MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6
SHA3-384 hash: 71e9f2ddc0890015bd755f0ed6c2d9caad5b639b01d9b875cca1a2e4093918e5b1889fb8ced721d56f39b0333669f2e7
SHA1 hash: 6c6e9ebe1e11714bd4c3584fc5b732ccfb782a05
MD5 hash: 80143152971ee77d14bb77c8d10346ec
humanhash: oregon-music-two-six
File name:ky.exe
Download: download sample
File size:431'680 bytes
First seen:2020-10-02 04:02:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46af1dad00dd7ea779fbcd2a087e8ac8
ssdeep 12288:CeXzSAp2noO6CvOJHLc3vYndhqXtMLPCu4QRxEI:CejCnoFOqHLc2dhGMLPCu4QRxL
Threatray 6 similar samples on MalwareBazaar
TLSH 1A9423E4E0F8A2B7DD323F70A24BD098D3AC591D2A81064AA19F91606C7F7DDF31B465
Reporter vm001cn
Tags:Ransomware swmmiware symmiware

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67620/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43938747.299.13601.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Sending a UDP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/479916
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the recycle bin to hide itself
Detected unpacking (changes PE section rights)
Found PSEXEC tool (often used for remote process execution)
Hides threads from debuggers
Machine Learning detection for sample
Moves / writes many txt or jpg files (may be a ransomware encrypting documents)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292397 Sample: ky.exe Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Machine Learning detection for sample 2->48 50 4 other signatures 2->50 10 ky.exe 8 2->10         started        14 explorer.exe 2->14         started        16 SearchUI.exe 2->16         started        process3 file4 40 C:\Users\user\Desktop\hyBrDFjOidLuty.exe, PE32 10->40 dropped 42 C:\Users\user\Desktop\PsExec.exe, PE32 10->42 dropped 60 Detected unpacking (changes PE section rights) 10->60 62 Submitted sample is a known malware sample 10->62 64 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->64 66 2 other signatures 10->66 18 cmd.exe 1 10->18         started        signatures5 process6 process7 20 PsExec.exe 1 1 18->20         started        22 conhost.exe 18->22         started        process8 24 hyBrDFjOidLuty.exe 502 20->24         started        file9 32 C:\ProgramData\USOShared\SYMMYWARE.TXT, Unknown 24->32 dropped 34 C:\ProgramData\...\SYMMYWARE.TXT, Unknown 24->34 dropped 36 C:\ProgramData\Microsoft\...\SYMMYWARE.TXT, Unknown 24->36 dropped 38 3 other malicious files 24->38 dropped 52 Multi AV Scanner detection for dropped file 24->52 54 Creates files in the recycle bin to hide itself 24->54 56 Moves / writes many txt or jpg files (may be a ransomware encrypting documents) 24->56 58 Tries to harvest and steal browser information (history, passwords, etc) 24->58 28 explorer.exe 50 200 24->28         started        signatures10 process11 process12 30 notepad.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6/
Threat name:
Win32.Ransomware.HiddenTear
Create hunting rule
Status:
Malicious
First seen:
2020-09-30 13:35:52 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
146de084ff60046edb599a6f8ae1503aa2a7f39c550807e9af069c2e8c9ea34c
2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279
53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f
5ef0b6ab46bb6853ddf281a6b12ca1b6c9d77a6b25a8db00e5f0771e793357a5
5fa108e621b0921235740af34e55a4515c4b78bc5463fcf47c92dfecec334e00
730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware persistence spyware
Link:
https://tria.ge/reports/201002-avbjhbd3we/
Behaviour
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
Modifies extensions of user files
Unpacked files
SH256 hash:
7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6
MD5 hash:
80143152971ee77d14bb77c8d10346ec
SHA1 hash:
6c6e9ebe1e11714bd4c3584fc5b732ccfb782a05
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
9ac3734c21e4656f3adc22373b12717dfd61a623d390b9639741e075580670b2
MD5 hash:
33a1efa3cf82c3e90bc8fb9a067f119e
SHA1 hash:
12fe00d6f5f827b3ef95e0f66ddcba85d45fa640
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
4307e767a82ae5a565a4004dac95acaf2fa9fb037c8a67784a8bf56a1fc87049
MD5 hash:
42c97dc17a354415ac1ff94d210830cb
SHA1 hash:
165ff5a5b8cbc282f326d7bb0d9e650bc574e8bd
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
27d92001e2d5a1dac237f27c80513f49d556dbf00b977eb6b8497acefda89f08
MD5 hash:
0321fd42473a523f8afef804c29d9ceb
SHA1 hash:
4549cfe5e619174ad5003752ca2d2828e262de21
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
eb75edb171cbd93f046efd75957c204def28d2088bc919298dd39c51fa36af7a
MD5 hash:
acab52785bbe18767b15f0a5e8d82115
SHA1 hash:
489f95db58d9515169aba7c8fbf0eb7d94e63b65
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
9b79b412ed627730b886f819f4375de3118192a71fe532877deb7e9929c96f7f
MD5 hash:
c936da6afe5691d59bafc1696258116f
SHA1 hash:
9c3a734ed4cb94f2924042ffc297b8d0fa03443c
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
0a03bfa9b0738cf17312535c76517951d09ec8f7583ef5f036d50e3ccab39be0
MD5 hash:
7bcb0a307d6a1660e374d2abb7db1b86
SHA1 hash:
f004c80f3193ac74f2960956474519a8b7d48294
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
4043f0dca4e01aea76961568bf4ed2fde5727520801351e9db6bc5cc5e9c726e
MD5 hash:
37f84b8e5dacfe4b4e393e5fa9b567e6
SHA1 hash:
867e3cba32f7a909922d7d6871b097bce2097e85
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
SH256 hash:
da50730580bd7fe14fca5c3547eb54882b6f79b42cd474530b9b07dd5de4f1ac
MD5 hash:
9ca339da8a96656779074b5caaa76c63
SHA1 hash:
f6813078253f72bf25c136debe45ac54cfbb7012
Link:
https://www.unpac.me/results/dbd71bf3-3678-4270-91f0-a8b8194c824b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XPACK
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/67620/

Comments