MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49a48d4ff1b7973e55d5838f20107620ed808851231256bb94c85f6c80b8ebfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Locky

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	49a48d4ff1b7973e55d5838f20107620ed808851231256bb94c85f6c80b8ebfc
SHA3-384 hash:	47db0241ed7f09c81739e26fa034523ca92741014a36febc0581893dbff9a9b6c864b23d232decc403885dbfba6564f0
SHA1 hash:	a2fcbf6e175afcee58344e6ee0f551fc2fff8d27
MD5 hash:	b66eb4bcb2860ef48afbc1378e1ae545
humanhash:	saturn-vegan-item-equal
File name:	49a48d4ff1b7973e55d5838f20107620ed808851231256bb94c85f6c80b8ebfc
Download:	download sample
Signature	Locky Create hunting rule
File size:	162'816 bytes
First seen:	2021-06-27 14:41:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	14f0cd9612d8e8836a786e6c13265809 (1 x Locky)
ssdeep	3072:j9UJ3gySjKLkEfwoZaNEP3N2QdW4BVa7NnnFRdqDGowa9:j61NSjVmaN63NiL4Di
Threatray	2'150 similar samples on MalwareBazaar
TLSH	91F35B03BF592E92D02E0E3100B90F5AA355E9153B164FAB2519BA79EDFF2C22F113D5
Reporter	struppigel
Tags:	exe Locky Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

1'565

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

malware.exe

Verdict:

No threats detected

Analysis date:

2021-06-05 17:14:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6931e5f7-e106-4ac3-8a59-01868156bb0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Ransomware.Locky-30744

BC.Win.Packer.LizardNest-5588995-4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Locky

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9b03fd2d-5707-440b-b72d-465630565fd7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/808561

Signature

Antivirus / Scanner detection for submitted sample

Deletes shadow drive data (may be related to ransomware)

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Found string related to ransomware

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May drop file containing decryption instructions (likely related to ransomware)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/49a48d4ff1b7973e55d5838f20107620ed808851231256bb94c85f6c80b8ebfc/

Threat name:

Win32.Ransomware.Locky

Status:

Malicious

First seen:

2016-03-30 17:33:06 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210627-pb2zbmc6f6/

Unpacked files

SH256 hash:

e1e9a4cc4dcbeb8d07bb1209f071acc88584e6b405b887a20b00dd7fa7561ce7

MD5 hash:

f9ba01e1d334b90cf452b123962d5b95

SHA1 hash:

02eaba21dd4aad8c34753b3a4dd93758f815888f

Detections:

win_locky_g1

win_locky_auto

Link:

https://www.unpac.me/results/4458a726-065d-44b0-b23b-1516f4eb0ba2/

SH256 hash:

4a2d29e67f8641611837992b5cd6f9016ab0139ad9d09d548f2ef08d2a6a3dc0

MD5 hash:

ce2ae2f7db121bebac701dd8185b97aa

SHA1 hash:

fcf58a0509885832fb8f989dea7b70654265c69e

Link:

https://www.unpac.me/results/4458a726-065d-44b0-b23b-1516f4eb0ba2/

SH256 hash:

49a48d4ff1b7973e55d5838f20107620ed808851231256bb94c85f6c80b8ebfc

MD5 hash:

b66eb4bcb2860ef48afbc1378e1ae545

SHA1 hash:

a2fcbf6e175afcee58344e6ee0f551fc2fff8d27

Link:

https://www.unpac.me/results/4458a726-065d-44b0-b23b-1516f4eb0ba2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Locky

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/49a48d4ff1b7973e55d5838f20107620ed808851231256bb94c85f6c80b8ebfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	Locky Create hunting rule
Author:	kevoreilly
Description:	Locky Payload

Rule name:	win_locky_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_locky_g0 Create hunting rule
Author:	mak

Rule name:	win_locky_g1 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.youtube.com/watch?v=h9RiBJ06MAQ&lc=UgydPDkQRXpkeIlr4M94AaABAg

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample