MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



KiraLock


Vendor detections: 4



SHA256 hash: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
SHA3-384 hash: da6e006286f89e398efacf9dc2fe1b6340fd51c9b2afef647d4940455b6884481027a925443ec6f2fed3986dee6f4778
SHA1 hash: be71b94e30d5465d8b72e1fc7c0137024f97baee
MD5 hash: 055c2fba242d03ae153be4a796c55ae2
humanhash: berlin-two-table-jersey
File name: 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
Signature: KiraLock
File size: 433'152 bytes
First seen: 2020-05-14 14:47:22 UTC
Last seen: 2020-05-14 15:50:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 3072:AuY/YunIL8Erv6r2btK6jmmUqEaEq5ipsvl7asLVGaSH:JsYHCr2bgSmMipsvVV
Threatray: 19 similar samples on MalwareBazaar
TLSH: 429412F6DD458542D2303673EFA1B7328F298FD8B1A22005E61ABA567035F9EC92DC53
Reporter: Anonymous
Tags: KiraLock


Anonymous
KiraLock "large" variant

Intelligence


File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Hakbit
Status: Malicious
First seen: 2020-05-11 16:07:43 UTC
File Type: PE (.Net Exe)
Extracted files: 17
AV detection: 24 of 31 (77.42%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:hakbit evasion persistence ransomware spyware
Behaviour
Interacts with shadow copies
Kills process with taskkill
Opens file in notepad (likely ransom note)
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Launches sc.exe
Modifies service
Enumerates connected drives
Modifies WinLogon
Deletes itself
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Modifies extensions of user files
Deletes shadow copies
Hakbit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments