MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 732320e7df67f64d118dce44157b95240d5cbf7a2db10c004a5e73a20d034399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 732320e7df67f64d118dce44157b95240d5cbf7a2db10c004a5e73a20d034399
SHA3-384 hash: 1fdbe9b71b13f89e32f4cc8f733be7df95e16bc7215968802381f092f7cb3b917304b4d7ca86942a1c902e6647767936
SHA1 hash: f125b467c5c9398443ac21d832b9b7759ed5b889
MD5 hash: 75c584f55cef85e30e15ab8413af0c65
humanhash: mountain-sixteen-alpha-bakerloo
File name:75c584f5_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:769'024 bytes
First seen:2021-05-05 10:08:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ac62c7ac20802c7720e58661a0a5643f (1 x VirLock)
ssdeep 12288:eItNUGs3qkesrMsLxYmBBnSiL/LnUj31DL6nS8TVtnwnhRwUbyTm:eiNUGspksLxYmBBn1/LnUjJ2vTfnwnRh
Threatray 222 similar samples on MalwareBazaar
TLSH 71F48C20C00C54BAE67CE4B23BF2A5244C551AF4CB49349776F26D21B96E857FF6E328
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150381/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6804475-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
Creating a file in the Windows subdirectories
DNS request
Creating a file in the %temp% directory
Running batch commands
Searching for the window
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711782
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to check if Internet connection is working
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates an undocumented autostart registry key
Delayed program exit found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404815 Sample: 75c584f5_by_Libranalysis Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Machine Learning detection for sample 2->65 67 Machine Learning detection for dropped file 2->67 7 75c584f5_by_Libranalysis.exe 3 15 2->7         started        11 MKcoEoYQ.exe 4 2->11         started        13 svchost.exe 2->13         started        15 11 other processes 2->15 process3 dnsIp4 49 C:\Users\user\iwkYYAMo\YKsAEwIk.exe, PE32 7->49 dropped 51 C:\ProgramData\gMMUscck\MKcoEoYQ.exe, PE32 7->51 dropped 53 C:\ProgramData\JiwgAMMw\fkUUEYAU.exe, PE32 7->53 dropped 55 C:\Users\user\AppData\Local\Temp\cup.exe, PE32 7->55 dropped 83 Creates an undocumented autostart registry key 7->83 85 Uses cmd line tools excessively to alter registry or file data 7->85 87 Tries to detect virtualization through RDTSC time measurements 7->87 18 fkUUEYAU.exe 5 7->18         started        23 YKsAEwIk.exe 16 7->23         started        25 cmd.exe 1 7->25         started        31 3 other processes 7->31 89 Antivirus detection for dropped file 11->89 91 Machine Learning detection for dropped file 11->91 93 Delayed program exit found 11->93 95 Changes security center settings (notifications, updates, antivirus, firewall) 13->95 27 MpCmdRun.exe 13->27         started        59 127.0.0.1 unknown unknown 15->59 29 WerFault.exe 15->29         started        file5 signatures6 process7 dnsIp8 57 192.168.2.1 unknown unknown 18->57 47 C:\Users\user\Desktop\Pcgi.exe, PE32 18->47 dropped 69 Antivirus detection for dropped file 18->69 71 Contains functionality to check if Internet connection is working 18->71 73 Machine Learning detection for dropped file 18->73 75 Contains functionality to detect hardware virtualization (CPUID execution measurement) 18->75 77 Contains functionality to automate explorer (e.g. start an application) 23->77 79 Tries to detect virtualization through RDTSC time measurements 23->79 81 Delayed program exit found 23->81 33 WerFault.exe 23->33         started        35 cup.exe 2 25->35         started        37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        41 conhost.exe 31->41         started        43 conhost.exe 31->43         started        45 conhost.exe 31->45         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/732320e7df67f64d118dce44157b95240d5cbf7a2db10c004a5e73a20d034399/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 10:08:32 UTC
AV detection:
44 of 47 (93.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2730acfa6d41e164c1fe6ba4fb7f9e41b21a5ea42a646652e1d177b2d9f3af5d
VirLock
2e949fd381c6fe57dd97fa241bbc8c530cbc0e85891074056ff4085f0dbd9484
VirLock
3fd471944c8650c8883d23f0f7bf54d8aef165b0aad140353244b2a43be760f7
VirLock
8a139fcd70cf23b397ef1bb31a6b8a5990bd2018bd7e42da6db865a52d49549d
VirLock
c3cab87bb11691778b8aa91cd39945710eeb947e34ed4b980f0df655ed557b32
VirLock
db3491850413229a37f3aba3e72c53513a7a57c9eb560279c382e32473c2f4dc
VirLock
e7f4ee5fe23b5c2d98044b31c5e858b451ef78539c708f1cf14dbfc152617817
VirLock
ebd15c59cc12d2386b4c839280d0a344b3503dddc64a59ce0d5f019f9bb019cd
VirLock
f5cb4b0567d7d1dd4b6a26aa9e73651108bdc01e76320bd68b56e65551b38457
VirLock
fe0d1bf3cfb9d2c9efa26530095d4541d82b5b80bc73d21d387ca3e37846b5c8
VirLock
+ 212 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-yrwalg8lps/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
2618c865040a26afa6f3c0b3e49a0ee687e29644519c0fd57e5cc512ba687686
MD5 hash:
e14ac67990bcd5e37f24347f1358c922
SHA1 hash:
7163e4c8f1d9bc1ce547a8fd92e0a4a8429eabfb
Link:
https://www.unpac.me/results/e5d42552-0ed7-47fb-b650-ebd4b1482656/
SH256 hash:
68705ff46b9c4464c5f0edf8d1f39205398bb7f9435c963c76c41874b61a4bd4
MD5 hash:
7e836edad624d3f63066c3d580b3d4cb
SHA1 hash:
8846f234ce8cbb57a9e28ae00762941b44d7b2bd
Link:
https://www.unpac.me/results/e5d42552-0ed7-47fb-b650-ebd4b1482656/
SH256 hash:
732320e7df67f64d118dce44157b95240d5cbf7a2db10c004a5e73a20d034399
MD5 hash:
75c584f55cef85e30e15ab8413af0c65
SHA1 hash:
f125b467c5c9398443ac21d832b9b7759ed5b889
Link:
https://www.unpac.me/results/e5d42552-0ed7-47fb-b650-ebd4b1482656/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150381/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 11:15:38 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash