MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Sugar


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058
SHA3-384 hash: b12f992238ee7b5e572c4cd4c616a9a6441bc8783d96bcefb44fbe0f4a347f95571ec1c23f9a6cac6c98db24bf4048d1
SHA1 hash: a4854ce87081095ab1f1b26ff16817e446d786af
MD5 hash: 17c7b47b68f75df9eec21698decad5b4
humanhash: bacon-lion-ack-uniform
File name:4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058
Download: download sample
Signature Sugar
Create hunting rule
File size:143'360 bytes
First seen:2022-02-03 01:05:17 UTC
Last seen:2022-02-03 02:55:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d2d74e0bbb1bdaffd94b2514a46e47e (2 x Sugar)
ssdeep 1536:WJ6miN/d+ucYLJrpTR/ky1lcSBdeKWFKVsu5jmZIFncKDCzHQvU/NjwGg64+:TmecYLN/ky1l1iClmZYfezHQvYdZ4+
Threatray 8'489 similar samples on MalwareBazaar
TLSH T193E37C37B982C13BC0754D79DE16D2DAB629BA303E38189F75D85F0D9C392825A7D382
Reporter Arkbird_SOLG
Tags:exe Ransomware Sugar unpacked

Intelligence

File Origin
# of uploads :
2
# of downloads :
397
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4a97bc8111631.exe
Verdict:
Malicious activity
Analysis date:
2022-02-02 18:33:05 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/df6cb6f8-1cf7-47b4-af58-ae0a2ecd8fb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/231403/
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %temp% directory
Sending an HTTP POST request
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5818/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
expand.exe filecoder greyware overlay shell32.dll
Link:
https://www.filescan.io/uploads/61fb2a7d6d25ac9e79ff793d/reports/5c8c0984-b3ef-463e-9ddc-80d5da855879/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Encoded01 Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62d6c8da-8ac5-4463-9da7-0beb18c44abf
Result
Threat name:
Encoded01
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/932928
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates files in the recycle bin to hide itself
Found string related to ransomware
Found Tor onion address
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Encoded01 Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058/
Threat name:
Win32.Ransomware.Cryptor
Create hunting rule
Status:
Malicious
First seen:
2021-11-29 09:03:43 UTC
File Type:
PE (Exe)
AV detection:
31 of 43 (72.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkl3zairmmlzls3tbx7hqnwqv6wdcmpnrki5xao54udcxoaccbma._file
Verdict:
malicious
Similar samples:
2d5407433a0d0a90d5ea37643701e5526a6d1e5cc1d1a35bd290a55913302901
Sugar
43e4a6830f54f3bd039b90f0a27ad19a9f2bb673ab990f34dc201c3b102e056a
Sugar
44caf98e5ae6e4c45d0c49f0ec2ba8e833e806e74c5b3cde1b48d440f873d97a
Sugar
55ded456339aef89e7d891f0c7f494c11d8983233106d64069bc767ab06ceb71
Sugar
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
Sugar
888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
Sugar
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
Sugar
e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d
Sugar
e80b6b17c71fbba13316f2c9fbda01c59abeff6da89d70c79396e82f6dc51dc9
Sugar
+ 8'479 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence ransomware spyware stealer
Link:
https://tria.ge/reports/220203-bf4xhscfc8/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Drops file in Windows directory
Drops desktop.ini file(s)
Looks up external IP address via web service
Reads user/profile data of web browsers
Modifies extensions of user files
Sets service image path in registry
Unpacked files
SH256 hash:
4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058
MD5 hash:
17c7b47b68f75df9eec21698decad5b4
SHA1 hash:
a4854ce87081095ab1f1b26ff16817e446d786af
Link:
https://www.unpac.me/results/040e8673-a83e-4f01-a95d-68bbbaab32fe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4a97bc811163/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a97bc8111631795cb730dfe7836d0afac3131ed8a91db81dde5062bb8021058

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb
Cape
Cape
https://www.capesandbox.com/analysis/231403/

Comments