MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HiddenTear

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f
SHA3-384 hash:	9dd0b6bd551b5b61d180971c7518261e0a5a849c4ca8daff8a4590c27f5e6e7c549c861160894527e834981d41344580
SHA1 hash:	315dfcb400f3fb36220a91fd9f8b9200366eca56
MD5 hash:	26cae6fdb074d2e30002351c40aa2b58
humanhash:	muppet-fruit-carbon-item
File name:	software-launcher8.bin
Download:	download sample
Signature	HiddenTear Create hunting rule
File size:	347'040 bytes
First seen:	2020-09-02 09:34:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56d4c27e0b8fc226e87edcc76f07afb2 (1 x HiddenTear)
ssdeep	6144:87BzUxW0pA+yT7c4i4VKtxTRAJqDgBP/BLGT6AG+l2QSQ7:VW0Ly3RiX9RjgFpLGT6El2Qp
TLSH	337412D23A08D3F0EDF8DEF17E91DC9219CA6C6E8D95644771E2731A46F6022162EE07
Reporter	JAMESWT_WT
Tags:	HiddenTear

Intelligence

File Origin

# of uploads :

# of downloads :

2'016

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/54284/

Detection(s):

SecuriteInfo.com.Trojan.Packed.22393.30919.28654.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for analyzing tools

Searching for the window

Sending a UDP request

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/457312

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (window names)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f/

Threat name:

Win32.Ransomware.Ryzerlo

Status:

Malicious

First seen:

2020-09-02 08:38:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kp6zfebu5ryzas7i54dnjrbpertzs7ywgzcddsz6i2re3av5v5xq._file

Verdict:

suspicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/200902-jbm1frdm4x/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Cryptor

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/54284/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample