MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b1b5c9701099601062f1fadc81992eb6c61a6c864a29c6c68be8fd927ef32cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b1b5c9701099601062f1fadc81992eb6c61a6c864a29c6c68be8fd927ef32cb
SHA3-384 hash: 23a66a613505512c45f08655b107a69fee507748c7119d129d33d264c31fdc7fb2d75cc30b5ab402bd67ee85a974a581
SHA1 hash: c11e1d62e5e2e418f285fea5171a63fbe2e00e27
MD5 hash: 70aaccf24961e6002fdbe6de7a356ceb
humanhash: alpha-diet-golf-pluto
File name:70aaccf2_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:1'595'904 bytes
First seen:2021-05-05 09:04:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6626ce66d94d28a10d7cb425f091cacd (1 x VirLock)
ssdeep 49152:27diRu75oa2Qjyh4TxBzXeWcR86k1bjyZ:2IuoNQWF86k1bW
Threatray 95 similar samples on MalwareBazaar
TLSH 6B75026B4A507BBAD2E069F1B4C3A48E0628C16DF7F9C50511BD3A819BA3FF7119B0C5
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150147/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6803820-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
Creating a file in the Windows subdirectories
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a UDP request
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b1b5c9701099601062f1fadc81992eb6c61a6c864a29c6c68be8fd927ef32cb/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 01:31:29 UTC
AV detection:
47 of 48 (97.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02c295951551d06d573f8631d699d5ce0a1170591fe4e2700754c2bdf8556be7
VirLock
085a972774c849ad789ce702eed1c52156463bb630598e2e8b33a20913ba981a
VirLock
19c8d8a63ec85a1f77ae4a28bdc4cb149c84d7101883ee8db4a0769f93e2d288
VirLock
1e1f86e7ca7a69efabe84abe8641f04fcf2ae0a4eee870e7df6e2517bd1064ca
VirLock
5065428bc91f6a12f48944a8c7299d559faf3d53e2c7c47db05bb9103450ab8d
VirLock
970d2c3ac7d0d45ecfcd7b45d7ab42e0f169357a0c13f90853d8763649bb766a
VirLock
afad289c4180b56d4e597d4304f5928c4ceba337fe3ac08b524246fbb656e46e
VirLock
c4b04e6c7905b34bf6768fd32296246b89b2d3457c49b99c05b5e6068cbb99ff
VirLock
caf288c7727111312ba3c836928ff0c82de727d1a89bab05d31823bfddb756f5
VirLock
fa4196a9d31f8e0f2dd479ed23945858008edf9bb367b6ad3ef29b7dadeb3472
VirLock
+ 85 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-afxsbxbwl6/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
674ee222f2b861c329ff0acac80f3e7f1a2c817ff791e27b3f78a5946f208904
MD5 hash:
4f176bfd330c1d84164e6abe6f7abbdf
SHA1 hash:
2b17feaf36589fc4b723254afe3051c0fe87ec5f
Link:
https://www.unpac.me/results/50d0a7a1-5fab-452c-ac48-71217d79463f/
SH256 hash:
70fe6588b32b87768d84ea9056c1517407d7c3e298c943afbf796298885ea21d
MD5 hash:
13021a91637304e9e8b96792d3be4fd0
SHA1 hash:
7244b715bd6e55d84c978b523fca8ea6ab3e5cbe
Link:
https://www.unpac.me/results/50d0a7a1-5fab-452c-ac48-71217d79463f/
SH256 hash:
4b1b5c9701099601062f1fadc81992eb6c61a6c864a29c6c68be8fd927ef32cb
MD5 hash:
70aaccf24961e6002fdbe6de7a356ceb
SHA1 hash:
c11e1d62e5e2e418f285fea5171a63fbe2e00e27
Link:
https://www.unpac.me/results/50d0a7a1-5fab-452c-ac48-71217d79463f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b1b5c9701099601062f1fadc81992eb6c61a6c864a29c6c68be8fd927ef32cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150147/

Comments