MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 565ff723884f77bf7e744527b0eb736373183ce1cc6c6df0fdee4b2929f685c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Conti

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	565ff723884f77bf7e744527b0eb736373183ce1cc6c6df0fdee4b2929f685c2
SHA3-384 hash:	fcff1b471ca280fbd32d157dd548d8b3565f5e87353c5fc0ab44fafc4a49a7addf78cf7bbe9ffbb9b365fb8cf4f02deb
SHA1 hash:	12fd06e820085e34bc58d2c6ad4110fb06ccee2f
MD5 hash:	810ce3c27a736f08d3a57fff9106de6f
humanhash:	spring-cat-minnesota-utah
File name:	SecuriteInfo.com.Trojan.Encoder.37846.19102.23510
Download:	download sample
Signature	Conti Create hunting rule
File size:	238'592 bytes
First seen:	2023-12-10 01:19:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6a50fba0b2beed26e23e37e0922bd3df (1 x Conti)
ssdeep	3072:mvi2tU9gr2NDYpKFi85n/dijWmkfAsjxWcyq7PEFOIURkH:gi2YgrQDY4485n1ijhkfAsgxlU+H
TLSH	T133342920F7494635F16518B21DFC7EE250A89A38231FC8F7B3DD86AE5A296C27520F47
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	conti exe

Intelligence

File Origin

# of uploads :

# of downloads :

525

Origin country :

Vendor Threat Intelligence

Detection:

Conti

Link:

https://www.capesandbox.com/analysis/464108/

Detection(s):

SecuriteInfo.com.Trojan.Encoder.37846.19102.23510.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Launching a service

Changing a file

Modifying an executable file

Modifies multiple files

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Encrypting user's files

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

conti conti expand filecoder filecoder lockbit lockbit lockfile lockfile lolbin ransomware ransomware virus zusy

Link:

https://www.filescan.io/uploads/657512443636548f3746cdbb/reports/945b7487-7ed6-46d2-96cc-9df0252616c0/overview

Verdict:

Malicious

Labled as:

Ser.Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/565ff723884f77bf7e744527b0eb736373183ce1cc6c6df0fdee4b2929f685c2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Conti

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7c337ec3-e729-4ef3-8adb-de823531e5e0

Result

Threat name:

BlueSky, LockBit ransomware

Detection:

malicious

Classification:

rans.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1357114

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Found potential ransomware demand text

Found ransom note / readme

Found Tor onion address

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes many files with high entropy

Yara detected BlueSky Ransomware

Yara detected LockBit ransomware

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/565ff723884f77bf7e744527b0eb736373183ce1cc6c6df0fdee4b2929f685c2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/565ff723884f77bf7e744527b0eb736373183ce1cc6c6df0fdee4b2929f685c2/

Threat name:

Win32.Ransomware.Conti

Status:

Malicious

First seen:

2023-08-15 16:17:06 UTC

File Type:

PE (Exe)

AV detection:

27 of 37 (72.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kzp7oi4ij53367tuiut3b23tmnzrqphbzrwg34h55zfsskpwqxba._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/231210-bp32ksbbhp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Drops file in Program Files directory

Drops desktop.ini file(s)

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

565ff723884f77bf7e744527b0eb736373183ce1cc6c6df0fdee4b2929f685c2

MD5 hash:

810ce3c27a736f08d3a57fff9106de6f

SHA1 hash:

12fd06e820085e34bc58d2c6ad4110fb06ccee2f

Detections:

ContiRansomware

Link:

https://www.unpac.me/results/3d7656f5-ca62-4e65-a6d1-225e60b4f8df/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/565ff723884f77bf7e744527b0eb736373183ce1cc6c6df0fdee4b2929f685c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Conti Create hunting rule
Author:	kevoreilly
Description:	Conti Ransomware

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	RAN_Lockbit_Green_Jan_2023_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect the green variant used by lockbit group (x86)
Reference:	https://github.com/prodaft/malware-ioc/blob/master/LockBit/green.md

Rule name:	Windows_Ransomware_Conti_89f3f6fa Create hunting rule
Author:	Elastic Security

Rule name:	win_conti_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.conti.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/464108/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample