MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Targeted


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330
SHA3-384 hash: 4eec4ef8c9dbf785c134c4713a0915278232782d88ac301e24526949a4be8da1ba4a2e09990ab94ff9eab41df2372d7e
SHA1 hash: 8a1d92c8e5b7a5b3a6a34137c9eee01f89cd5564
MD5 hash: 70c464221d3e4875317c9edbef04a035
humanhash: helium-fillet-illinois-nitrogen
File name:70c464221d3e4875317c9edbef04a035
Download: download sample
Signature Targeted
Create hunting rule
File size:144'896 bytes
First seen:2023-01-28 02:55:29 UTC
Last seen:2023-03-23 22:10:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d59243e057545e233bed18dcd0f74e50 (2 x Targeted, 1 x Mallox)
ssdeep 3072:EpcLP/OYl2YNm96RhybfaX4mZd0+x02dfw5apKyu7dLzLV+hhgxQA:Epcflpi62bSX4B+7KVohyxQ
TLSH T194E36C527AD1C472E2B30E311974EA725A3FFD305F21AA5F639402AE9F305D0A931E67
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe Targeted

Intelligence

File Origin
# of uploads :
4
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
70c464221d3e4875317c9edbef04a035
Verdict:
Malicious activity
Analysis date:
2023-01-28 02:57:01 UTC
Tags:
evasion ransomware
Link:
https://app.any.run/tasks/9aa88966-0a29-4846-9c56-0a4cfa674875

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357665/
Detection(s):
Win.Ransomware.Rapid-9371249-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a file in the Program Files subdirectories
Changing a file
Running batch commands
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Launching a service
Sending a custom TCP request
Launching a process
Creating a file in the Program Files directory
Network activity
Moving a recently created file
Moving a file to the Program Files subdirectory
Replacing files
Creating a file in the mass storage device
Deleting volume shadow copies
Encrypting user's files
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63584/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe crypter evasive filecoder fingerprint greyware outsider ransomware rapid shell32.dll stealer
Link:
https://www.filescan.io/uploads/63d48ec31c9cbf7d6253afdb/reports/38055628-2acd-493c-954b-ffdae00f0bf9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TargetCompany Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ac24f48-9466-4f78-bfdd-c830e1189e29
Result
Threat name:
Targeted Ransomware, TrojanRansom
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160671
Signature
Antivirus detection for URL or domain
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Machine Learning detection for sample
May check the online IP address of the machine
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Opens network shares
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected RansomwareGeneric
Yara detected Targeted Ransomware
Yara detected TrojanRansom
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 793408 Sample: M74aRxVX4H.exe Startdate: 28/01/2023 Architecture: WINDOWS Score: 100 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Found ransom note / readme 2->50 52 5 other signatures 2->52 7 M74aRxVX4H.exe 3 528 2->7         started        12 notepad.exe 2->12         started        process3 dnsIp4 40 192.168.2.1, 135, 274 unknown unknown 7->40 42 api4.ipify.org 64.185.227.155, 49697, 80 WEBNXUS United States 7->42 44 3 other IPs or domains 7->44 32 C:\Users\user\AppData\...\FILE RECOVERY.txt, data 7->32 dropped 34 C:\Users\user\AppData\...\FILE RECOVERY.txt, data 7->34 dropped 36 C:\Users\user\AppData\...\FILE RECOVERY.txt, data 7->36 dropped 38 64 other malicious files 7->38 dropped 54 May disable shadow drive data (uses vssadmin) 7->54 56 Creates files in the recycle bin to hide itself 7->56 58 May check the online IP address of the machine 7->58 60 5 other signatures 7->60 14 cmd.exe 7->14         started        16 cmd.exe 7->16         started        18 vssadmin.exe 7->18         started        20 cmd.exe 7->20         started        file5 signatures6 process7 process8 22 conhost.exe 14->22         started        24 sc.exe 14->24         started        26 conhost.exe 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330/
Threat name:
Win32.Ransomware.GarrantDecrypt
Create hunting rule
Status:
Malicious
First seen:
2023-01-24 02:44:59 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
32 of 39 (82.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nr2dzcibkhihdekqerryfnpacwhivpckfhouwlyettt5ge5rumya._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion ransomware
Link:
https://tria.ge/reports/230128-de1vksdh47/
Behaviour
Interacts with shadow copies
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Stops running service(s)
Deletes shadow copies
Unpacked files
SH256 hash:
6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330
MD5 hash:
70c464221d3e4875317c9edbef04a035
SHA1 hash:
8a1d92c8e5b7a5b3a6a34137c9eee01f89cd5564
Link:
https://www.unpac.me/results/cb3139eb-ab4d-4f6e-9b5a-02f084978abb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c743c890151/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:Royal_Ran_V1
Create hunting rule
Author:DigitalPanda

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Targeted

Executable exe 6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2520417/
Cape
Cape
https://www.capesandbox.com/analysis/357665/

Comments


Avatar
zbet commented on 2023-01-28 02:55:43 UTC

url : hxxp://80.66.75.36/aRX.exe