MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c90dc8a2bebed531a198159e4fc02c11aabf4a53eb6ce1036795db807e0fe44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BitRansomware


Vendor detections: 11



SHA256 hash: 5c90dc8a2bebed531a198159e4fc02c11aabf4a53eb6ce1036795db807e0fe44
SHA3-384 hash: 8c69445fe873f212e0637c1f79b2b9c0920cb549905e6d996d9e151a5fe2bb7d223c6e74a111d0462401ba8e832945e9
SHA1 hash: c079555c39aff8fcb83174fc7785fb1fae2a4bdd
MD5 hash: 0b71d4d1c712ea86e949ea7e9d22eaec
humanhash: two-ack-queen-winter
File name: 0b71d4d1c712ea86e949ea7e9d22eaec.exe
Signature: BitRansomware
File size: 855'552 bytes
First seen: 2022-01-24 06:59:05 UTC
Last seen: 2022-01-24 09:10:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:JqCU6ZuxQAks9YirgiKQJAKqVI0+z0D0eCE40Vl/LUmsC+LzuwuBaWG:JxU6Z9A/YiJl1qK0/9rLUgy6baWG
Threatray: 89 similar samples on MalwareBazaar
TLSH: T1BA0523137224CA5DE30482340C57C4BFB5BA7D25DF168A2B7ADBBF8FB1B99172940246
Reporter: abuse_ch
Tags: BitRansomware exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 311
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5c90dc8a2bebed531a198159e4fc02c11aabf4a53eb6ce1036795db807e0fe44.exe
Verdict: Suspicious activity
Analysis date: 2022-01-24 10:16:15 UTC
Tags: ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Creating a file
Creating a window
DNS request
Moving a recently created file
Changing a file
Modifying an executable file
Searching for synchronization primitives
Creating synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Modifying a system executable file
Moving of the original file
Forced shutdown of a system process
Unauthorized injection to a system process
Encrypting user's files
Forced shutdown of a browser
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BitRansomware
Verdict: Malicious

Result
Threat name: Covid19 Cryptolocker
Detection: malicious
Classification: rans.spre.expl.evad
Score: 100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Covid19 Ransomware
Yara detected Cryptolocker ransomware
Yara detected UAC Bypass using CMSTP
Threat name: ByteCode-MSIL.Trojan.CrypterX
Status: Malicious
First seen: 2022-01-24 07:00:13 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 18 of 28 (64.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence ransomware
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Modifies Installed Components in the registry
Modifies extensions of user files
Looks for VirtualBox Guest Additions in registry
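The last three entries in the list above (BIOS information, the VMware Tools key, the VirtualBox Guest Additions key) are the classic registry-based virtual-machine checks. The following is an added example, not part of the MalwareBazaar page or of any vendor's sandbox: it runs simple detection logic over a handful of constructed, EDR-style registry-read events and flags a process that reads keys from two or more distinct VM-fingerprint categories, so that a single product's own service reading its own key is not flagged. The event format, the process IDs and the benign vmtoolsd.exe and explorer.exe lines are assumptions made for the example; only the sample file name is taken from the entry. Sysmon does not log registry reads (its registry events 12, 13 and 14 cover key create/delete, value set and rename), so a trace like this has to come from an EDR, an ETW consumer or a sandbox.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed, EDR-style registry-read events, one per line.  PIDs, the benign
# vmtoolsd.exe / explorer.exe lines and the format itself are assumptions for
# this example; the sample file name is the one in the MalwareBazaar entry.
SAMPLE_EVENTS = r"""
2022-01-24T10:16:20Z pid=3412 image=C:\Users\user\Desktop\0b71d4d1c712ea86e949ea7e9d22eaec.exe op=RegOpenKey path=HKLM\SOFTWARE\VMware, Inc.\VMware Tools
2022-01-24T10:16:20Z pid=3412 image=C:\Users\user\Desktop\0b71d4d1c712ea86e949ea7e9d22eaec.exe op=RegOpenKey path=HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
2022-01-24T10:16:20Z pid=3412 image=C:\Users\user\Desktop\0b71d4d1c712ea86e949ea7e9d22eaec.exe op=RegQueryValue path=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
2022-01-24T10:16:21Z pid=3412 image=C:\Users\user\Desktop\0b71d4d1c712ea86e949ea7e9d22eaec.exe op=RegQueryValue path=HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
2022-01-24T10:16:25Z pid=1180 image=C:\Program Files\VMware\VMware Tools\vmtoolsd.exe op=RegOpenKey path=HKLM\SOFTWARE\VMware, Inc.\VMware Tools
2022-01-24T10:16:30Z pid=2044 image=C:\Windows\explorer.exe op=RegQueryValue path=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"""

# "image" may contain spaces (Program Files), so it is matched non-greedily up
# to the " op=" token; "path" is everything after "path=".
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) path=(?P<path>.+)$"
)

# Registry locations commonly read to decide whether the host is a VM, grouped
# into categories so that several reads of one product's keys count once.
VM_FINGERPRINT_KEYS = {
    "vmware_tools":   r"hklm\software\vmware, inc.\vmware tools",
    "vbox_additions": r"hklm\software\oracle\virtualbox guest additions",
    "bios_strings":   r"hklm\hardware\description\system\systembiosversion",
    "video_bios":     r"hklm\hardware\description\system\videobiosversion",
}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line into its fields, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def vm_category(path: str) -> Optional[str]:
    """Map a registry path to a VM-fingerprint category, or None if it is not one."""
    p = path.lower()
    for cat, prefix in VM_FINGERPRINT_KEYS.items():
        if p.startswith(prefix):
            return cat
    return None


def detect_vm_fingerprinting(events_text: str, min_categories: int = 2) -> Dict[int, Dict[str, object]]:
    """Return {pid: {"image": ..., "categories": [...]}} for every process that
    read keys from at least `min_categories` distinct VM-fingerprint categories."""
    hits: Dict[int, set] = defaultdict(set)
    images: Dict[int, str] = {}
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        cat = vm_category(ev["path"])
        if cat is None:
            continue
        pid = int(ev["pid"])
        hits[pid].add(cat)
        images[pid] = ev["image"]
    return {
        pid: {"image": images[pid], "categories": sorted(cats)}
        for pid, cats in hits.items()
        if len(cats) >= min_categories
    }


if __name__ == "__main__":
    for pid, info in detect_vm_fingerprinting(SAMPLE_EVENTS).items():
        print(pid, info["image"], ",".join(info["categories"]))
```

With the default threshold only PID 3412 is reported; lowering `min_categories` to 1 also reports vmtoolsd.exe, which is exactly the false positive the category count is there to avoid. The key list is deliberately short; a production rule would add the hypervisor service names, SMBIOS strings and device names that the sandbox reports above also allude to.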
Unpacked files
SHA256 hash: ad073540395de9b3b27de32d6c536be1000ab87a9e13be30f7ad8256659563b3
MD5 hash: 12091e1fa43eedd807c783ef3eaaf45f
SHA1 hash: dfaed07fcebd80c9661498ad336e331bbd41b2ab
Detections: win_adhubllka_a0 win_adhubllka_auto

SHA256 hash: 5d308543f73ccc87dccef3c8c9368229e170ca6bf42f6fb11d2dcfb882759a8a
MD5 hash: e4c87575fbb9bf93f39b797bc540f329
SHA1 hash: b059138f86346085561cd3d083b546272b90a3e4

SHA256 hash: f8af82436d329077f704f4b3956ae4159ddf854c7a49fb659185ff3c7c1acf1b
MD5 hash: 6c99460b314a447166a6cd3f579ca263
SHA1 hash: 2291c521be2929e27e707f3422cae93de6232209

SHA256 hash: 70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash: 5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash: 0bc54fd699fff7b93e5c447a141c0d904924ab0d

SHA256 hash: 81c3028729a1470d363c5a1cfac2c7aeac98986a79b59ee4934f9c695c80e290
MD5 hash: 8248a61823722f2ecf2b3ca5eae9c434
SHA1 hash: 7136cb4b2352061f869e736ec147fd9d913c2449

SHA256 hash: 169ee4513be689a9307e8c6430b472a9456e053330866491f24566cc458bb441
MD5 hash: c2fa12ab286e673f745d712264a44233
SHA1 hash: 462253099bca44c1524825210cb54e2aee33a2a9

SHA256 hash: 08cc4760e6ee65e6c8da270575348d3748698be6db0b779fd748bf0566feefa4
MD5 hash: 99e359192061184f1d75c3545e348ea7
SHA1 hash: 169e5a8c57059ea9e12661f6c596339d49f5c2cf

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash: a35ee23aaab26afc575ac83df9572b57
SHA1 hash: 81ea38c694ce9702faddfb961f17c1bbf628a76d

SHA256 hash: e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash: 5cac4fe734fc8454ccb847e030beee38
SHA1 hash: 34298fe220e35f614b2c837cf1dc2604ab0882d6

SHA256 hash: 5c90dc8a2bebed531a198159e4fc02c11aabf4a53eb6ce1036795db807e0fe44 (this sample)
MD5 hash: 0b71d4d1c712ea86e949ea7e9d22eaec
SHA1 hash: c079555c39aff8fcb83174fc7785fb1fae2a4bdd
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_adhubllka_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.adhubllka.
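Both pe_imphash and Skystars_Malware_Imphash key on the imphash shown in the entry header, and that value, f34d5f2d4577ed6d9ceec516c1f5a744, is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples for a structural reason rather than a lineage one: it is the imphash of every .NET executable, because the managed loader stub imports exactly one symbol, mscoree.dll!_CorExeMain. The vendor results above classify this file as a .NET exe (ByteCode-MSIL, "PE (.Net Exe)"), so the imphash matches and the imphash-based YARA hits say nothing about the family. The example below is added here and is not MalwareBazaar, pefile or YARA code; it reimplements the imphash construction that pefile and YARA's pe.imphash() share (DLL name lowercased with a .dll/.ocx/.sys extension stripped, joined with the lowercase function name as "dll.func", entries comma-joined in import-table order, MD5 of the result), omitting pefile's ordinal-to-name table for ws2_32 and oleaut32, and shows that the generic .NET import table reproduces the entry's value while two constructed native import lists neither collide with it nor with each other.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# Import table of any .NET PE: a single symbol from mscoree.dll.  This is a
# general fact about managed binaries, not something read from the sample.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]
DOTNET_DLL_IMPORTS = [("mscoree.dll", "_CorDllMain")]

# Constructed native import lists, used only to show that the hash is
# order-sensitive and does not collide with the .NET value.  Not from any sample.
NATIVE_IMPORTS_A = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "CryptEncrypt"),
    ("WS2_32.dll", 23),          # import by ordinal
]
NATIVE_IMPORTS_B = list(reversed(NATIVE_IMPORTS_A))


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """Imphash as pefile / YARA pe.imphash() compute it, without the
    ws2_32 / oleaut32 ordinal-to-name lookup (unknown ordinals become "ordN")."""
    parts: List[str] = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# The two values every managed exe / dll produces; matching on them matches
# the whole .NET ecosystem, not a family.
GENERIC_DOTNET_IMPHASHES = {imphash(DOTNET_EXE_IMPORTS), imphash(DOTNET_DLL_IMPORTS)}


def imphash_is_pivotable(value: str) -> bool:
    """False when the imphash is one of the generic .NET values and therefore
    useless as a hunting, clustering or YARA key."""
    return value.lower() not in GENERIC_DOTNET_IMPHASHES


if __name__ == "__main__":
    for label, imps in [("dotnet exe", DOTNET_EXE_IMPORTS),
                        ("native A", NATIVE_IMPORTS_A),
                        ("native B", NATIVE_IMPORTS_B)]:
        h = imphash(imps)
        print(label, h, "pivotable" if imphash_is_pivotable(h) else "generic .NET")
```

The practical consequence for this entry: the 89 Threatray similar samples and the ssdeep/TLSH values are the usable similarity pivots here, while a YARA rule whose condition is `pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744"` would fire on every managed executable on a host. For .NET samples, hash the typeref/memberref tables or the managed method bodies instead.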

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: BitRansomware
Sample: Executable exe 5c90dc8a2bebed531a198159e4fc02c11aabf4a53eb6ce1036795db807e0fe44 (this sample)
