MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Qilin

Vendor detections: 13

Intelligence 13 IOCs YARA 14 File information Comments

SHA256 hash:	56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7
SHA3-384 hash:	052bb752ebb6e45e22e66c70b45b96986e62233eab0bd9baa0464bc1b7398c7173fd05c2c20de024b0c750c784630631
SHA1 hash:	a9da26cba0230c60880b1bec3f391ab43095de01
MD5 hash:	59d756280b06cf113ca43abc0050edd5
humanhash:	rugby-seven-washington-rugby
File name:	SecuriteInfo.com.Trojan-Ransom.Qilin.14732.26799
Download:	download sample
Signature	Qilin Create hunting rule
File size:	7'363'640 bytes
First seen:	2024-08-04 16:16:17 UTC
Last seen:	2025-03-10 16:34:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d5bbe0ab32fe5cd8bfc57bbea724fe95 (1 x Qilin, 1 x RustyStealer)
ssdeep	49152:jD1u4BFqRqebAVLmcEjha87z1yMUf0iMSl1dz3dRneQlIc8GATN84qmFaAVFwsOg:3cArsi51OiIuATl7VWsO7I0AsObnQi
TLSH	T106767C21F99944ACE9ABD13410DD3736733A744A43E1AFF70365E2B10EE67A29F28354
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe QiLin Ransomware.Qilin RustyStealer

Intelligence

File Origin

# of uploads :

# of downloads :

655

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

system32.exe

Verdict:

No threats detected

Analysis date:

2024-08-04 13:11:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/caa4774b-8876-4ebd-9284-e779805475d1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66afa983037b02d0daed9222

Tags:

Encryption Heur

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

89%

Tags:

anti-debug anti-vm expand findstr lolbin overlay ransomware veeam

Link:

https://www.filescan.io/uploads/66afa97f5743b16748e7dd57/reports/44b4720e-5435-416d-86a1-ff5b829df641/overview

Verdict:

Suspicious

Labled as:

Ransom_Win32_Babuk_SIB_MTB

Link:

https://www.hybrid-analysis.com/sample/56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/429674b0-58bb-4e4d-934e-28d2c5c08fb5

Result

Threat name:

n/a

Detection:

malicious

Classification:

rans

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1487598

Signature

Deletes shadow drive data (may be related to ransomware)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7/

Threat name:

Win64.Ransomware.Qilin

Status:

Malicious

First seen:

2024-07-31 13:13:05 UTC

File Type:

PE+ (Exe)

AV detection:

6 of 38 (15.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k3q5bewaomrntwwx3boxooktk46mgkkltzbiwo53v6jvzjgs67tq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240804-trclhszakp/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1e81dd57-4335-405f-a81f-54c9ec22c075

Unpacked files

SH256 hash:

56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7

MD5 hash:

59d756280b06cf113ca43abc0050edd5

SHA1 hash:

a9da26cba0230c60880b1bec3f391ab43095de01

Detections:

cn_utf8_windows_terminal

Link:

https://www.unpac.me/results/b009ca5e-130b-4a5a-b634-366968219e0b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_PatchWork_BADNEWS_20211105 Create hunting rule
Description:	Detects PatchWork Group RTF or BADNEWS

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_ClearWinLogs Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing commands for clearing Windows Event Logs

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	Detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Rustyloader_mem_loose Create hunting rule
Author:	James_inthe_box
Description:	Corroded buerloader
Reference:	https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Qilin

exe 56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3088294/

Delivery method

Distributed via web download

Reviews

ID	Capabilities	Evidence
FFI_METHODS	Can perform system-level operations via FFI	_ZN4core3ptr263drop_in_place$LT$$LT$alloc::collections::btree::map::IntoIter$LT$K$C$V$C$A$GT$$u20$as$u20$core::ops::drop::Drop$GT$::drop::DropGuard$LT$std::sys::pal::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$C$alloc::alloc::Global$GT$$GT$17h23e06ba1da1f2f4dE.llvm.8995532739843392609 _ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17hde728fe41fa8c6bdE.llvm.8995532739843392609 _ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17h634cd371339dcc0aE _ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17h634cd371339dcc0aE.llvm.8507798603955212923 _ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17h634cd371339dcc0aE.llvm.6170400122876590942 _ZN72_$LT$std::ffi::os_str::OsStr$u20$as$u20$clap::osstringext::OsStrExt3$GT$8as_bytes17hd5c5882fa98a2dd6E _ZN72_$LT$std::ffi::os_str::OsStr$u20$as$u20$clap::osstringext::OsStrExt2$GT$11starts_with17h6abee7d05d5e809eE _ZN72_$LT$std::ffi::os_str::OsStr$u20$as$u20$clap::osstringext::OsStrExt2$GT$13contains_byte17h59d80c43d8591595E _ZN72_$LT$std::ffi::os_str::OsStr$u20$as$u20$clap::osstringext::OsStrExt2$GT$13split_at_byte17hf229a4b8c944da10E _ZN72_$LT$std::ffi::os_str::OsStr$u20$as$u20$clap::osstringext::OsStrExt2$GT$17trim_left_matches17hd47ca363fb5fc119E _ZN72_$LT$std::ffi::os_str::OsStr$u20$as$u20$clap::osstringext::OsStrExt2$GT$8split_at17h5d262a844d442c1cE _ZN72_$LT$std::ffi::os_str::OsStr$u20$as$u20$clap::osstringext::OsStrExt2$GT$5split17h4c3008237281fb7bE _ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17h634cd371339dcc0aE.llvm.5110807419968470733 _ZN4core3ptr125drop_in_place$LT$$LP$std::sys::pal::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$RP$$GT$17h7f050b9f6a343e4eE _ZN4core3ptr137drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17h223e8fea78610bd3E _ZN4core3ptr137drop_in_place$LT$alloc::collections::btree::map::IntoIter$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$17he1853977abbb0681E _ZN4core3ptr165drop_in_place$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$core::option::Option$LT$std::ffi::os_str::OsString$GT$$GT$$GT$17h42428d8c8603a0c0E _ZN4core3ptr165drop_in_place$LT$core::option::Option$LT$alloc::collections::btree::map::BTreeMap$LT$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$GT$$GT$$GT$17hb448e9e90da3f1e2E _ZN4core3ptr47drop_in_place$LT$std::ffi::os_str::OsString$GT$17h875eb90587592377E _ZN4core3ptr70drop_in_place$LT$alloc::vec::Vec$LT$std::ffi::os_str::OsString$GT$$GT$17h67d755428859d6d4E _ZN4core3ptr84drop_in_place$LT$$LP$std::ffi::os_str::OsString$C$std::ffi::os_str::OsString$RP$$GT$17h9c313733b01b23fcE _ZN4core3ptr97drop_in_place$LT$$LP$std::sys::pal::windows::process::EnvKey$C$std::ffi::os_str::OsString$RP$$GT$17h617c5bb783d63bf3E _ZN81_$LT$std::ffi::os_str::OsString$u20$as$u20$std::os::windows::ffi::OsStringExt$GT$9from_wide17h624a621d3f86a298E _ZN62_$LT$std::ffi::os_str::Display$u20$as$u20$core::fmt::Debug$GT$3fmt17h8b9005e29eff02b0E _ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Write$GT$9write_str17h62e191498c6b6094E _ZN3std3ffi6os_str95_$LT$impl$u20$core::convert::TryFrom$LT$$RF$std::ffi::os_str::OsStr$GT$$u20$for$u20$$RF$str$GT$8try_from17he8a549d17459c9d8E _ZN64_$LT$std::ffi::os_str::Display$u20$as$u20$core::fmt::Display$GT$3fmt17ha6edef50f6eb998aE _ZN113_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$std::ffi::os_str::OsString$GT$$GT$4from17h659ea04ea4abb943E _ZN3std3sys3pal7windows7process123_$LT$impl$u20$core::convert::From$LT$std::sys::pal::windows::process::EnvKey$GT$$u20$for$u20$std::ffi::os_str::OsString$GT$4from17h78390048344322f9E _ZN114_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::From$LT$$RF$std::ffi::os_str::OsStr$GT$$GT$4from17h3b1c5b82aa0b9952E _ZN111_$LT$std::sys::pal::windows::process::EnvKey$u20$as$u20$core::convert::AsRef$LT$std::ffi::os_str::OsStr$GT$$GT$6as_ref17h5eedec5b5667a226E _ZN60_$LT$std::ffi::os_str::OsStr$u20$as$u20$core::fmt::Debug$GT$3fmt17h045e2ee660b95ba8E _ZN63_$LT$std::ffi::os_str::OsString$u20$as$u20$core::fmt::Debug$GT$3fmt17h2fb252b54367d6c2E
FILE_IO_READ	Can Read Files	_ZN54_$LT$std::fs::Metadata$u20$as$u20$core::fmt::Debug$GT$3fmt17h696ec7b6ba2db3fdE _ZN4core3ptr83drop_in_place$LT$core::iter::adapters::flatten::Flatten$LT$std::fs::ReadDir$GT$$GT$17h475e4d497ed7ae85E _ZN4core3ptr89drop_in_place$LT$core::result::Result$LT$std::fs::ReadDir$C$std::io::error::Error$GT$$GT$17h7ce09be5adb448ebE _ZN4core3ptr273drop_in_place$LT$core::iter::adapters::GenericShunt$LT$core::iter::adapters::map::Map$LT$std::fs::ReadDir$C$glob::fill_todo::$u7b$$u7b$closure$u7d$$u7d$::$u7b$$u7b$closure$u7d$$u7d$$GT$$C$core::result::Result$LT$core::convert::Infallible$C$std::io::error::Error$GT$$GT$$GT$17ha07d91e107dfe55fE _ZN75_$LT$std::fs::ReadDir$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17hbc02dfdadb94c4c8E
FILE_IO_WRITE	Can Create and Remove Files	_ZN79_$LT$alloc::vec::Vec$LT$u8$GT$$u20$as$u20$std::io::copy::BufferedWriterSpec$GT$11buffer_size17he67d009a61c59e40E _ZN4core3ptr118drop_in_place$LT$core::option::Option$LT$core::result::Result$LT$std::fs::DirEntry$C$std::io::error::Error$GT$$GT$$GT$17h398e29fabb69bd6fE _ZN4core3ptr96drop_in_place$LT$core::option::Option$LT$core::result::IntoIter$LT$std::fs::DirEntry$GT$$GT$$GT$17ha5840f4c11827ebdE _ZN54_$LT$std::fs::DirEntry$u20$as$u20$core::fmt::Debug$GT$3fmt17h8950519baeddf0c8E _ZN54_$LT$std::fs::FileType$u20$as$u20$core::fmt::Debug$GT$3fmt17h0473b111fc7e71efE _ZN57_$LT$std::fs::Permissions$u20$as$u20$core::fmt::Debug$GT$3fmt17h96d550a5f49a95dbE
NET_METHODS	Uses Network to send and receive data	_ZN91_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::iter::traits::iterator::Iterator$GT$4next17h0edde67b98934ed3E _ZN104_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$LP$$RF$str$C$u16$RP$$GT$$GT$8try_from17heeb85f1c5cc2d300E _ZN68_$LT$std::sys_common::net::TcpStream$u20$as$u20$core::fmt::Debug$GT$3fmt17h4990926ce0d7c09bE _ZN70_$LT$std::sys_common::net::TcpListener$u20$as$u20$core::fmt::Debug$GT$3fmt17h6ef230dd7007f5e2E _ZN68_$LT$std::sys_common::net::UdpSocket$u20$as$u20$core::fmt::Debug$GT$3fmt17hc6d32f11046272afE _ZN74_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::ops::drop::Drop$GT$4drop17hd4389c4b8adb3116E _ZN90_$LT$std::sys_common::net::LookupHost$u20$as$u20$core::convert::TryFrom$LT$$RF$str$GT$$GT$8try_from17hbdef01f6bf934d98E _ZN3std10sys_common3net154_$LT$impl$u20$std::sys_common::IntoInner$LT$$LP$std::sys_common::net::SocketAddrCRepr$C$i32$RP$$GT$$u20$for$u20$$RF$core::net::socket_addr::SocketAddr$GT$10into_inner17hc59c1ded73558024E

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample