MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6
SHA3-384 hash: 51a8ab1794eb8f9a81ca2e977fcf96151288dd11d00007f036823991a1996b242cc0cc09f261d0cb6ce6a6e31597077d
SHA1 hash: 7b88e1eaa07151fc0d7639574fc7f40fa5be8aa3
MD5 hash: d427390e9fad598ec3288c9275c84628
humanhash: comet-low-uncle-lemon
File name:4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6
Download: download sample
File size:13'262'684 bytes
First seen:2020-08-26 12:20:15 UTC
Last seen:2020-08-26 12:51:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 58053a2a3020fdc7713b576ad93bf7bd (1 x ModiLoader)
ssdeep 393216:prVo+wu2gmnX9c5hlEK/PNMtN3ZW43Q4Eei:prVo+wu2gmNEhxtMtN3r3Q4Ee
Threatray 5 similar samples on MalwareBazaar
TLSH C9D63381B33040A9DA5793337899CA348562B8211754D66B1F753BB037DF3EABE36A31
Reporter JAMESWT_WT
Tags:Python Ransomware

Intelligence

File Origin
# of uploads :
3
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PE_File_pyinstaller.5469.13453.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Deleting a recently created file
Sending a UDP request
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
rans
Score:
27 / 100
Link:
https://www.joesandbox.com/analysis/451511
Signature
(
)
a
b
D
e
h
i
l
m
n
o
r
s
t
v
w
y
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 278264 Sample: PvGEX1nmVl Startdate: 27/08/2020 Architecture: WINDOWS Score: 27 12 Deletes shadow drive data (may be related to ransomware) 2->12 6 PvGEX1nmVl.exe 502 2->6         started        process3 process4 8 PvGEX1nmVl.exe 1 6->8         started        10 conhost.exe 6->10         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6/
Threat name:
Win64.Ransomware.FileCryptor
Create hunting rule
Status:
Malicious
First seen:
2020-08-26 04:15:59 UTC
File Type:
PE+ (Exe)
Extracted files:
2202
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3
50b73c4132c9240c404a85b5d2843436fe8d5022a7104b5faeab827f558c52e4
5f7edbfee38f8e9a93df459405b952189d48b4a7f2ddc7a81d25bdfd59b31c80
8d3c6da3f4d6513a1d38058a6cf6028e0c07210a5c0509f47150152362093636
e8c00468964966dfdbae2de1d15a8a24b5ba4dbe7dddd482888568f4430d4db1
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200826-sx712tkkjx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
JavaScript code in executable
JavaScript code in executable
Loads dropped DLL
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments