MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hive


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
SHA3-384 hash: a554bc3325f8c341aa0f45cad685f857e2b6961b6e7fe99e4fdfea8bac4f9d2ae578648e028d85072b59d54c21414a08
SHA1 hash: 9c8b988e66e0fe6f9dab69b1055e4ee200531094
MD5 hash: 177417be748814f6168171a42545f9dd
humanhash: lake-sweet-alaska-delaware
File name:serenb.exe
Download: download sample
Signature Hive
Create hunting rule
File size:3'576'216 bytes
First seen:2021-11-24 14:29:07 UTC
Last seen:2021-11-24 16:48:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:EynbnX4Rsrb/TFvO90dL3BmAFd4A64nsfJUvelzON7j93aqSCD0BUCoQPr8bg11t:EyrAe2lS75Hw+i4JROD5R
Threatray 7 similar samples on MalwareBazaar
TLSH T1FEF53943F8A1A5E4C8AB92344D6156A4AE30349D2734B3F7176097BD2F32BE45FB6360
Reporter Rony
Tags:exe Hive Ransomware signed v3

Code Signing Certificate

Organisation:SpiffyTech Inc.
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2021-10-18T00:00:00Z
Valid to:2022-10-05T23:59:59Z
Serial number: 06df5c318759d6ea9d090bfb2faf1d94
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 301a4335992e383c9ddba38af9645f72f6d3c0c1de56b92451dbf14ad70c77e6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
443
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Encoder.34525.32049.18048.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Sending a custom TCP request
DNS request
Running batch commands
Creating a file in the mass storage device
Launching the process to interact with network services
Blocking the Windows Defender launch
Deleting volume shadow copies
Preventing system recovery
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
cobalt filecoder overlay packed
Link:
https://www.filescan.io/uploads/619e4c6f02c80febc2a83171/reports/0b20522c-7248-44d9-8272-a7cdefcd755d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Hive Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9edf370-504a-4fd1-987c-eec7fea2968c
Result
Threat name:
Hive
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/895500
Signature
Disables Windows Defender (deletes autostart)
Found Tor onion address
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Uses cmd line tools excessively to alter registry or file data
Yara detected Hive Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 527973 Sample: serenb.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 72 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Hive Ransomware 2->42 44 Found Tor onion address 2->44 46 Sigma detected: Copying Sensitive Files with Credential Data 2->46 7 serenb.exe 1 2->7         started        process3 file4 36 main-high-contrast..._LtaL19MRfhk0.snwkz, COM 7->36 dropped 38 server_lg.gif.BIwk..._2o0fBT7RwJI0.snwkz, COM 7->38 dropped 48 Uses cmd line tools excessively to alter registry or file data 7->48 11 reg.exe 1 1 7->11         started        14 net.exe 1 7->14         started        16 net.exe 1 7->16         started        18 16 other processes 7->18 signatures5 process6 signatures7 50 Disables Windows Defender (deletes autostart) 11->50 20 conhost.exe 14->20         started        22 net1.exe 1 14->22         started        24 conhost.exe 16->24         started        26 net1.exe 1 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 18->32         started        34 19 other processes 18->34 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35/
Threat name:
Win64.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 21:52:25 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7n3ewkm2xvxafppbc37xab42ww4dip34scj3schycka6hgkzy2q._file
Verdict:
malicious
Similar samples:
3a7e260aec294903b08eb34f2b9a985bd38bd66a409bbb7e58bd8f4e5c3a7806
Hive
3e6ecd9dc9ec4d42be5fdca7c55931fa9f835f3f634ee9f707ed7b1a102e9f7d
Hive
8b10986bf59cc6c50698fd9a3de7522cc0767da1655f4c5c51601187eebbdac8
Hive
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63
Hive
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion ransomware spyware stealer trojan
Link:
https://tria.ge/reports/211124-rt6ahachej/
Behaviour
Interacts with shadow copies
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Reads user/profile data of web browsers
Modifies extensions of user files
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Modifies security service
Unpacked files
SH256 hash:
47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
MD5 hash:
177417be748814f6168171a42545f9dd
SHA1 hash:
9c8b988e66e0fe6f9dab69b1055e4ee200531094
Link:
https://www.unpac.me/results/7ea547cc-8385-421d-b7e8-eb87a0789834/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:RAN_Decaf_Nov_2021_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect Decaf ransomware (unpacked UPX)
Reference:https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208994/

Comments