MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640dce63eee0174f579c4b7e9c5be5d343b7c92fa00bfa8b5939da503cc30b6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WannaCry

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	640dce63eee0174f579c4b7e9c5be5d343b7c92fa00bfa8b5939da503cc30b6f
SHA3-384 hash:	896a271f83712d79a2855f872944e4473b981d9c3af6818a542fd47de8ab5c9019ca62e85af1232df747747997fda639
SHA1 hash:	e62a3938f9e90cedb569610a2105c2e7d2435048
MD5 hash:	fd87758748797802178a51c34cc53aa5
humanhash:	montana-avocado-six-kilo
File name:	fd87758748797802178a51c34cc53aa5
Download:	download sample
Signature	WannaCry Create hunting rule
File size:	5'267'459 bytes
First seen:	2022-07-20 06:01:58 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	2e5708ae5fed0403e8117c645fb23e5b (874 x WannaCry, 4 x Worm.Virut)
ssdeep	98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPe1Cxcxk3ZAEUadzR8yc4H
Threatray	13'197 similar samples on MalwareBazaar
TLSH	T187363398612CB2FCF0450EB44473896AB7B33C6967BA4E1F9BC086660D53F5BAFD0641
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	openctibr
Tags:	dll OpenCTI.BR Sandboxed

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/292653/

Detection(s):

Win.Ransomware.Wanna-9769986-0

Win.Ransomware.Wannacryptor-9940180-0

Win.Ransomware.Wanacryptor-9942127-1

Win.Ransomware.WannaCry-6313787-0

Win.Malware.Djwy-6775897-0

Win.Ransomware.Wanna-6888027-0

Win.Ransomware.Wanna-6888334-0

Win.Malware.Djwy-6923377-0

Win.Exploit.Doublepulsar-7427328-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe greyware greyware overlay packed packed ransomware shell32.dll wanna wannacry worm

Link:

https://www.filescan.io/uploads/62d79add80dba4f80a251e6e/reports/f40550f4-899f-457b-9461-06fb11b719a8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a492f88c-90ff-44bc-a797-a85e3813d918

Result

Threat name:

Wannacry, Virut

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1037702

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/640dce63eee0174f579c4b7e9c5be5d343b7c92fa00bfa8b5939da503cc30b6f/

Threat name:

Win32.Ransomware.WannaCry

Status:

Malicious

First seen:

2017-10-19 06:55:11 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mqg44y7o4alu6v44jn7jyw7f2nb3psjpuaf7vc2zhhnfapgdbnxq._file

Verdict:

malicious

WannaCry

69d11b63913d84025f1469123b83bb21066a274f2240f87e119f49362abbc9ca

WannaCry

8167a2eb7ddb581480903b49be8644972c638a83d878df59a34bc0dff0338170

WannaCry

83d1b64a9bca34640ec3722e9ef0dcb18669ec1b5a866f4e7517e760005b7d73

WannaCry

84382639746a15b8d22e688cc3dd7a30f6fda64f18580348b14c23aa34c8a6cd

WannaCry

8fa3eaa46c7d8d1f44a2eeca895f802f2aa7a2251bab347ccb765c72d63ccb58

WannaCry

9a52b3add7580749d5c6fac089238e11939a8926ae5f9482a61a25ad7182a21f

WannaCry

a60b47e8c834aa97ddda9bd70dd41d8dc61649fd878ea913bc242ae79fe8cc77

WannaCry

b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30

WannaCry

fd9bb6bf944bfc60dee7e7c762615be99ce4bd822df2af5df8ec0bf8cab2d805

WannaCry

+ 13'187 additional samples on MalwareBazaar

Result

Malware family:

wannacry

Score:

10/10

Tags:

family:wannacry discovery evasion ransomware worm

Link:

https://tria.ge/reports/220720-grgh9adabp/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Drops file in System32 directory

Creates a large amount of network flows

Contacts a large (1228) amount of remote hosts

Executes dropped EXE

Contacts a large (3221) amount of remote hosts

Modifies firewall policy service

Wannacry

Unpacked files

SH256 hash:

640dce63eee0174f579c4b7e9c5be5d343b7c92fa00bfa8b5939da503cc30b6f

MD5 hash:

fd87758748797802178a51c34cc53aa5

SHA1 hash:

e62a3938f9e90cedb569610a2105c2e7d2435048

Link:

https://www.unpac.me/results/55d9f6a0-ca6e-4d2c-b23a-b935ff349255/

Malware family:

WannaCry

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/640dce63eee0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/640dce63eee0174f579c4b7e9c5be5d343b7c92fa00bfa8b5939da503cc30b6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	WannaCry_Ransomware Create hunting rule
Author:	Florian Roth (with the help of binar.ly)
Description:	Detects WannaCry Ransomware
Reference:	https://goo.gl/HG2j5T

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/292653/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample