MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66ec6a7bb5cec8d1205685833524b4f577af75570896e0b368f16e5ee0d2a955. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MilkmanVictory

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	66ec6a7bb5cec8d1205685833524b4f577af75570896e0b368f16e5ee0d2a955
SHA3-384 hash:	44b4958a3e551c5470dc1ab90d0ed8b17ee7e12373be79fcfd179d5d471aadd8773117cda130355f37c3522b6eb66665
SHA1 hash:	de1e804c81536890bccc963920095ade140b5173
MD5 hash:	65e18bae9b8c42b63bf3b969d3cdb6ca
humanhash:	wolfram-cardinal-earth-island
File name:	HEUR-Trojan-Ransom.MSIL.Agent.gen-66ec6a7bb5cec8d1205685833524b4f577af75570896e0b368f16e5ee0d2a955
Download:	download sample
Signature	MilkmanVictory Create hunting rule
File size:	15'328 bytes
First seen:	2022-09-21 04:04:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	192:VwmJXzXNuc0T+lKdOdabU2iB8CXg6Sm/hlVN4nLnC/31im5ccz5a86IoIfVp1Us:Km5+bU276HzV2nLKlXBEItfV4s
Threatray	30 similar samples on MalwareBazaar
TLSH	T1E662F81A37D88239F57F7E7AA973A2191771FA43DC26CE1C6598508D18B274C8A90F23
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	petikvx
Tags:	exe milkmanvictory Ransomware signed

Code Signing Certificate

Organisation:	DESKTOP-NPHDS94\Antig
Issuer:	DESKTOP-NPHDS94\Antig
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-05-16T07:19:08Z
Valid to:	2021-05-16T13:19:08Z
Serial number:	37eaffce3b0960b7479410f9c5cd5fad
Thumbprint Algorithm:	SHA256
Thumbprint:	c3328c7c50299c78cd71ac5b18f32f8aaf966d57d1b52fbe84a1a9b52adebcf3
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

398

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

milkman victory.zip

Verdict:

Suspicious activity

Analysis date:

2020-06-29 12:33:35 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/42b59dbe-ff3f-42e8-a8e2-28b29051351b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311871/

Detection(s):

Win.Ransomware.Hiddentear-9752356-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Changing a file

Reading critical registry keys

Modifying an executable file

Creating a file

DNS request

Moving of the original file

Stealing user critical data

Encrypting user's files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/632a8d8c397677696537abe6/reports/79420fa5-d6d0-415f-b72f-5963ed05659f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MilkmanVictory Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/017c0f5b-dda9-42ba-b1bc-aab7a1edf1e7

Result

Threat name:

MilkmanVictory

Detection:

malicious

Classification:

rans.troj

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1074252

Signature

Antivirus / Scanner detection for submitted sample

Found ransom note / readme

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for submitted file

Passes username and password via HTTP get

Snort IDS alert for network traffic

Yara detected MilkmanVictory Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66ec6a7bb5cec8d1205685833524b4f577af75570896e0b368f16e5ee0d2a955/

Threat name:

ByteCode-MSIL.Ransomware.HiddenTear

Status:

Malicious

First seen:

2020-05-16 17:36:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m3wgu65vz3encicwqwbtkjfu6v3265kxbclobm3i6fxf5ygsvfkq._file

Verdict:

malicious

MilkmanVictory

314e2e73917551cc14aae604b7b5966c25b4090fc80498760b69d606ba9b5fdd

MilkmanVictory

401ef7313f18b5c28eeb101392554cb7f13af2c00f9501ef92f045e2c458486f

MilkmanVictory

69d1c8462f71dd4283483577ba89fac2e505d549fd5c9f583194466ceda0d93c

MilkmanVictory

7a17a4c22417f911d2af4c7a90802c610c40a5494e577ad48a3291ec39ffaf27

MilkmanVictory

7cdd7e30c7091fd2fa3e879dd70087517412a165bf14c4ea4fd354337f22c415

MilkmanVictory

bd06c34a413a4ca8e49ec57f8ea6f52f69eb16c4fce86db93761c4da50c94edc

MilkmanVictory

bd536759944175a20fecaabcfa4740743d87ecfe9cc9b8c8adf4c0736ece4314

MilkmanVictory

ea40e7d13c60b9e59430c04c98eb834e0f64fc9f30cf9140726ca8713e843270

MilkmanVictory

fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd

MilkmanVictory

+ 20 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

ransomware

Link:

https://tria.ge/reports/220921-enh7kaehh3/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Sets desktop wallpaper using registry

Modifies extensions of user files

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/26793127-daad-4c1f-adb0-9632ef3c46d4

Unpacked files

SH256 hash:

66ec6a7bb5cec8d1205685833524b4f577af75570896e0b368f16e5ee0d2a955

MD5 hash:

65e18bae9b8c42b63bf3b969d3cdb6ca

SHA1 hash:

de1e804c81536890bccc963920095ade140b5173

Link:

https://www.unpac.me/results/eca22c77-7de3-4b7a-82df-88959b2dd8e3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/66ec6a7bb5ce/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.12

Link:

https://yomi.yoroi.company/submissions/66ec6a7bb5cec8d1205685833524b4f577af75570896e0b368f16e5ee0d2a955

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311871/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample