MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VovaLex


Vendor detections: 4



SHA256 hash: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae
SHA3-384 hash: f6cf6bbf1937449f7067b7a24e39b5c34b3bbc19fe52ceb0abf6cb78a44a32498a6e8de80359585359d8c31ecd29b9c5
SHA1 hash: dac66a285e89ee98cb84488df21f8c43c4acb5d3
MD5 hash: fa9649ba7f76190701b2f1ffaaf4d0df
humanhash: eight-moon-december-four
File name: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin
Signature: VovaLex
File size: 32'864'256 bytes
First seen: 2021-01-30 11:30:03 UTC
Last seen: 2021-01-30 14:17:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 47213d103768327f1ec64ab08cacc584 (2 x Vovalex)
ssdeep: 49152:HCmgezLfoHrgYXrjGWwU+4FqEgmkFqBGkCZXgQRuLe9hKJsXe2WVV7T31Flh42EE:HvI7XgGgvEBLoXxwAcV7x34e6aj
Threatray: 1 similar sample on MalwareBazaar
TLSH: 4C773322B24095F4D55248F4CBD18A90AE607CB807B522DB2EF5B32D1E7DCD2AF7D681
Reporter: Arkbird_SOLG
Tags: Ransomware, Vovalex

Intelligence


File Origin
# of uploads: 2
# of downloads: 415
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin
Verdict: No threats detected
Analysis date: 2021-01-30 11:31:56 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a file
Creating a window
Result
Threat name: VovaLex
Detection: malicious
Classification: rans.adwa.evad
Score: 40 / 100
Signature
Connects to a URL shortener service
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Yara detected VovaLex Ransomware
Behaviour
Behavior Graph (ID 346304; sample yVn2ywuhEC.exe; start date 30/01/2021; architecture WINDOWS; score 40). Nodes recoverable from the graph:
Network (top level): video.trontv.com, static.ads-twitter.com, 48 other IPs or domains
Signatures (top level): Multi AV Scanner detection for submitted file; Yara detected VovaLex Ransomware; Uses netsh to modify the Windows network and firewall settings; 2 other signatures
Process tree:
  yVn2ywuhEC.exe (3 instances started)
    dropped: C:\Users\user\...\3yYh0IvfZPkSsqrl.exe (PE32), C:\Users\user\...\0i1CtyGdkmLhJnVs.exe (PE32), C:\Users\user\...\PHO27fVEZKCoh9MD.exe (PE32); C:\...\pkeyconfig-office.xrm-ms.vovalex (data), pkeyconfig-office.xrm-ms.vovalex.vovalex (data), pkeyconfig-office....lex.vovalex.vovalex (data); 2 to 3 other malicious files per instance
    signature: Writes many files with high entropy
    3yYh0IvfZPkSsqrl.exe started 3yYh0IvfZPkSsqrl.tmp (PE32, dropped); 0i1CtyGdkmLhJnVs.exe started 0i1CtyGdkmLhJnVs.tmp (PE32, dropped); PHO27fVEZKCoh9MD.exe started PHO27fVEZKCoh9MD.tmp
    3yYh0IvfZPkSsqrl.tmp: dropped C:\Users\user\AppData\...\is-VGHOK.tmp, C:\Users\user\AppData\...\is-AVBP3.tmp, C:\Users\user\AppData\...\is-8L18J.tmp (PE32) and 2 other files (none is malicious); signature: Modifies the hosts file; started uTorrent.exe, netsh.exe (2 instances), 2 other processes
    0i1CtyGdkmLhJnVs.tmp: dropped C:\Windows\System32\drivers\etc\hosts (ASCII), C:\Users\user\AppData\...\is-N5OCA.tmp, C:\Users\user\AppData\...\is-JP462.tmp (PE32) and 3 other files (none is malicious); started netsh.exe (4 instances)
    PHO27fVEZKCoh9MD.tmp: dropped C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); started unins000.exe, which dropped C:\Users\user\AppData\Local\...\_iu14D2N.tmp (PE32)
    uTorrent.exe: contacted 161.230.30.190 (ports 17720, 6881; VODAFONE-PT Vodafone Portugal, Portugal), 42.111.6.220 (port 62544; VODAFONE-IN Vodafone India Ltd, India) and 112 other IPs or domains; dropped C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506 (Microsoft), C:\Users\user\AppData\Local\...\utt5E55.tmp (MS-DOS); signatures: Writes many files with high entropy; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    each netsh.exe instance and each of the 2 other processes started conhost.exe
Threat name: Win64.Ransomware.Vovalex
Status: Malicious
First seen: 2021-01-19 02:23:59 UTC
File Type: PE+ (Exe)
Extracted files: 13
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments