MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47e9841c99f3e198a715263f76861e997d807a085ce69c6288bfe97227242ed9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sage

Vendor detections: 7

SHA256 hash: 47e9841c99f3e198a715263f76861e997d807a085ce69c6288bfe97227242ed9
SHA3-384 hash: f5ffaf1e053da3ec66f54f3e6f4839bc99fc7e4516805794cdec2e8632568af54efb408170e85c833e3d901c2cffd401
SHA1 hash: 8d2e45397806e5b4e20bf9f0cf80eeffdbc9af1d
MD5 hash: 4b77629ce08bbc175faceb45abe68a45
humanhash: charlie-tennis-snake-hamper
File name: 47e9841c99f3e198a715263f76861e997d807a085ce69c6288bfe97227242ed9
Signature: Sage
File size: 471'040 bytes
First seen: 2020-07-29 07:21:00 UTC
Last seen: 2020-07-29 07:53:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1574f1140453d6c10fa119d69e5fee3e (1 x Sage)
ssdeep: 12288:Y+ICVKQd/C67aiHRE/FgbfRVBHKmA/hsyL98/Z9cZ:z6g/fRE/FUxHKmwJa4
Threatray: 39 similar samples on MalwareBazaar
TLSH: E8A48C01F7D1C079F5B309B18AB29794A93D7E627B3890DF63E1294E52346D2E831B27
Reporter: JAMESWT_WT
Tags: Sage

Intelligence


File Origin
# of uploads: 2
# of downloads: 87
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Deleting a recently created file
Deleting volume shadow copies
Creating a file in the mass storage device
Brute forcing passwords of local accounts
Enabling autorun with Startup directory
Deleting of the original file
Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Changes the wallpaper picture
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Potential evasive VBS script found (sleep loop)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Sage
Behaviour
Behavior Graph (ID 253038; sample: FEk69sVIyf; start date: 29/07/2020; architecture: WINDOWS; score: 100)

Sample-level indicators
  Domains: mbfce24rgn65bx3g.xcvkjet.net; mbfce24rgn65bx3g.qlkrwn.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Yara detected Sage; 4 other signatures

Process tree (indentation shows parent/child; signatures, dropped files and network contacts are listed under the process they belong to)
FEk69sVIyf.exe
  Network: 211.114.116.17, 13655 (KIXS-AS-KRKoreaTelecomKR, Korea Republic of); mbfce24rgn65bx3g.xcvkjet.net; 100 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\Rj3fNWF3.exe (PE32)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
  Rj3fNWF3.exe
    Dropped: C:\Users\user\Downloads\VWDFPKGDUF.docx... (DOS)
    Signatures: Deletes shadow drive data (may be related to ransomware); Writes to foreign memory regions; Allocates memory in foreign processes; Modifies existing user documents (likely ransomware behavior)
    Rj3fNWF3.exe
      Signatures: Deletes shadow drive data (may be related to ransomware); Writes to foreign memory regions; Allocates memory in foreign processes; Changes the wallpaper picture
      vssadmin.exe -> conhost.exe
      vssadmin.exe -> conhost.exe
      vssadmin.exe -> conhost.exe
      3 other processes
    vssadmin.exe -> conhost.exe
    vssadmin.exe -> conhost.exe
    WerFault.exe
  wscript.exe
    Signatures: Deletes itself after installation
  schtasks.exe -> conhost.exe
  FEk69sVIyf.exe
Rj3fNWF3.exe
  Signatures: Potential evasive VBS script found (sleep loop); Machine Learning detection for dropped file
  Rj3fNWF3.exe
Threat name: Win32.Ransomware.SageCrypt
Status: Malicious
First seen: 2020-07-28 20:53:37 UTC
File Type: PE (Exe)
Extracted files: 13
AV detection: 30 of 48 (62.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: ransomware persistence
Behaviour
Modifies registry class
Modifies data under HKEY_USERS
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Modifies service
Sets desktop wallpaper using registry
JavaScript code in executable
Loads dropped DLL
Deletes itself
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Destructive_Ransomware_Gen1
Author: Florian Roth
Description: Detects destructive malware
Reference: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

File information


The table below shows additional information about this malware sample such as delivery method and external references.
