MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zeppelin

Vendor detections: 7

SHA256 hash: 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
SHA3-384 hash: 669daea405aec01f5293dfbeeffec99e451b8cdd38d5ff87f0baea57aaf3926feebe9270b9e797e983c6e2d21fff79e3
SHA1 hash: 7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7
MD5 hash: ada523db2c2418fa37398c41b370c125
humanhash: football-seventeen-lemon-foxtrot
File name: 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin
Signature: Zeppelin
File size: 262'144 bytes
First seen: 2020-11-06 15:28:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8acb34bed3caa60cae3f08f75d53f727 (15 x Zeppelin)
ssdeep: 6144:Qia1gMHvEXtAuL5Qnqn64DQFu/U3buRKlemZ9DnGAe+h9w+8:QIMH2Gw5Qb4DQFu/U3buRKlemZ9DnGAK
Threatray: 13 similar samples on MalwareBazaar
TLSH: C7448D36AAC08937D1321E3CDE4E52AE516FBA301E18585779E81F8D9F7D3A2652C1C3
Reporter: Arkbird_SOLG
Tags: buran Ransomware retrohunt Zeppelin
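Before a downloaded copy of this sample goes anywhere near an analysis VM or a sharing channel, confirm that the bytes you hold are the object this entry describes. The Python below is an added example, not code from MalwareBazaar or abuse.ch: it takes the hashes, size and file type from the table above and reports every mismatch against a local file. The `fake_pe` helper and the data it produces are constructed for self-testing only and are not a real binary.

```python
"""Check a local file against the identifiers MalwareBazaar publishes for a sample.

Added example, not MalwareBazaar/abuse.ch code. ENTRY holds the values shown on
this page; fake_pe() builds a constructed MZ/PE header skeleton for self-test.
"""
import hashlib
import sys
from typing import Dict, List

# Values copied from the entry above.
ENTRY: Dict[str, object] = {
    "sha256": "66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af",
    "sha3_384": "669daea405aec01f5293dfbeeffec99e451b8cdd38d5ff87f0baea57aaf3926feebe9270b9e797e983c6e2d21fff79e3",
    "sha1": "7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7",
    "md5": "ada523db2c2418fa37398c41b370c125",
    "size": 262144,        # "262'144 bytes" on the page
    "file_type": "exe",    # "Executable exe" on the page
}


def digest_all(data: bytes) -> Dict[str, str]:
    """Compute the four digests MalwareBazaar lists for every sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """Cheap structural check for 'Executable exe': an MZ stub whose e_lfanew
    points at a 'PE\\0\\0' signature. Not a full PE parser."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def verify(data: bytes, entry: Dict[str, object] = ENTRY) -> List[str]:
    """Return a list of mismatches between the bytes and the entry; [] means they agree."""
    problems: List[str] = []
    got = digest_all(data)
    for name, computed in got.items():
        if entry.get(name) and entry[name] != computed:
            problems.append(f"{name} mismatch: entry {entry[name]}, file {computed}")
    if len(data) != entry["size"]:
        problems.append(f"size mismatch: entry {entry['size']} bytes, file {len(data)} bytes")
    if entry.get("file_type") == "exe" and not is_pe(data):
        problems.append("file_type mismatch: entry says exe but no MZ/PE headers found")
    return problems


def fake_pe(size: int = 0x100) -> bytes:
    """Constructed minimal MZ/PE header skeleton for self-test; not a real executable."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)        # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")           # e_lfanew -> offset 0x40
    hdr += b"PE\0\0"                              # PE signature at 0x40
    return bytes(hdr.ljust(size, b"\0"))


if __name__ == "__main__":
    # Usage: python check_sample.py <path-to-downloaded-sample>
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else fake_pe()
    for line in verify(blob) or ["all identifiers match the entry"]:
        print(line)
```

Any non-empty result means the file is not the one indexed here (wrong download, a re-packed copy, or a still-zipped archive), so stop and re-fetch rather than analyse it under this entry's name. The PE check is deliberately shallow: it catches the common case of checking an archive or a text file by mistake, not a malformed PE.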

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'994
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Ransomware.Zeppelin
Status: Malicious
First seen: 2020-09-30 07:18:00 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:buran persistence ransomware
Behaviour
Interacts with shadow copies
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Modifies service
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
ServiceHost packer
Buran
Unpacked files
SHA256 hash: 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
MD5 hash: ada523db2c2418fa37398c41b370c125
SHA1 hash: 7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7
Detections: win_zeppelin_ransomware_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
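The vendor behaviour lists above summarise what the sample did when detonated; they are most useful when the same behaviours can be recognised in your own telemetry. The Python below is an added example, not code from MalwareBazaar or from any vendor whose verdict appears on this page. It scores a process's event stream against four of the listed behaviours (Run-key persistence, shadow-copy deletion, dropping into Program Files, mass extension changes). The event schema, the constructed sample events, the `.locked` extension and the command-line patterns assumed for "Deletes shadow copies" (vssadmin, wmic, Win32_ShadowCopy) are the editor's assumptions, not facts the entry states.

```python
"""Score sandbox/EDR events for a process against behaviours listed on this entry.

Added example, not MalwareBazaar or vendor code. Event schema, SAMPLE_EVENTS,
BENIGN_EVENTS and the shadow-copy command patterns are constructed/assumed here.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Registry path taken from the page ("Software\Microsoft\Windows\CurrentVersion\Run"),
# accepted under any hive prefix (HKCU, HKLM, HKU\<SID>).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)
# Assumption: how "Deletes shadow copies" commonly surfaces on a command line.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy",
    re.I,
)
PROGRAM_FILES = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)


def _ext(path: str) -> str:
    """Lower-cased final extension of a Windows path, '' if the file name has none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def triage(events: Iterable[Dict[str, str]], rename_threshold: int = 5) -> Dict[str, object]:
    """Map raw events onto the behaviour names used on the page.

    rename_threshold: how many files must acquire the same new extension before
    the activity counts as "Modifies extensions of user files" (chosen here, not
    a vendor value)."""
    hits = set()
    new_exts: Counter = Counter()
    for ev in events:
        kind = ev.get("type")
        if kind == "registry_set" and RUN_KEY.search(ev.get("key", "")):
            hits.add("Adds Run key to start application")
        elif kind == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            hits.add("Deletes shadow copies")
        elif kind == "file_create" and PROGRAM_FILES.match(ev.get("path", "")):
            hits.add("Drops file in Program Files directory")
        elif kind == "file_rename":
            old, new = _ext(ev.get("src", "")), _ext(ev.get("dst", ""))
            if new and new != old:          # only count renames that change the extension
                new_exts[new] += 1
    ext, count = new_exts.most_common(1)[0] if new_exts else ("", 0)
    mass_rename = count >= rename_threshold
    if mass_rename:
        hits.add("Modifies extensions of user files")
    return {
        "behaviours": sorted(hits),
        "dominant_new_extension": ext if mass_rename else "",
        # Shadow-copy removal plus mass extension change is the pairing that
        # separates ransomware from a generic persistence/dropper profile.
        "ransomware_like": {"Deletes shadow copies", "Modifies extensions of user files"} <= hits,
    }


# Constructed events in the shape an EDR/sandbox might emit; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file_create", "path": r"C:\Program Files\Common Files\svc.exe"},
    {"type": "file_rename", "src": r"C:\Users\u\draft.docx", "dst": r"C:\Users\u\draft.pdf"},  # one-off, benign
] + [
    {"type": "file_rename",
     "src": rf"C:\Users\u\Documents\f{i}.xlsx",
     "dst": rf"C:\Users\u\Documents\f{i}.xlsx.locked"}   # ".locked" is a placeholder extension
    for i in range(6)
]

BENIGN_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "cmdline": "notepad.exe C:\\Users\\u\\notes.txt"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"type": "file_rename", "src": r"C:\Users\u\draft.docx", "dst": r"C:\Users\u\draft.pdf"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(triage(BENIGN_EVENTS))
```

The threshold is the knob to tune: set it too low and an archive tool or a build script that renames a handful of files will trip "Modifies extensions of user files"; the shadow-copy pattern has no threshold because a single `vssadmin delete shadows` from a non-administrative workflow is already worth an alert. The other behaviours on the page (AdjustPrivilegeToken, WriteProcessMemory, external IP lookup) need richer API-level telemetry than the flat events modelled here.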
