MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6845211002813319a52b6d80f970da3a1f21d1035fdd6fe6f05dd067a131253e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6845211002813319a52b6d80f970da3a1f21d1035fdd6fe6f05dd067a131253e
SHA3-384 hash: c8fe2b74e13b25a55925ac5612520cf3bc3596f272ef86411e0798be1f790653709adff29184b1b68122da121e6a4a91
SHA1 hash: 7d876522e98410339c9bfcfa181bbdd198ac46fd
MD5 hash: bf48d6079ba8a53690ea35e88a47e4f7
humanhash: quebec-artist-uniform-monkey
File name:SecuriteInfo.com.Trojan.Encoder.31868.13923.7888
Download: download sample
Signature Expiro
Create hunting rule
File size:2'854'400 bytes
First seen:2020-06-04 12:34:50 UTC
Last seen:2020-06-04 13:31:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c2a6fbef41572f4c9ce8acb5a63cde7 (2 x Expiro, 1 x Nefilim, 1 x StealthWorker)
ssdeep 49152:SUNNStaC6puU4cUQbriMMZEV3Aei9xPDobNYsA6FoWkQPlNyCMM:SUTSUuU4cUQyM2EV3AvDaN3A6WWk04BM
Threatray 320 similar samples on MalwareBazaar
TLSH F8D56D02FCEA15EBCAFDF13085729761B671706843723BC35F94457A1A5AAE4AF2E304
Reporter SecuriteInfoCom
Tags:Expiro

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Encoder.31868.13923.7888.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win64.Ransomware.Sorena
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 03:38:00 UTC
File Type:
PE+ (Exe)
AV detection:
27 of 48 (56.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbcsceacqezrtjjlnwaps4g2hipsduidl7ow7zxqlxigpijreu7a._file
Verdict:
unknown
Similar samples:
24a74c858b9e16322e848c84a2e9e915f493da9580b5f4653eb236c836484738
Expiro
2ba2c20a826f51ed753f4f4dd78118d6f371a2fd5b4b0a2ff640c8f046d4fb55
Expiro
4381f3472301d8b680f90832edd05d853bcef530b48f0476ce7ad1f6b150434c
Expiro
8100b701682e9fb7c4165631216913054e2e201f4cd63274ff1151ade42098c9
Expiro
84783d501b78575f30aa33097f9c7c885542b892512403424fc069b048189e98
Expiro
a42efc31e09f7b51c6f7038b4d12f2fa66b233dfe8e2edf811d439617246d03e
Expiro
bb8510a80af2965bdca1fdb2218ebfaa2a72402c0b767c3fde6b7807baa647b5
Expiro
c755cbe34fdad2ee86d4c6226d040ea111489e468df67a70c32cb890d1ed90ac
Expiro
e20afb0d09a4e47be30404425e599d42071b310c01f0d9674567a4f3e284b62c
Expiro
fd975fd3af1f754bf7b03eca4ae29e3054f34f7176b26c2578efddde76947f70
Expiro
+ 310 additional samples on MalwareBazaar
Result
Malware family:
vashsorena
Create hunting rule
Score:
  10/10
Tags:
family:vashsorena ransomware spyware
Link:
https://tria.ge/reports/201109-yp99hlrdtn/
Behaviour
Kills process with taskkill
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates system info in registry
Modifies Control Panel
Modifies registry class
Suspicious use of SetWindowsHookEx
Drops file in Program Files directory
JavaScript code in executable
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Expiro

Executable exe 6845211002813319a52b6d80f970da3a1f21d1035fdd6fe6f05dd067a131253e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/379057/
  
Delivery method
Distributed via web download

Comments