MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e590d9214e8d824147463c5039418e928a2b6f3c3b4a4e4f33724edc2877b3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e590d9214e8d824147463c5039418e928a2b6f3c3b4a4e4f33724edc2877b3c
SHA3-384 hash: 42a15ab92e0e9b3f60ae012c82de67cd53e56d7fb8d063886a4e373f0e245b97faa0c9fb1913000ad9becb6c836b70fd
SHA1 hash: 141d1f2ce87e54d69a67779ec126f7408fd0516c
MD5 hash: e7f59a2129300dc874d60e8b927edba4
humanhash: oscar-nuts-wisconsin-avocado
File name:WinLocker.exe
Download: download sample
File size:786'515 bytes
First seen:2021-06-17 18:06:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9882eb4035dda06820977e0c5b3ceed0
ssdeep 24576:VWYlc//////QS8iIOfPOerAY29QdkU0nPEzTC:1lc//////QSrIUPOMGYkpPMW
Threatray 43 similar samples on MalwareBazaar
TLSH D9F48E32F190C037C13376799C1B92D9642ABF212E38688B7BE52E5C5F396923E251D7
Reporter Anonymous
Tags:exe


Avatar
Anonymous
Retrieved from https://padlet-uploads.storage.googleapis.com/500279229/c4d1ce167d49df4f2206a5fe210b189f/WinLocker.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WinLocker.exe
Verdict:
No threats detected
Analysis date:
2021-06-17 18:09:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5109ea5b-8a45-4963-b68f-48cb5d4758e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166633/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Skillis-56
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f500ab05-97cb-4457-b0a8-5ddd378a185b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803888
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Disables the Windows task manager (taskmgr)
Drops batch files with force delete cmd (self deletion)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436299 Sample: WinLocker.exe Startdate: 17/06/2021 Architecture: WINDOWS Score: 100 38 Antivirus detection for dropped file 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 2 other signatures 2->44 7 WinLocker.exe 6 2->7         started        11 cmd.exe 1 2->11         started        process3 file4 30 C:\Users\user\Desktop\WinLocker.exe_, PE32 7->30 dropped 32 C:\Users\...\WinLocker.exe_:Zone.Identifier, ASCII 7->32 dropped 34 C:\Setup.bat, DOS 7->34 dropped 48 Drops batch files with force delete cmd (self deletion) 7->48 13 cmd.exe 3 5 7->13         started        50 Uses ipconfig to lookup or modify the Windows network settings 11->50 17 conhost.exe 11->17         started        19 ipconfig.exe 1 11->19         started        signatures5 process6 file7 36 C:\Windows\msgBox1.vbs, ASCII 13->36 dropped 52 Command shell drops VBS files 13->52 54 Uses cmd line tools excessively to alter registry or file data 13->54 56 Uses netsh to modify the Windows network and firewall settings 13->56 58 Modifies the windows firewall 13->58 21 reg.exe 1 1 13->21         started        24 netsh.exe 1 3 13->24         started        26 wscript.exe 13->26         started        28 3 other processes 13->28 signatures8 process9 signatures10 46 Disables the Windows task manager (taskmgr) 21->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e590d9214e8d824147463c5039418e928a2b6f3c3b4a4e4f33724edc2877b3c/
Threat name:
Win32.Trojan.Ulise
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 18:07:09 UTC
AV detection:
40 of 46 (86.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
267adb8b92c06ae53186fc26b40caf4d9e1ae4893475b2d1d8f29b040c67d9b4
36cbc77a5caaf8f805bc7347ee4cd27657fca600ea5e202e633aca7a09d73297
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
a5e57e24a9d5cac8c01746cce2c81d95d6fc0178a3b133985473aad06ba986a9
ae3974aeea651951c5c5802cf7a556c7626529790db1fd34f29be31c29f58ce2
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
d33c5c0efe677cbbe2c7ba65c9327f10d9fc6b8d43bf8130da0d6ae9db99c8f7
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37
+ 33 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence spyware stealer
Link:
https://tria.ge/reports/210617-ylwcmqcl3s/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Modifies Windows Firewall
Unpacked files
SH256 hash:
6e590d9214e8d824147463c5039418e928a2b6f3c3b4a4e4f33724edc2877b3c
MD5 hash:
e7f59a2129300dc874d60e8b927edba4
SHA1 hash:
141d1f2ce87e54d69a67779ec126f7408fd0516c
Link:
https://www.unpac.me/results/12cb85d3-b414-4182-a840-b3477ff022cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e590d9214e8d824147463c5039418e928a2b6f3c3b4a4e4f33724edc2877b3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6e590d9214e8d824147463c5039418e928a2b6f3c3b4a4e4f33724edc2877b3c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/166633/
  
URLhaus
https://urlhaus.abuse.ch/url/1375214/
  
Delivery method
Distributed via web download

Comments