MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4729c95c7b1da0c7176d100bb5fccea3b1c467f295e37677fab3b50d41ff1ff0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackCat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4729c95c7b1da0c7176d100bb5fccea3b1c467f295e37677fab3b50d41ff1ff0
SHA3-384 hash: 5fc16e1ac16c4812ae04b78764696606ce1dd04f224a6426d2d426f88595daef10f1aa2637404ab1d24b628b7b3da7d3
SHA1 hash: 83ddb0e215863a669f3d52001ecc022e96647b6a
MD5 hash: 9adec3dda8427bf36fb83f6c384da2c5
humanhash: wyoming-finch-nebraska-nuts
File name:logoff.exe
Download: download sample
Signature BlackCat
Create hunting rule
File size:91'136 bytes
First seen:2023-03-14 11:38:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92726b1f55f5ecd5b5fcbde6cf170336 (1 x BlackCat)
ssdeep 1536:HI7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfGM:HGFfHgTWmCRkGbKGLeNTBfGM
Threatray 1'346 similar samples on MalwareBazaar
TLSH T14F937C45F2E142F7EAF2053201A6712FEB35A6388724D8DBC74C2D429953AD1A73D3E9
TrID 36.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter n3x77
Tags:blackcat exe Ransomware


Avatar
n3x771
Unpacked sample of e9cef52bf082c87766bbac0b3324c3d76e66e9d5b943e751a04583dc041a0273

Intelligence

File Origin
# of uploads :
1
# of downloads :
854
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
logoff.exe
Verdict:
Malicious activity
Analysis date:
2023-03-14 11:39:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1cbea870-992d-4476-932d-569ecf762495

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374226/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.41903412.23037.4057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73088/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/64105c9b3120829676f98440/reports/8eb568d8-d8cf-4701-b2f6-f0530cf6af77/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4729c95c7b1da0c7176d100bb5fccea3b1c467f295e37677fab3b50d41ff1ff0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d125be0c-1b36-424b-a96d-0128640a247a
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1193243
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses logoff.exe to logoff the current user
Yara detected Babadeda
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 826144 Sample: logoff.exe Startdate: 14/03/2023 Architecture: WINDOWS Score: 72 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected Babadeda 2->31 33 2 other signatures 2->33 8 logoff.exe 8 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        13 conhost.exe 8->13         started        dnsIp5 25 192.168.2.1 unknown unknown 10->25 15 cmd.exe 1 10->15         started        17 wevtutil.exe 1 10->17         started        19 wevtutil.exe 1 10->19         started        21 35 other processes 10->21 process6 process7 23 wevtutil.exe 1 15->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4729c95c7b1da0c7176d100bb5fccea3b1c467f295e37677fab3b50d41ff1ff0/
Threat name:
Win32.Trojan.Olydestroy
Create hunting rule
Status:
Malicious
First seen:
2023-03-14 11:39:05 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4u4sxd3dwqmof3ncaf3l7gouoy4iz7ssxrxm572wo2q2qp7d7ya._file
Verdict:
unknown
Similar samples:
05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c
BlackCat
2278d1bca473d91247e01794a1202297bda4bce23c3a1e74c43abc67d8d7b371
BlackCat
362b245742cfe47a741c851c67b872aa21db3f32b2bff78640e578b7e2cbeb11
BlackCat
4da864854d368ab640245f8174d247e0b9947045712d2d7449e25e7074b8587c
BlackCat
786bd0f69b66c376235bcdb464e8b725848d7dc35bd2a76f863c5bd043a12063
BlackCat
cdd4ab01797a178b70303381028cb419a8550a15fa75bdb40f6d56bc289b7dcf
BlackCat
cebf1665279b1ce695f105bfe9710012793c5dce9e06b53b778d66eeb553c5ab
BlackCat
f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
BlackCat
f816ea850eca0a23b99541054eddc2ac01971bb502dcf1231dc02ed58282365f
BlackCat
+ 1'336 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion ransomware
Link:
https://tria.ge/reports/230314-nrpyyshb4s/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Clears Windows event logs
Unpacked files
SH256 hash:
f6ef75638e555e4280783141d21424ab8b33c4f7d9b4051e1c7e611b1e3d857d
MD5 hash:
cbd238b2d33dcefe375308d99f2db2d7
SHA1 hash:
30d42edc7a20adb4d3f56ccaeb81104f71e55ce0
Link:
https://www.unpac.me/results/31373cfa-6be8-4e4a-be16-ebd3641bdd10/
SH256 hash:
4729c95c7b1da0c7176d100bb5fccea3b1c467f295e37677fab3b50d41ff1ff0
MD5 hash:
9adec3dda8427bf36fb83f6c384da2c5
SHA1 hash:
83ddb0e215863a669f3d52001ecc022e96647b6a
Link:
https://www.unpac.me/results/31373cfa-6be8-4e4a-be16-ebd3641bdd10/
Malware family:
CopyKittens
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4729c95c7b1d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4729c95c7b1da0c7176d100bb5fccea3b1c467f295e37677fab3b50d41ff1ff0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374226/

Comments