MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WannaCry


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d
SHA3-384 hash: e8112d0f20125ee243d823ae34312d7d04ae6fe8f4163543a47fc417b121998009432a28f6820b3b5eb8d95db070412a
SHA1 hash: 8464301c80afbff7638b92c6bcbdd45774be6a97
MD5 hash: 20ef171731af9752a83cece44d65a2eb
humanhash: arizona-golf-foxtrot-xray
File name:72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d
Download: download sample
Signature WannaCry
Create hunting rule
File size:5'267'459 bytes
First seen:2026-01-04 07:43:11 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2e5708ae5fed0403e8117c645fb23e5b (1'108 x WannaCry, 7 x Worm.Virut, 2 x Expiro)
ssdeep 24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYo:znAQqMSPbcBVQej/1
Threatray 1'202 similar samples on MalwareBazaar
TLSH T13936236A756CA1FCC116237564778E2696B77C5A22BD970F8F408B620C03764FFA8B07
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Butter1
Tags:dll eternalblue honeypot SMB WannaCry

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
AU AU
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47524/
Detection(s):
Win.Ransomware.Wanna-9769986-0
Create hunting rule

Win.Ransomware.Wannacryptor-9940180-0
Create hunting rule

Win.Ransomware.Wanacryptor-9942127-1
Create hunting rule

Win.Ransomware.WannaCry-10011460-0
Create hunting rule

Win.Ransomware.WannaCry-6313787-0
Create hunting rule

Win.Malware.Djwy-6775897-0
Create hunting rule

Win.Ransomware.Wanna-6888027-0
Create hunting rule

Win.Ransomware.Wanna-6888334-0
Create hunting rule

Win.Malware.Djwy-6923377-0
Create hunting rule

BC.Win.Exploit.Exe_With_CVE_2017_0147-6316126-2
Create hunting rule

Win.Exploit.Doublepulsar-7427328-0
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader46.24199.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695a1a1ae148d42004df342b
Tags:
wannacry madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d
Verdict:
Malicious
File Type:
dll x32
First seen:
2017-10-12T20:06:00Z UTC
Last seen:
2017-11-05T20:51:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Eb.b Trojan.Win32.Eb.a HEUR:Worm.Win32.Generic HEUR:Trojan-Ransom.Win32.Wanna.gen HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.EquationDrug.gen HEUR:Exploit.Win32.MS17-010.gen HEUR:Trojan-Ransom.Win32.Wanna.a Trojan-Ransom.Win32.Wanna.zbu Trojan-Ransom.Win32.Wanna.sb Trojan-Ransom.Win32.Wanna.m Trojan.Win32.EquationDrug.sb Trojan-Ransom.Win32.Wanna.d
Link:
https://opentip.kaspersky.com/72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d/results?tab=lookup
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4fb8562-94ab-4d4b-8346-2ffd4c3874d1
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/20ef171731af9752a83cece44d65a2eb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d/
Verdict:
Malicious
Threat:
Trojan-Ransom.Win32.Wanna
Link:
https://tip.neiki.dev/file/72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2017-10-14 22:09:38 UTC
File Type:
PE (Dll)
Extracted files:
4
AV detection:
34 of 36 (94.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ok7o3lwy56os2xvr3guecatw73ud6tnf3z7j2tel55hh7pvtxyoq._file
Verdict:
malicious
Label(s):
wannacryptor
Create hunting rule
Similar samples:
016b40a769d4d34da8cdf3bf08a166c3243b659c31c152d3c0899993a7aa8f07
WannaCry
0ca55fe01cf52696f424100ee6de4e8dd262ce1c83257d22bc3edc42c30fb944
WannaCry
6247b0dfc220bc6d0a78f7dd02159ffb9ea4bfaddba26a4891cfc89044d74b2c
WannaCry
7ab0e9ddbab262e9d049de139e13f3ef8caefc72336dc2ff6575bb49044385f5
WannaCry
8b51945ada866301cd583744f4363bbeac1b7ec84ee78c0135824a2dc57f7244
WannaCry
aee6ea06bd64f629b2f5726c4060ee6ebe4137f6561fa8ceb4f16f08e326e4cd
WannaCry
c49b0554d235d4bead3f4d25d9ab9a38a9113d85f9f06891d15365e8270010f4
WannaCry
c9db9ce17eb23dd902c86fdf9190599718bb01572983cdb14e10f9c4d71a3977
WannaCry
d6c5d9c75c40e9f7c6bf19c254cfcb5914e2f00b75a4590f3c775c29ca991e18
WannaCry
error
WannaCry
f2cf2c68920d3812d76104aa8388cfa07934c53a39e8f48e098a282ddccbfbcf
WannaCry
+ 1'192 additional samples on MalwareBazaar
Result
Malware family:
wannacry
Create hunting rule
Score:
  10/10
Tags:
family:wannacry discovery ransomware worm
Link:
https://tria.ge/reports/260106-jc6wpsev2c/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Creates a large amount of network flows
Executes dropped EXE
Contacts a large (3341) amount of remote hosts
Wannacry
Wannacry family
Unpacked files
SH256 hash:
72beedaed8ef9d2d5eb1d9a8410276fee83f4da5de7e9d4c8bef4e7fbeb3be1d
MD5 hash:
20ef171731af9752a83cece44d65a2eb
SHA1 hash:
8464301c80afbff7638b92c6bcbdd45774be6a97
Detections:
WannaCry
Create hunting rule
Link:
https://www.unpac.me/results/088e7dbc-c2ed-4741-8303-4c3e65164b1b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:WannaCry_Ransomware
Create hunting rule
Author:Florian Roth (Nextron Systems) (with the help of binar.ly)
Description:Detects WannaCry Ransomware
Reference:https://goo.gl/HG2j5T

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/47524/

Comments