MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b
SHA3-384 hash: 17c95d31a68b903a7a91f67c272bf5b4065b9f70f01a676d8dd5281ee7b60b22184b41b82faf1ee6330c131fcc3af3f4
SHA1 hash: dcdc748bb8a8cb4d16c2d88e40fbd634b2396d42
MD5 hash: d06622833d3ee1c907d90bccec01ec74
humanhash: equal-queen-ink-jupiter
File name:HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
Download: download sample
File size:221'184 bytes
First seen:2022-09-29 12:32:59 UTC
Last seen:2024-07-24 14:56:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:o7DtWs7prq6+ouCpk2mpcWJ0r+QNTBf8JMzmmsoltIrRuw+mqv9j1MWLQKq7:o7Jpldk1cWQRNTB0izmDAtS
Threatray 235 similar samples on MalwareBazaar
TLSH T16124A5E0A780C0B5D8A74679843796A7A533B21DDE68494E3B89BF0B7D3334640379DB
TrID 59.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter petikvx
Tags:exe Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
448
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BY.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 00:44:53 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/61103a65-cc95-43bb-8d41-b687a550a9bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314764/
Detection(s):
SecuriteInfo.com.Malware.AI.392946571.12299.9836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Sending a custom TCP request
Changing a file
Reading critical registry keys
Modifying an executable file
Unauthorized injection to a recently created process
Launching a tool to kill processes
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Blocking a possibility to launch for cmd.exe command interpreter
Changing the Windows explorer settings
Stealing user critical data
Enabling autorun
Encrypting user's files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug hacktool mmc.exe packed packed ransomware shell32.dll
Link:
https://www.filescan.io/uploads/633590895c60ccc9fcfe82fe/reports/dd1d6a87-c593-4e79-9532-0cd77deb527a/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42e69c0f-e04c-4c4b-b051-3f5cdaf798be
Result
Threat name:
AESCRYPT Ransomware, BabaYaga, Babadeda,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1080302
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (overwrites its own PE header)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Found ransom note / readme
Found Tor onion address
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Yara detected AESCRYPT Ransomware
Yara detected Babadeda
Yara detected BabaYaga Ransomware
Yara detected Cobra Locker ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 712858 Sample: nSlwgx0Gbu.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->41 43 8 other signatures 2->43 8 nSlwgx0Gbu.exe 5 2->8         started        process3 file4 25 C:\Users\user\AppData\Local\...\something.exe, PE32 8->25 dropped 27 C:\Users\user\AppData\Local\...\BabaYaga.exe, PE32 8->27 dropped 11 BabaYaga.exe 6 3 8->11         started        15 something.exe 8 8->15         started        17 taskkill.exe 1 8->17         started        process5 file6 29 C:\Users\user\...\LIJDSFKJZG.jpg.enc (copy), DOS 11->29 dropped 31 C:\Users\user\Desktop\LIJDSFKJZG.jpg, DOS 11->31 dropped 33 C:\Users\user\Desktop\readme.txt, ASCII 11->33 dropped 35 3 other malicious files 11->35 dropped 45 Antivirus detection for dropped file 11->45 47 Multi AV Scanner detection for dropped file 11->47 49 Protects its processes via BreakOnTermination flag 11->49 55 4 other signatures 11->55 51 Detected unpacking (overwrites its own PE header) 15->51 53 Machine Learning detection for dropped file 15->53 19 cmd.exe 1 15->19         started        21 conhost.exe 17->21         started        signatures7 process8 process9 23 conhost.exe 19->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b/
Threat name:
ByteCode-MSIL.Ransomware.Gendarmerie
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 17:40:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2c7th5izuulbty5tro37zd4ql7rvwsxe7c36uahuepi5geqzonq._file
Verdict:
malicious
Similar samples:
064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac
40fa2841472cc954499bfa367343a445a348ec9312744bdfb32cc671489eccc7
4710c5debc1ad17a85ef82676a4b6b7e15054966de57b0f4bab61c4ede209830
5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
6e34f951634493ec7a71e5c3418ed7d973ffc87351a5459722e04016c94b1471
8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d
9bc57cb47132054e4fc642fdde80688017ef460270e75888c12bd8d7845e4bc4
b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945
cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9
+ 225 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion exploit persistence ransomware
Link:
https://tria.ge/reports/220929-pq7m2sagb7/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops desktop.ini file(s)
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE
Modifies extensions of user files
Possible privilege escalation attempt
Modifies WinLogon for persistence
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/62744ced-78de-4c9d-9e9a-bfa385b17a0c
Unpacked files
SH256 hash:
bed19c8647924a665df723bc139f962f244254eca50e24091af084b03e929df6
MD5 hash:
255157e43ec2bb21d5b8ec800f5d34ce
SHA1 hash:
9735fc4659abe4f99547002fd7cce8559bc77038
Link:
https://www.unpac.me/results/719103f8-93dd-47bd-ba73-a850d356f81e/
SH256 hash:
e2477685e5831120f9b424f99bbeee79f700d1cd3ccae025ea46172fc1433dae
MD5 hash:
b96f6781a1637637f0f25803545dae7b
SHA1 hash:
29cc78d4d641b6ad69b36e4e873e63f46010b21f
Link:
https://www.unpac.me/results/719103f8-93dd-47bd-ba73-a850d356f81e/
SH256 hash:
5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b
MD5 hash:
d06622833d3ee1c907d90bccec01ec74
SHA1 hash:
dcdc748bb8a8cb4d16c2d88e40fbd634b2396d42
Link:
https://www.unpac.me/results/719103f8-93dd-47bd-ba73-a850d356f81e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LegionLocker
Create hunting rule
Author:ditekSHen
Description:Detects LegionLocker ransomware
Rule name:MAL_RANSOM_COVID19_Apr20_1
Create hunting rule
Author:Florian Roth
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:MAL_RANSOM_COVID19_Apr20_1_RID2ECC
Create hunting rule
Author:Florian Roth
Description:Detects ransomware distributed in COVID-19 theme
Reference:https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest8
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314764/

Comments