MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c99bd2354d8922cd7cce1ae7660ddbb05bc008aa8279ba666cd90325a3a3bc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WannaCry

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	5c99bd2354d8922cd7cce1ae7660ddbb05bc008aa8279ba666cd90325a3a3bc0
SHA3-384 hash:	0a0bc25c9a10f8648760e3650f60c500328dca092fce31af14fefce324ba0aa4e9cf04a8fb9fb49849f3ebed7b17cdf7
SHA1 hash:	99669b70f7aa1fb82abba38c1785512aa0048049
MD5 hash:	44cb07cad6cb86b1644045ce8bbce418
humanhash:	jersey-ceiling-maine-montana
File name:	44cb07cad6cb86b1644045ce8bbce418
Download:	download sample
Signature	WannaCry Create hunting rule
File size:	5'267'459 bytes
First seen:	2022-07-20 05:45:26 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	2e5708ae5fed0403e8117c645fb23e5b (874 x WannaCry, 4 x Worm.Virut)
ssdeep	12288:pvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D/z:JbLgddQhfdmMSirYbcMNgef0y
Threatray	13'194 similar samples on MalwareBazaar
TLSH	T15F362356366C81FCC11A5234A0634936EAB77C6A22BD970F8B94CB560D13750BFB8F47
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	openctibr
Tags:	dll OpenCTI.BR Sandboxed

Intelligence

File Origin

# of uploads :

# of downloads :

220

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/292622/

Detection(s):

Win.Ransomware.Wanna-9769986-0

Win.Dropper.Mikey-9810063-0

Win.Ransomware.Wannacryptor-9940180-0

Win.Ransomware.Wanacryptor-9942127-1

Win.Ransomware.WannaCry-6313787-0

Win.Malware.Djwy-6775897-0

Win.Ransomware.Wanna-6888334-0

Win.Malware.Djwy-6923377-0

Win.Exploit.Doublepulsar-7427328-0

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe greyware greyware overlay packed ransomware shell32.dll wanna wannacry worm

Link:

https://www.filescan.io/uploads/62d7972680dba4f80a251bbb/reports/70178529-5561-4e9f-8fce-d6c978a25452/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ad6fab9f-5f62-4a05-aaf7-e89b09adbda3

Result

Threat name:

Wannacry, Virut

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037736

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5c99bd2354d8922cd7cce1ae7660ddbb05bc008aa8279ba666cd90325a3a3bc0/

Threat name:

Win32.Ransomware.WannaCry

Status:

Malicious

First seen:

2019-06-21 07:35:34 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lsm32i2u3cjczv6m4gxhmyg5xmc3yaekvatzxjtgzwidewr2hpaa._file

Verdict:

malicious

WannaCry

37613693f8ec6c691c81d4a1560bef4d0f7d24ff60f77763edf2d994b44eed63

WannaCry

640dce63eee0174f579c4b7e9c5be5d343b7c92fa00bfa8b5939da503cc30b6f

WannaCry

6448d228f342fb138a747f8fa317b004553f36f83fdd1b200baf80b7b9d9f5da

WannaCry

69d11b63913d84025f1469123b83bb21066a274f2240f87e119f49362abbc9ca

WannaCry

8167a2eb7ddb581480903b49be8644972c638a83d878df59a34bc0dff0338170

WannaCry

83d1b64a9bca34640ec3722e9ef0dcb18669ec1b5a866f4e7517e760005b7d73

WannaCry

9a52b3add7580749d5c6fac089238e11939a8926ae5f9482a61a25ad7182a21f

WannaCry

a60b47e8c834aa97ddda9bd70dd41d8dc61649fd878ea913bc242ae79fe8cc77

WannaCry

fd9bb6bf944bfc60dee7e7c762615be99ce4bd822df2af5df8ec0bf8cab2d805

WannaCry

+ 13'184 additional samples on MalwareBazaar

Result

Malware family:

wannacry

Score:

10/10

Tags:

family:wannacry discovery evasion ransomware worm

Link:

https://tria.ge/reports/220720-ggbj9achbr/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Drops file in System32 directory

Creates a large amount of network flows

Contacts a large (1263) amount of remote hosts

Executes dropped EXE

Contacts a large (3111) amount of remote hosts

Modifies firewall policy service

Wannacry

Unpacked files

SH256 hash:

5c99bd2354d8922cd7cce1ae7660ddbb05bc008aa8279ba666cd90325a3a3bc0

MD5 hash:

44cb07cad6cb86b1644045ce8bbce418

SHA1 hash:

99669b70f7aa1fb82abba38c1785512aa0048049

Link:

https://www.unpac.me/results/b16dbe95-b35f-41a0-b6d4-e17d7fd56321/

Malware family:

WannaCry

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5c99bd2354d8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/5c99bd2354d8922cd7cce1ae7660ddbb05bc008aa8279ba666cd90325a3a3bc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	WannaCry_Ransomware Create hunting rule
Author:	Florian Roth (with the help of binar.ly)
Description:	Detects WannaCry Ransomware
Reference:	https://goo.gl/HG2j5T

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/292622/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample