MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 780bb152049a5921fabbe0de066b53c36bf45d895b60b1651e35c69052e6703d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WannaCry

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	780bb152049a5921fabbe0de066b53c36bf45d895b60b1651e35c69052e6703d
SHA3-384 hash:	9a2cbaf789a404fd9899f0e9bea004d3a7f3316b14b2be5d802486d8c1b9ee2d4a98ace2d9b7a1b695f907dbb3ac74cb
SHA1 hash:	1ca884d2cef10526374aa7f6a859f977c2a0e051
MD5 hash:	edf913f2d9993f003e5fe25be9a48929
humanhash:	lamp-mango-one-mars
File name:	Winnucker.exe
Download:	download sample
Signature	WannaCry Create hunting rule
File size:	4'718'592 bytes
First seen:	2021-11-28 16:07:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e80f3830dd25af995ae103210a1b90e6 (1 x WannaCry)
ssdeep	98304:F4bkS+MpRcwqJqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3:EHJqJqPe1Cxcxk3ZAEUadzR8yc4g
Threatray	126 similar samples on MalwareBazaar
TLSH	T17E2601E1B2A2D0BFE2E006320FDD57315A75E10DC95996575F40EEAA1C362E1A732E33
Reporter	tech_skeech
Tags:	exe KRBanker WannaCry

Intelligence

File Origin

# of uploads :

# of downloads :

955

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Winnucker.exe.vir

Verdict:

Malicious activity

Analysis date:

2021-11-28 04:20:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cd3b1934-ea85-4b6a-a486-feab11f85129

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Ransomware.Petya-6992434-0

Win.Ransomware.Encoder-9846353-0

Win.Malware.Memz-9869845-0

ditekSHen.MALWARE.Win.Ransomware.KillMBR.UNOFFICIAL

Win.Ransomware.WannaCry-6313787-0

Win.Malware.Djwy-6775897-0

Win.Ransomware.Wanna-6888027-0

Win.Ransomware.Wanna-6888334-0

Win.Malware.Djwy-6923377-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Creating a file

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cryptolocker flystudio greyware keylogger mbrlock packed petya powershell ransomware wanna wannacry

Link:

https://www.filescan.io/uploads/61a3a964bbfd2af97cb7ba06/reports/3af5adec-fd52-49ee-86a0-767ef3c97da3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

KRBanker

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ff41403a-ca9a-48bc-a1f0-348553bf0787

Result

Threat name:

Petya

Detection:

malicious

Classification:

rans.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/897433

Signature

Antivirus detection for dropped file

Found Tor onion address

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Petya ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/780bb152049a5921fabbe0de066b53c36bf45d895b60b1651e35c69052e6703d/

Threat name:

Win32.Ransomware.CryptoLock

Status:

Malicious

First seen:

2021-11-23 06:39:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 28 (96.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=paf3cuqetjmsd6v34dpam22tynv7ixmjlnqlczi6gxdjauxgoa6q._file

Verdict:

malicious

WannaCry

3179fe15e7ff91a0e02a7a75667f8c230e95817d1ac0e0fb0f34a74d33c0b8ad

WannaCry

37877d87fff1b903df41bdb21fb500b0371f72de500c6f6768aec4d76966de67

WannaCry

435858766d123afb7afef259fca8564e883fffce4bdebe7da7b047f8030dfe4f

WannaCry

7333ddf4a7e53eeda33a8360b307471358597aeff78f4a5a7f4610640f97bdc7

WannaCry

76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

WannaCry

a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3

WannaCry

b6a56587ff63ad2c27323d56510915125be1f171324029353303659eb438d0ed

WannaCry

c286536081ae21b1210e9b2d44cad98ba7849dcfcc1e3c864e9e60216682bd27

WannaCry

+ 116 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

upx

Link:

https://tria.ge/reports/211128-tk74vahgdn/

Behaviour

Suspicious use of SetWindowsHookEx

Loads dropped DLL

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Unpacked files

SH256 hash:

780bb152049a5921fabbe0de066b53c36bf45d895b60b1651e35c69052e6703d

MD5 hash:

edf913f2d9993f003e5fe25be9a48929

SHA1 hash:

1ca884d2cef10526374aa7f6a859f977c2a0e051

Detections:

win_agent_tesla_g1

Link:

https://www.unpac.me/results/e342597e-9ff5-4e72-a6a2-d5de3080a422/

Malware family:

WannaCry

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/780bb152049a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/780bb152049a5921fabbe0de066b53c36bf45d895b60b1651e35c69052e6703d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	WannaCry_Ransomware Create hunting rule
Author:	Florian Roth (with the help of binar.ly)
Description:	Detects WannaCry Ransomware
Reference:	https://goo.gl/HG2j5T

Rule name:	XiaoBa Create hunting rule
Author:	@bartblaze
Description:	Identifies XiaoBa ransomware unpacked or in memory.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

WannaCry

exe 780bb152049a5921fabbe0de066b53c36bf45d895b60b1651e35c69052e6703d

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample