MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Zeppelin
Vendor detections: 7



SHA256 hash: 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA3-384 hash: 6e7542f31fdd01aaaa98c2f8e4aeaa7cff28801420454bca4ddf88b6ee8fb5114dec1edda7c0b42a1095346a19b819a5
SHA1 hash: 1d6dcade355b4867e9435961655a9b9caa373528
MD5 hash: d18bf81dbc8acce488abd633d8058cf5
humanhash: carpet-vermont-foxtrot-river
File name: hci0xn0zip
Download: download sample
Signature: Zeppelin
File size: 3'500'897 bytes
First seen: 2020-11-04 10:53:35 UTC
Last seen: 2020-11-04 13:02:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1f273e55d954a3cd6ab7388915a0485 (3 x Neurevt, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep: 49152:OzOJB5ZJBK7/stk6SY6stAHzUfj7a3MTP4ivpkH:OKBtKzatHa4JY
Threatray: 5 similar samples on MalwareBazaar
TLSH: DFF56D237389603EC06639B6852796649C3F7F627912CC4A6BF4794C8F35542EE3A60F
Reporter: JAMESWT_WT
Tags: buran Ransomware Zeppelin zip

Intelligence


File Origin
# of uploads: 3
# of downloads: 2'016
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the Program Files subdirectories
Delayed writing of the file
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Sending a UDP request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Moving a recently created file
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Searching for the window
Changing a file
Modifying an executable file
Moving a file to the Program Files subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Moving of the original file
Creating a file in the mass storage device
Deleting volume shadow copies
Unauthorized injection to a system process
Encrypting user's files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Zeppelin
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops batch files with force delete cmd (self deletion)
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Writes to foreign memory regions
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph (ID 309108; sample hci0xn0zip; start date 04/11/2020; architecture WINDOWS; score 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Zeppelin Ransomware; 2 other signatures

Process tree, dropped files and network contacts, as recovered from the graph:

hci0xn0zip.exe
  dropped: C:\ssd\onset\81ldp.bat (DOS), C:\ssd\onset\15sp.exe (PE32)
  signature: Drops batch files with force delete cmd (self deletion)
  wscript.exe
    cmd.exe
      wscript.exe
        cmd.exe
          mesager43.exe
            network: www.geodatatool.com (158.69.65.151, ports 443, 49721, 49722, OVHFR Canada), geoiptool.com
            dropped: C:\Users\user\AppData\...\services.exe (PE32)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
            services.exe
              network: iplogger.org (88.99.66.31, ports 443, 49732, 49733, HETZNER-ASDE Germany), www.geodatatool.com, geoiptool.com
              signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject threads in other processes
              WerFault.exe
            notepad.exe
          conhost.exe
          timeout.exe
          5 other processes
      15sp.exe
        dropped: C:\ssd\onset\mesager43.exe (PE32)
      conhost.exe
      2 other processes
services.exe (second instance, started at the root)
  network: www.geodatatool.com, geoiptool.com
  WerFault.exe
    network: 192.168.2.1
services.exe (third instance, started at the root)
  network: www.geodatatool.com, geoiptool.com
Threat name: Win32.Ransomware.Buhtrap
Status: Malicious
First seen: 2020-11-04 10:51:18 UTC
File Type: PE (Exe)
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:buran evasion persistence ransomware upx
Behaviour
Delays execution with timeout.exe
Interacts with shadow copies
Kills process with taskkill
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Modifies registry class
Drops file in Program Files directory
Modifies service
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Sets file to hidden
UPX packed file
Modifies extensions of user files
Deletes shadow copies
Buran
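As an added example (not code from the MalwareBazaar page, and not any sandbox vendor's detection logic), the script below replays a few constructed Sysmon-style events modelled on the behaviour reported above and flags the patterns a detection engineer would key on: a binary named like a Windows system file (services.exe) executing outside System32 or SysWOW64, which is the idea behind the "System File Execution Location Anomaly" signal (the check here is a simplified approximation written for this example, not the published Sigma rule); vssadmin or wmic shadow-copy deletion; taskkill with /f or /im; a delayed "del /f" of a .bat file; a write under the CurrentVersion\Run key; and contact with the IP-lookup hosts and addresses listed in the behaviour graph. The event layout, the AppData subdirectory (the page elides it) and the command lines in the sample events are assumptions made for the example.

```python
"""Replay constructed process/registry/network events against a few rules
derived from the behaviour reported for this sample. Added example; the rules
are simplified approximations, not a vendor's or Sigma's published logic."""
import re
from dataclasses import dataclass

# Hosts and addresses reported in the sandbox behaviour graph for this sample.
NETWORK_IOCS = {
    "www.geodatatool.com", "geoiptool.com", "iplogger.org",
    "158.69.65.151", "88.99.66.31",
}

# Binaries that legitimately live only under the Windows system directories
# (assumed list for this example).
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "wininit.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Autorun branch named in the behaviour list above (matched case-insensitively).
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass
class Event:
    kind: str          # "process", "registry" or "network" (assumed schema)
    image: str         # full path of the acting process
    cmdline: str = ""  # process events only
    target: str = ""   # registry key path or contacted host/IP


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names the event triggers (empty list if nothing fires)."""
    hits = []
    image = ev.image.lower()
    if ev.kind == "process":
        cl = ev.cmdline.lower()
        # System-file name running from a non-system directory.
        if _basename(image) in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
            hits.append("system_file_execution_location_anomaly")
        # Shadow-copy deletion via vssadmin or wmic.
        if (re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", cl)
                or re.search(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", cl)):
            hits.append("shadow_copy_deletion")
        # Forced process termination with taskkill.
        if re.search(r"\btaskkill(\.exe)?\b.*\s/(?:f|im)\b", cl):
            hits.append("forced_process_kill")
        # Delay (timeout/ping) followed by deletion of a batch file: self-cleanup.
        if re.search(r"\b(?:timeout|ping)\b", cl) and re.search(r"\bdel\b.*\.bat\b", cl):
            hits.append("delayed_self_delete_batch")
    elif ev.kind == "registry":
        if RUN_KEY in ev.target.lower():
            hits.append("run_key_persistence")
    elif ev.kind == "network":
        if ev.target.lower() in NETWORK_IOCS:
            hits.append("known_network_ioc")
    return hits


def scan(events):
    """Return [(event_index, rule_name), ...] for every rule that fires."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed events modelled on the behaviour above; not captured telemetry.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\services.exe", "services.exe"),
    Event("process", r"C:\Users\user\AppData\Roaming\services.exe", "services.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c vssadmin delete shadows /all /quiet"),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c timeout 3 & del /f /q "C:\ssd\onset\81ldp.bat"'),
    Event("process", r"C:\Windows\System32\taskkill.exe", "taskkill /f /im example.exe"),
    Event("registry", r"C:\Users\user\AppData\Roaming\services.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\services"),
    Event("network", r"C:\Users\user\AppData\Roaming\services.exe", target="iplogger.org"),
    Event("network", r"C:\Users\user\AppData\Roaming\services.exe", target="www.example.com"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {ev.kind}: {ev.image} {ev.cmdline or ev.target}")
```

The first event (services.exe from System32) and the last (a DNS lookup of an unrelated host) produce no hits; every other event fires exactly one rule. The location check deliberately keys on the file name rather than the signer or hash, because the dropped copy on this page reuses a benign system name ("Drops PE files with benign system names" above), which is exactly the case a hash-only check misses.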
Unpacked files
SHA256 hash: 7f10b907775365d6754403cdd34bda8ecb480357f4d555ce3c49f6b09733a6aa
MD5 hash: a4e54309bd479b2b70b88011d93a8678
SHA1 hash: 2ee8ac8d25b24cfa3398cbe4c737109c0388c201
SHA256 hash: 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
MD5 hash: d18bf81dbc8acce488abd633d8058cf5
SHA1 hash: 1d6dcade355b4867e9435961655a9b9caa373528
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Zeppelin
File type: Executable exe
SHA256 hash: 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a (this sample)

Comments