MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Nabucur


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
SHA3-384 hash: 27496dfdb15bf3339e519e1097f8ed60fc471341437b1b8163d055610319cae301c284f05860e6f339d080e37690342e
SHA1 hash: 4a740bc0de76cf7597d001f5cb659b220de6dccd
MD5 hash: e8583ee36603531bcf5001346c7474a7
humanhash: neptune-colorado-winner-march
File name:Trojan-Ransom.Win32.PolyRansom.bvlo-792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738.exe
Download: download sample
Signature Nabucur
Create hunting rule
File size:153'088 bytes
First seen:2022-09-29 12:37:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:p+OvuAoccS2sTQMMBXZ+YSuwydCcGmDceCd4aMc9KDouBIOQ:p+OvujS2sTFOXZ+YKmADd4alwJN
TLSH T196E31288AE9DBA63C8DE57FCC0E98D14435C92261A12FB4FE6A46CD40D4AFD305467B3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:exe Nabucur Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
544
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
cerber
Create hunting rule
ID:
1
File name:
d.exe
Verdict:
Malicious activity
Analysis date:
2021-02-06 22:00:08 UTC
Tags:
trojan ransomware cerber troldesh shade infinitylock
Link:
https://app.any.run/tasks/4409ef5b-1bf1-4eee-8952-daf19d0e21ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314816/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Searching for the window
Changing a file
Running batch commands
Launching a process
Creating a process with a hidden window
Launching the process to change network settings
Moving a file to the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Changing settings of the browser security zones
Changing critical settings of the Internet Explorer browser
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633591ae5c60ccc9fcfe8327/reports/af57fc27-945f-4456-b8c1-bc48edf8942d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/82bd16d7-d44c-442e-8075-7482b36472ef
Result
Threat name:
Babuk, Cerber, DeriaLock, InfinityLock,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1080066
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Clears the journal log
Clears the windows event log
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Deletes keys related to Windows Defender
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables security and backup related services
Disables the Windows registry editor (regedit)
Disables the windows security center
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Cerber ransomware
Yara detected DeriaLock Ransomware
Yara detected InfinityLock Ransomware
Yara detected Mimikatz
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 712625 Sample: 07bb0738.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 100 129 www.vikingwebscanner.com 2->129 131 searchaccount.org 2->131 133 8 other IPs or domains 2->133 145 Snort IDS alert for network traffic 2->145 147 Multi AV Scanner detection for domain / URL 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 18 other signatures 2->151 10 07bb0738.exe 14 72 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 1 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 141 raw.githubusercontent.com 10->141 143 github.com 10->143 115 C:\Users\user\Desktop\Fantom.exe, PE32 10->115 dropped 117 C:\Users\user\Desktopndermanch@Xyeta.exe, PE32 10->117 dropped 119 C:\...ndermanch@WinlockerVB6Blacksod.exe, PE32 10->119 dropped 121 65 other malicious files 10->121 dropped 183 Writes many files with high entropy 10->183 21 Endermanch@BadRabbit.exe 10->21         started        25 Endermanch@InfinityCrypt.exe 10->25         started        27 Endermanch@AntivirusPlatinum.exe 1 13 10->27         started        35 9 other processes 10->35 185 Changes security center settings (notifications, updates, antivirus, firewall) 15->185 29 MpCmdRun.exe 15->29         started        31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        file6 signatures7 process8 dnsIp9 91 C:\Windows\infpub.dat, data 21->91 dropped 153 Antivirus detection for dropped file 21->153 155 Multi AV Scanner detection for dropped file 21->155 157 Machine Learning detection for dropped file 21->157 38 rundll32.exe 21->38         started        42 conhost.exe 21->42         started        103 12 other malicious files 25->103 dropped 159 Writes many files with high entropy 25->159 93 C:\Windows\antivirus-platinum.exe, PE32 27->93 dropped 95 C:\Windows\302746537.exe, PE32 27->95 dropped 105 2 other files (none is malicious) 27->105 dropped 161 Drops executables to the windows directory (C:\Windows) and starts them 27->161 44 302746537.exe 27->44         started        46 conhost.exe 29->46         started        135 93.107.12.20 VODAFONE-IRELAND-ASNIE Ireland 35->135 137 93.107.12.21 VODAFONE-IRELAND-ASNIE Ireland 35->137 139 104 other IPs or domains 35->139 97 C:\Users\user\AppData\Local\6AdwCleaner.exe, PE32 35->97 dropped 99 C:\Program Files (x86)\...\libltdl3.dll, PE32 35->99 dropped 101 C:\Program Files (x86)\...\avpc2009.exe, PE32 35->101 dropped 107 7 other files (5 malicious) 35->107 dropped 163 Creates an undocumented autostart registry key 35->163 165 Creates multiple autostart registry keys 35->165 167 Uses netsh to modify the Windows network and firewall settings 35->167 169 6 other signatures 35->169 48 6AdwCleaner.exe 35->48         started        51 avpc2009.exe 35->51         started        53 taskkill.exe 35->53         started        55 3 other processes 35->55 file10 signatures11 process12 dnsIp13 109 C:\Windows\dispci.exe, PE32 38->109 dropped 111 C:\Windows\cscc.dat, PE32+ 38->111 dropped 113 C:\Windows\586F.tmp, data 38->113 dropped 171 System process connects to network (likely due to code injection or exploit) 38->171 173 Connects to many different private IPs via SMB (likely to spread or exploit) 38->173 175 Connects to many different private IPs (likely to spread or exploit) 38->175 181 4 other signatures 38->181 57 cmd.exe 38->57         started        59 cmd.exe 38->59         started        61 cmd.exe 38->61         started        70 2 other processes 38->70 63 cmd.exe 44->63         started        123 www.vikingwebscanner.com 48->123 177 Antivirus detection for dropped file 48->177 179 Multi AV Scanner detection for dropped file 48->179 125 yandex.ru 51->125 127 google.ru 51->127 66 conhost.exe 53->66         started        68 conhost.exe 55->68         started        file14 signatures15 process16 signatures17 72 conhost.exe 57->72         started        74 schtasks.exe 57->74         started        85 2 other processes 59->85 87 2 other processes 61->87 193 Drops executables to the windows directory (C:\Windows) and starts them 63->193 195 Uses schtasks.exe or at.exe to add and modify task schedules 63->195 76 antivirus-platinum.exe 63->76         started        79 conhost.exe 63->79         started        81 regsvr32.exe 63->81         started        89 2 other processes 63->89 83 conhost.exe 70->83         started        process18 signatures19 187 Disables the Windows task manager (taskmgr) 76->187 189 Disables Windows system restore 76->189 191 Disables the Windows registry editor (regedit) 76->191
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-02-07 08:09:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pevslc3dzrqkxlg4zeqywbavfacqqgz47dir32dvs2oh6b53a44a._file
Verdict:
malicious
Result
Malware family:
wannacry
Create hunting rule
Score:
  10/10
Tags:
family:badrabbit family:mimikatz family:troldesh family:wannacry bootkit discovery evasion persistence ransomware themida trojan upx worm
Link:
https://tria.ge/reports/220929-pt342abhbp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Modifies Control Panel
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies registry class
Modifies registry key
Modifies system certificate store
Runs net.exe
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Checks computer location settings
Drops startup file
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Themida packer
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Sets file execution options in registry
Stops running service(s)
UPX packed file
mimikatz is an open source tool to dump credentials on Windows
BadRabbit
Mimikatz
Modifies WinLogon for persistence
Troldesh, Shade, Encoder.858
Wannacry
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cf577cc0-7aa4-472a-a37a-b78e87360e92
Unpacked files
SH256 hash:
c26e67f93294ef08f6f45bc0dd03e3d6bc66a23dc44de6e9f557e991caa5da69
MD5 hash:
9c534f10d1201a193d9bccc7ae9d86e4
SHA1 hash:
8b63ebfe77f60ff977dc12b31b73fc975be95110
Link:
https://www.unpac.me/results/7f045afb-acc1-4576-b9c0-99c9db6b047f/
SH256 hash:
792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
MD5 hash:
e8583ee36603531bcf5001346c7474a7
SHA1 hash:
4a740bc0de76cf7597d001f5cb659b220de6dccd
Link:
https://www.unpac.me/results/7f045afb-acc1-4576-b9c0-99c9db6b047f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314816/

Comments