Users\user\Desktop41EBFQQYWPS.mp3 (data); 7 other malicious files
        Signatures: Creates files in the recycle bin to hide itself; Drops a file containing file decryption instructions (likely related to ransomware); May encrypt documents and pictures (Ransomware); 3 other signatures
    cmd.exe
        Signatures: Deletes shadow drive data (may be related to ransomware); Bypasses PowerShell execution policy
        WMIC.exe
        conhost.exe
    cmd.exe
        conhost.exe
        vssadmin.exe
    4 other processes
        powershell.exe
        conhost.exe
        conhost.exe
        2 other processes
Threat name: Win32.Ransomware.Zeppelin
Status: Malicious
First seen: 2022-07-25 22:45:29 UTC
File Type: PE (Exe)
AV detection: 24 of 26 (92.31%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: ransomware
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Modifies extensions of user files
Deletes shadow copies
Unpacked files
SHA256 hash: 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933
MD5 hash: ad62332b9fc5fb70fa1cc2913812154a
SHA1 hash: e3fd29cbbefcae39190af5262852446533642daa
Detections: win_zeppelin_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_Zeppelin
Author: ditekSHen
Description: Detects Zeppelin (Delphi) ransomware

Rule name: Ran_Buran_Oct_2020_1
Author: Arkbird_SOLG
Description: Detect Buran ransomware
Reference: https://twitter.com/JAMESWT_MHT/status/1323956405976600579

Rule name: Win32_Ransomware_Zeppelin
Author: ReversingLabs
Description: Yara rule that detects Zeppelin ransomware.

Rule name: win_zeppelin_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_zeppelin_ransomware_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: Zeppelin
Author: @bartblaze
Description: Identifies Zeppelin ransomware and variants (Buran, Vega etc.)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Zeppelin
File: Executable exe 4728a3fa4f94d7a09e2dbe21d12ae84543042ce88ba4ea11f3fb3f27490a4933 (this sample)

Comments



zbet commented on 2022-07-26 07:28:12 UTC

url : hxxps://dl.uploadgram.me/62dd5f63d89deg?raw/