MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WannaCry


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c
SHA3-384 hash: fde455991841a8a98e14ec345d39ffac1bd0c5197b1c0e1b47b36c0cc2ab29c8df5b4cd780ab9b56ecf337fb481b4cbb
SHA1 hash: 2f7ff48cb432122cdde2961e9cd0feb18d767227
MD5 hash: 4c5639ca18826695f459ccfc92c44f0e
humanhash: romeo-beryllium-glucose-louisiana
File name:Merzoct.exe
Download: download sample
Signature WannaCry
Create hunting rule
File size:25'155'584 bytes
First seen:2025-11-13 21:21:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'919 x AgentTesla, 19'821 x Formbook, 12'309 x SnakeKeylogger)
ssdeep 393216:uAmMJ8cQxLpkl58huW4EMo5b5qidkwqc6dDoRRFRobdzUFX4fCssymlwcaIXKz0T:5TycQxLpkMhuhtTidkDjDorXdQinJZ/a
Threatray 773 similar samples on MalwareBazaar
TLSH T1CA4733F4F7357A68E9982DFA84275353916014625AC78E27E3F2079293333EFB9026D1
TrID 75.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.9% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.1% (.ICL) Windows Icons Library (generic) (2059/9)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:exe RUS WannaCry


Avatar
iamaachum
https://wdfiles.ru/1utk2

Intelligence

File Origin
# of uploads :
1
# of downloads :
382
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
WanaCry
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38149/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69164be0bdb0ec3a9dc10b04
Tags:
wannacry autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Creating a process with a hidden window
Running batch commands
Reading critical registry keys
Moving a recently created file
Changing a file
Creating a window
Searching for synchronization primitives
Searching for the window
Moving a file to the %temp% directory
Replacing files
Unauthorized injection to a recently created process
Stealing user critical data
Creating a file in the mass storage device
Encrypting user's files
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-13T13:44:00Z UTC
Last seen:
2025-11-14T17:56:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan-Ransom.Win32.Wanna.zbu HEUR:Trojan-Spy.MSIL.Stealer.gen HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Exnet.gen
Link:
https://opentip.kaspersky.com/695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c/results?tab=lookup
Result
Threat name:
Wannacry, Conti
Create hunting rule
Detection:
malicious
Classification:
rans.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1813819
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Detected Wannacry Ransomware
Drops PE files to the document folder of the user
Found stalling execution ending in API Sleep call
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Wannacry ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1813819 Sample: Merzoct.exe Startdate: 13/11/2025 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 6 other signatures 2->57 8 Merzoct.exe 4 2->8         started        process3 file4 37 C:\Users\user\AppData\...\WannaCrypt0r.exe, PE32 8->37 dropped 39 C:\Users\user\...\Killer Clown 2.0.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\...\Merzoct.exe.log, CSV 8->41 dropped 11 WannaCrypt0r.exe 2 1001 8->11         started        15 Killer Clown 2.0.exe 37 29 8->15         started        process5 file6 43 C:\Users\user\Documents\@WanaDecryptor@.exe, PE32 11->43 dropped 45 C:\Users\user\Desktop\YPSIACHYXW.docx, DOS 11->45 dropped 47 C:\Users\user\Desktop\@WanaDecryptor@.exe, PE32 11->47 dropped 49 11 other malicious files 11->49 dropped 63 Detected Wannacry Ransomware 11->63 65 Multi AV Scanner detection for dropped file 11->65 67 Creates files in the recycle bin to hide itself 11->67 69 7 other signatures 11->69 17 cmd.exe 11->17         started        21 taskdl.exe 11->21         started        23 attrib.exe 11->23         started        25 24 other processes 11->25 signatures7 process8 file9 35 C:\Users\user\AppData\Local\Temp\m.vbs, ASCII 17->35 dropped 59 Command shell drops VBS files 17->59 27 conhost.exe 17->27         started        29 cscript.exe 17->29         started        61 Multi AV Scanner detection for dropped file 21->61 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Link:
https://app.malva.re/file/4c5639ca18826695f459ccfc92c44f0e
Gathering data
Verdict:
Malicious
Threat:
Family.WANNACRY
Link:
https://tip.neiki.dev/file/695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 21:21:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfirjvpvb57mctxokffxhegbrxrhloba6ivpe4jzqmvvst3zr4ga._file
Verdict:
malicious
Label(s):
wannacryptor
Create hunting rule
unc_loader_063
Create hunting rule
Similar samples:
0849b85e16da3b4fc89ec373fd9f42dc6cfa61f5592792bf48991f1e8d544d3a
WannaCry
1334569f29339f990ca7a43d323666c6d1b27d7c5d884c287e254aa8b7345daf
WannaCry
5064c5a2e7ead815daffd1dc3126ce6286240404f4416ce5f4f5550fa3c3a820
WannaCry
52f418cf6a5177d34668b112a0eb6c3621d7f1fbc046caded45d3750513f539d
WannaCry
6434bad20d634f234a51fef43cf45be1b023bc19cdf17918f5bfe6e94c885997
WannaCry
76bac32537fe948a8a8b2a4d7cd9877b8d0f603e39298e13c2534c5ef5063e8f
WannaCry
error
WannaCry
+ 763 additional samples on MalwareBazaar
Result
Malware family:
wannacry
Create hunting rule
Score:
  10/10
Tags:
family:wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
Link:
https://tria.ge/reports/251113-z7jyesbr2v/
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Sets desktop wallpaper using registry
Adds Run key to start application
Enumerates connected drives
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Deletes shadow copies
Wannacry
Wannacry family
Verdict:
Malicious
Tags:
ransomware Win.Ransomware.Wannacry-9982112-0
YARA:
WannaDecryptor
Link:
https://app.threat.zone/submission/4f70ea49-c7b4-44f6-915d-f42062317d20
Malware family:
WannaCry
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/695114d5f50f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Zbot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:WanaCry
Create hunting rule
Author:kevoreilly
Description:WanaCry Payload
Rule name:Windows_Ransomware_WannaCry_d9855102
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

WannaCry

Executable exe 695114d5f50f7ec14eee514b7390c18de275b820f22af27139832b594f798f0c

(this sample)

  
Link
https://tria.ge/251113-z2jqga1kev/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38149/

Comments


Avatar
commented on 2025-11-14 14:26:48 UTC

Now I understand why hell exists