MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e9c1dcd61419f3a79a56624a40225cafee7778a8dc8a7e7c65abc003199a852. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 4e9c1dcd61419f3a79a56624a40225cafee7778a8dc8a7e7c65abc003199a852
SHA3-384 hash: 1db662fc649d0110a5a076c6ebdc97c61b052c74e0f361c9b13c594d17e7ae20e1e15db39d1c09d9853deb12ed5665c9
SHA1 hash: 95f660eaca328a648ff9e22ed89bf9c2365326b0
MD5 hash: 0d9b6cc32c7f5101695acb7ca2d0aaa4
humanhash: may-sweet-triple-king
File name: 0d9b6cc32c7f5101695acb7ca2d0aaa4.exe
File size: 240'098 bytes
First seen: 2021-05-25 06:17:20 UTC
Last seen: 2021-05-25 07:08:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 93901d7acc315269d76a882f137e78ec
ssdeep: 3072:RKUbjcF/bcF1qSx19H18RQBDi9I0gRZA4L8kRGzROyR2CgqZ8EUKh3VcKScqF29U:RKUbjcF/be1VB2y9igtbyYFqZ8iSvj
Threatray: 11 similar samples on MalwareBazaar
TLSH: AF342A13AEA3D031D5A296B058F08671DB2EED3183A4A5DB23C12E756F604DBF235BD1
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Creating a file
Enabling the 'hidden' option for recently created files
Changing a file
Moving a recently created file
Changing an executable file
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Deleting volume shadow copies
Blocking the Windows Defender launch
Setting a single autorun event
Moving of the original file
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: 4444Ransomware Maoloa
Detection: malicious
Classification: rans.spre.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected 4444Ransomware
Yara detected Maoloa
Yara detected RansomwareGeneric
Behaviour
Behavior Graph (ID 424487; sample styjDLm1oT.exe; start date 25/05/2021; architecture WINDOWS; score 100)

Start-node signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected RansomwareGeneric; 7 other signatures.

Process tree as drawn in the graph (indentation shows parent/child; the number after a process name is the label the graph attaches to that node):
styjDLm1oT.exe 4
  dropped: C:\Users\user\AppData\Local\...\systems.exe (PE32)
  dropped: C:\Users\user\AppData\Local\Temp\Killer.bat (ASCII)
  systems.exe 501
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Spreads via windows shares (copies files to share folders)
    cmd.exe 1
      conhost.exe
  cmd.exe 1
    signature: Deletes shadow drive data (may be related to ransomware)
    conhost.exe
    reg.exe 1
    takeown.exe 1
  cmd.exe 1
    conhost.exe
    vssadmin.exe 1
systems.exe 501 (second instance, started from the start node)
  dropped: C:\$Recycle.Bin\.B580E5043E45A7E4D097 (data)
  signatures: Creates files in the recycle bin to hide itself; Spreads via windows shares (copies files to share folders)
  cmd.exe 1
    conhost.exe
systems.exe 501 (third instance, started from the start node)
  cmd.exe 1
    conhost.exe
2 other processes (not expanded in the graph)
Result
Threat name: Win32.Ransomware.GlobeImposter
Status: Malicious
First seen: 2021-05-23 02:51:38 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 39 of 47 (82.98%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion persistence ransomware spyware stealer trojan
Behaviour
Discovers systems in the same network
Interacts with shadow copies
Kills process with taskkill
Runs net.exe
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies service settings
Stops running service(s)
Deletes shadow copies
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for VirusTotal.
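The behaviour lines above (shadow-copy deletion, Defender real-time protection tampering, takeown, sc.exe, taskkill, net.exe discovery, processes launched from freshly dropped files in %AppData% and %temp%) are the kind of sandbox output a detection engineer turns into process-creation rules. The following Python is an added example, not code from MalwareBazaar or from any of the vendor sandboxes quoted on this page: it runs a handful of command-line detections over process-creation records. The records are constructed for the example in a Sysmon Event ID 1 style (Image, ParentImage, CommandLine) and are not telemetry from this sample; the rule names, the `scan`/`classify` helpers and the service and process names inside the records are assumptions.

```python
"""Command-line detections for ransomware tradecraft seen in sandbox reports.

Added example: the patterns are generic and the events are constructed;
nothing here is taken from the sample's actual execution trace.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    rule: str
    image: str
    command_line: str
    parent_in_user_writable_dir: bool  # parent ran from AppData/Temp/Recycle Bin


# (rule name, regex) pairs matched against the full process command line.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
        r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"
        r"|\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("defender_realtime_tamper", re.compile(
        r"\breg(\.exe)?\s+add\b.*windows defender.*"
        r"\b(disableantispyware|disablerealtimemonitoring)\b", re.I)),
    ("takeown_on_user_files", re.compile(r"\btakeown(\.exe)?\s+/f\s+", re.I)),
    ("service_stop_via_sc", re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+\S+", re.I)),
    ("process_kill_via_taskkill", re.compile(r"\btaskkill(\.exe)?\b.*\s/(im|pid)\s", re.I)),
    ("network_discovery_via_net", re.compile(r"\bnet1?(\.exe)?\s+(view|share|use)\b", re.I)),
]

# Directories a standard user can write to; a LOLBin whose parent lives here
# (e.g. cmd.exe spawned by a dropper in %temp%) deserves extra weight.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\$recycle.bin\\", "\\users\\public\\")


def parent_in_user_writable_dir(parent_image: str) -> bool:
    p = parent_image.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def scan(events):
    """Return one Detection per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append(Detection(name, ev.get("Image", ""), cmd,
                                      parent_in_user_writable_dir(ev.get("ParentImage", ""))))
    return hits


def classify(hits):
    """Shadow-copy deletion plus any inhibit/kill step is the ransomware pattern."""
    rules = {h.rule for h in hits}
    impact_prep = {"defender_realtime_tamper", "takeown_on_user_files",
                   "process_kill_via_taskkill", "service_stop_via_sc"}
    if "shadow_copy_deletion" in rules and rules & impact_prep:
        return "ransomware-like"
    return "suspicious" if hits else "clean"


# Constructed process-creation records (Sysmon Event ID 1 style). The last
# three are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
                    r"/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Windows\System32\takeown.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"takeown /F C:\Users\user\Documents /R /A /D Y"},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc stop VeeamBackupSvc"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "taskkill /F /IM sqlservr.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Users\user\AppData\Local\Temp\systems.exe",
     "CommandLine": "net view /all"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net start"},
]


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        flag = " [parent in user-writable dir]" if h.parent_in_user_writable_dir else ""
        print(f"{h.rule:28} {h.command_line}{flag}")
    print("verdict:", classify(found))
```

The verdict logic deliberately requires shadow-copy deletion together with an inhibit or kill step before calling something ransomware-like; `vssadmin delete shadows` on its own also shows up in backup maintenance, which is why the Sigma rule named in the report is a signal to correlate rather than an alert in itself.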

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICOUS_EXE_References_VEEAM
Description: Detects executables containing many references to VEEAM. Observed in ransomware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 4e9c1dcd61419f3a79a56624a40225cafee7778a8dc8a7e7c65abc003199a852 (this sample)

Delivery method: Distributed via web download

Comments