MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76960749ed11d97582923e31d59115910ae74d8753c8e92f918f604ca8a0d26d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TellYouThePass


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76960749ed11d97582923e31d59115910ae74d8753c8e92f918f604ca8a0d26d
SHA3-384 hash: cb1af5c8120754724546190b4f3881adfdd20a737aa5218695d9ff9db1330e1d04ec88c5771f8e2a83a23a91e3dc1d3c
SHA1 hash: 64a5dc3748c94576dd508231d1bafce59bc3385a
MD5 hash: c88b15226ff88040d226d64b375ac12e
humanhash: zebra-three-lion-maryland
File name:tellyouthepass.exe
Download: download sample
Signature TellYouThePass
Create hunting rule
File size:3'190'272 bytes
First seen:2021-12-31 16:02:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:fyXC3Y0KGJrb/ThvO90dL3BmAFd4A64nsfJvm2FsGmq3ihBe6Q2KbkSgAUIOGwTd:fyp7m2SGh+Bd1IRwe
Threatray 18 similar samples on MalwareBazaar
TLSH T130E54B13F89146E5C0ADE230C66992537A7278A9173023D73B50EFBA2F36BD46E79314
Reporter _CyberHunt_
Tags:exe log4j Ransomware TellYouThePass

Intelligence

File Origin
# of uploads :
1
# of downloads :
490
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5573431538647040.zip
Verdict:
No threats detected
Analysis date:
2021-12-28 11:41:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78ace353-4716-400a-8799-4259a050c375

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216952/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Sending an HTTP GET request
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3580/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
crypren filecoder tellyouthepass
Link:
https://www.filescan.io/uploads/61cf29ba8991ba72b3a23b30/reports/11c77f75-0407-4766-9a60-c1b2d02d6816/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e65845fd-a533-4be1-95ea-f029bc41403a
Result
Threat name:
Gocoder
Create hunting rule
Detection:
malicious
Classification:
rans
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/914340
Signature
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Gocoder ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546818 Sample: tellyouthepass.exe Startdate: 31/12/2021 Architecture: WINDOWS Score: 64 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected Gocoder ransomware 2->54 8 tellyouthepass.exe 104 2->8         started        process3 dnsIp4 50 193.56.29.207, 49745, 49749, 80 WHG-NETWORKPL United Kingdom 8->50 42 C:\Users\user\Desktop\...\QNCYCDFIJJ.docx, ASCII 8->42 dropped 44 C:\Users\user\Desktop\...FOYFBOLXA.jpg, ASCII 8->44 dropped 46 C:\Users\user\Desktop\...\QCFWYSKMHA.png, ASCII 8->46 dropped 48 C:\Users\user\...\LSBIHQFDVT.docx.locked, DOS 8->48 dropped 56 Modifies existing user documents (likely ransomware behavior) 8->56 13 cmd.exe 1 8->13         started        16 cmd.exe 1 8->16         started        18 cmd.exe 1 8->18         started        20 39 other processes 8->20 file5 signatures6 process7 signatures8 58 Uses schtasks.exe or at.exe to add and modify task schedules 13->58 22 taskkill.exe 1 13->22         started        24 taskkill.exe 1 16->24         started        26 conhost.exe 16->26         started        28 taskkill.exe 1 18->28         started        30 taskkill.exe 18->30         started        32 taskkill.exe 1 20->32         started        34 taskkill.exe 1 20->34         started        36 taskkill.exe 1 20->36         started        38 33 other processes 20->38 process9 process10 40 taskkill.exe 32->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76960749ed11d97582923e31d59115910ae74d8753c8e92f918f604ca8a0d26d/
Threat name:
Win64.Ransomware.TelUPass
Create hunting rule
Status:
Malicious
First seen:
2021-12-25 21:39:45 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
TellYouThePass
3a7e260aec294903b08eb34f2b9a985bd38bd66a409bbb7e58bd8f4e5c3a7806
TellYouThePass
460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984
TellYouThePass
8b10986bf59cc6c50698fd9a3de7522cc0767da1655f4c5c51601187eebbdac8
TellYouThePass
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63
TellYouThePass
cd9077bf07eb4183aa5d7093cd32c9fddc43e2ecba91a682d666b041c39a4cd2
TellYouThePass
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Link:
https://tria.ge/reports/211231-thcvxshae8/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
76960749ed11d97582923e31d59115910ae74d8753c8e92f918f604ca8a0d26d
MD5 hash:
c88b15226ff88040d226d64b375ac12e
SHA1 hash:
64a5dc3748c94576dd508231d1bafce59bc3385a
Link:
https://www.unpac.me/results/05ee361b-d137-492b-943b-da8ad002a8a0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/76960749ed11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76960749ed11d97582923e31d59115910ae74d8753c8e92f918f604ca8a0d26d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/_CyberHunt_/status/1476810724752064515
Cape
Cape
https://www.capesandbox.com/analysis/216952/

Comments