MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5715421db87e90b962c061ed1a9e6af443f012ddd61d0a0a3450212063416c4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nabucur


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5715421db87e90b962c061ed1a9e6af443f012ddd61d0a0a3450212063416c4d
SHA3-384 hash: 9b298a35f738dcfafb077413974083fcf0962a6599119e06d8c9602be82cc0862766c1d0a130e97a0464eb5de281b4e3
SHA1 hash: 564514e182d9789c5ddb2b687c133e0d89df717a
MD5 hash: 179e9c53d04c3b66d135bc6bd4480b75
humanhash: west-don-quiet-iowa
File name:Trojan-Ransom.Win32.PolyRansom.bvlp-5715421db87e90b962c061ed1a9e6af443f012ddd61d0a0a3450212063416c4d.exe
Download: download sample
Signature Nabucur
Create hunting rule
File size:151'040 bytes
First seen:2022-09-29 12:37:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:P20wD0UjvezRbaPBlN6jGT1HLBtsIyqS/Jo7H7cggi:P20wQUreFu74jGR7rS/Jo7H7cg
TLSH T13AE31288F55CC9C7F9A9D2F78895E2055BAC79464163F3C5EE34A68234863EB09032F7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:exe Nabucur Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
545
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
cerber
Create hunting rule
ID:
1
File name:
d.exe
Verdict:
Malicious activity
Analysis date:
2021-02-06 21:58:45 UTC
Tags:
trojan ransomware cerber troldesh shade
Link:
https://app.any.run/tasks/0813616d-ec2a-4bb0-b78a-1550b0a2c17f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314817/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a window
Changing a file
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Running batch commands
Launching the process to change network settings
Launching a process
Moving a file to the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633591af49c58ce767c415fb/reports/2715cfdc-12f1-42df-b157-2d243426294a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c05ba91e-a994-4ce2-a02e-fd5663044106
Result
Threat name:
Babuk, Cerber, DeriaLock, InfinityLock,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1080065
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Clears the journal log
Clears the windows event log
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Deletes keys related to Windows Defender
Deletes keys which are related to windows safe boot (disables safe mode boot)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disables security and backup related services
Disables the Windows registry editor (regedit)
Disables the windows security center
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Cerber ransomware
Yara detected DeriaLock Ransomware
Yara detected InfinityLock Ransomware
Yara detected Mimikatz
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 712622 Sample: 63416c4d.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 100 129 www5.internet-security-guard.com 2->129 131 secure2.simplenetworkzqi.com 2->131 133 9 other IPs or domains 2->133 147 Snort IDS alert for network traffic 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 Antivirus detection for URL or domain 2->151 153 18 other signatures 2->153 10 63416c4d.exe 14 72 2->10         started        15 svchost.exe 2->15         started        17 cmd.exe 2->17         started        19 8 other processes 2->19 signatures3 process4 dnsIp5 143 raw.githubusercontent.com 10->143 145 github.com 10->145 115 C:\Users\user\Desktop\Fantom.exe, PE32 10->115 dropped 117 C:\Users\user\Desktopndermanch@Xyeta.exe, PE32 10->117 dropped 119 C:\...ndermanch@WinlockerVB6Blacksod.exe, PE32 10->119 dropped 121 65 other malicious files 10->121 dropped 185 Writes many files with high entropy 10->185 21 Endermanch@BadRabbit.exe 10->21         started        25 Endermanch@AntivirusPlatinum.exe 1 13 10->25         started        27 Endermanch@InfinityCrypt.exe 10->27         started        33 10 other processes 10->33 187 Changes security center settings (notifications, updates, antivirus, firewall) 15->187 29 MpCmdRun.exe 15->29         started        31 conhost.exe 17->31         started        file6 signatures7 process8 dnsIp9 91 C:\Windows\infpub.dat, data 21->91 dropped 155 Antivirus detection for dropped file 21->155 157 Multi AV Scanner detection for dropped file 21->157 159 Machine Learning detection for dropped file 21->159 36 rundll32.exe 21->36         started        41 conhost.exe 21->41         started        93 C:\Windows\antivirus-platinum.exe, PE32 25->93 dropped 95 C:\Windows\302746537.exe, PE32 25->95 dropped 103 2 other files (none is malicious) 25->103 dropped 161 Drops executables to the windows directory (C:\Windows) and starts them 25->161 43 302746537.exe 25->43         started        105 7 other malicious files 27->105 dropped 163 Writes many files with high entropy 27->163 45 conhost.exe 29->45         started        123 93.107.12.20 VODAFONE-IRELAND-ASNIE Ireland 33->123 125 93.107.12.21 VODAFONE-IRELAND-ASNIE Ireland 33->125 127 104 other IPs or domains 33->127 97 C:\Users\user\AppData\Local\6AdwCleaner.exe, PE32 33->97 dropped 99 C:\Program Files (x86)\...\libltdl3.dll, PE32 33->99 dropped 101 C:\Program Files (x86)\...\avpc2009.exe, PE32 33->101 dropped 107 2 other files (none is malicious) 33->107 dropped 165 Detected unpacking (changes PE section rights) 33->165 167 Detected unpacking (creates a PE file in dynamic memory) 33->167 169 Detected unpacking (overwrites its own PE header) 33->169 171 11 other signatures 33->171 47 6AdwCleaner.exe 33->47         started        49 avpc2009.exe 33->49         started        51 taskkill.exe 33->51         started        53 3 other processes 33->53 file10 signatures11 process12 dnsIp13 135 google.ru 36->135 109 C:\Windows\dispci.exe, PE32 36->109 dropped 111 C:\Windows\cscc.dat, PE32+ 36->111 dropped 113 C:\Windows\97B6.tmp, data 36->113 dropped 173 System process connects to network (likely due to code injection or exploit) 36->173 175 Connects to many different private IPs via SMB (likely to spread or exploit) 36->175 177 Connects to many different private IPs (likely to spread or exploit) 36->177 183 4 other signatures 36->183 55 cmd.exe 36->55         started        57 cmd.exe 36->57         started        59 cmd.exe 36->59         started        70 3 other processes 36->70 179 Multi AV Scanner detection for dropped file 43->179 61 cmd.exe 43->61         started        137 www.vikingwebscanner.com 47->137 181 Antivirus detection for dropped file 47->181 139 yandex.ru 49->139 141 google.ru 49->141 64 conhost.exe 51->64         started        66 conhost.exe 53->66         started        68 conhost.exe 53->68         started        file14 signatures15 process16 signatures17 72 conhost.exe 55->72         started        74 schtasks.exe 55->74         started        83 2 other processes 57->83 85 2 other processes 59->85 195 Drops executables to the windows directory (C:\Windows) and starts them 61->195 197 Uses schtasks.exe or at.exe to add and modify task schedules 61->197 76 antivirus-platinum.exe 61->76         started        79 conhost.exe 61->79         started        81 regsvr32.exe 61->81         started        87 2 other processes 61->87 89 3 other processes 70->89 process18 signatures19 189 Disables the Windows task manager (taskmgr) 76->189 191 Disables Windows system restore 76->191 193 Disables the Windows registry editor (regedit) 76->193
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5715421db87e90b962c061ed1a9e6af443f012ddd61d0a0a3450212063416c4d/
Threat name:
Win32.Ransomware.PolyRansom
Create hunting rule
Status:
Malicious
First seen:
2021-02-07 08:48:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4kuehnyp2ilsywamhwrvhtk6rb7aew52yoqucrukaqsay2bnrgq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
bootkit discovery evasion persistence themida upx
Link:
https://tria.ge/reports/220929-pt342aaha3/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Control Panel
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies registry class
Modifies registry key
Modifies system certificate store
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Writes to the Master Boot Record (MBR)
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Themida packer
Contacts a large (1137) amount of remote hosts
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Checks for common network interception software
Enumerates VirtualBox registry keys
Malware Config
Dropper Extraction:
http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=IYMUGYHL&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8e3ae873-d910-432d-b54a-3e6ad77a2e7c
Unpacked files
SH256 hash:
c26e67f93294ef08f6f45bc0dd03e3d6bc66a23dc44de6e9f557e991caa5da69
MD5 hash:
9c534f10d1201a193d9bccc7ae9d86e4
SHA1 hash:
8b63ebfe77f60ff977dc12b31b73fc975be95110
Link:
https://www.unpac.me/results/9593958d-16cb-4c85-b971-9ba1841e5c87/
SH256 hash:
5715421db87e90b962c061ed1a9e6af443f012ddd61d0a0a3450212063416c4d
MD5 hash:
179e9c53d04c3b66d135bc6bd4480b75
SHA1 hash:
564514e182d9789c5ddb2b687c133e0d89df717a
Link:
https://www.unpac.me/results/9593958d-16cb-4c85-b971-9ba1841e5c87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5715421db87e90b962c061ed1a9e6af443f012ddd61d0a0a3450212063416c4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314817/

Comments