MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 1 Comments

SHA256 hash: 7af61ce420051640c50b0e73e718dd8c55dddfcb58917a3bead9d3ece2f3e929
SHA3-384 hash: abddb4502ebe7a7a6a5c0e31b83eccdbe0011b44ee02b6742e66ea5f0b9244cd6e1188bb4b902acd788b7f8451a6d9d5
SHA1 hash: 60747604d54a18c4e4dc1a2c209e77a793e64dde
MD5 hash: 3ca359f5085bb96a7950d4735b089ffe
humanhash: april-butter-berlin-texas
File name:edp_ragnarlocker
Download: download sample
Signature RagnarLocker
File size:48'640 bytes
First seen:2020-08-01 02:08:10 UTC
Last seen:2020-08-03 10:01:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 839139e8d46f551df7ae96cb6ef00736
ssdeep 768:BpBsvKMNyoq65co7Bjd/3oqab0k3R2pXlj+Bnk:BpPM4o4qFoqaXC+6
TLSH 2C235C214697E056E9930874312BBCE9FA7D5A718758EBE3BE001C81287D9F2962C773
Reporter @JAMESWT_MHT
Tags:RagnarLocker

Intelligence


File Origin
# of uploads :
2
# of downloads :
39
Origin country :
IT IT
Mail intelligence
No data
Vendor Threat Intelligence
Gathering data
Result
Threat name:
RagnarLocker
Detection:
malicious
Classification:
rans.spyw.evad
Score:
92 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to extract many sensitive information (likely to send to a C&C)
Contains functionality to infect the boot sector
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Sigma detected: Delete shadow copy via WMIC
Writes many files with high entropy
Yara detected RagnarLocker ransomware
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255505 Sample: edp_ragnarlocker Startdate: 01/08/2020 Architecture: WINDOWS Score: 92 29 Yara detected RagnarLocker ransomware 2->29 31 Sigma detected: Delete shadow copy via WMIC 2->31 33 May disable shadow drive data (uses vssadmin) 2->33 35 3 other signatures 2->35 7 edp_ragnarlocker.exe 501 2->7         started        11 notepad.exe 2->11         started        process3 file4 21 C:\Users\user\Desktop\...21VWZAPQSQL.docx, Unknown 7->21 dropped 23 C:\Users\user\DesktopbehaviorgraphRXZDKKVDB.pdf, Unknown 7->23 dropped 25 C:\Users\user\Desktop\...FOYFBOLXA.docx, Unknown 7->25 dropped 27 131 other malicious files 7->27 dropped 37 May disable shadow drive data (uses vssadmin) 7->37 39 Contains functionality to infect the boot sector 7->39 41 Deletes shadow drive data (may be related to ransomware) 7->41 43 4 other signatures 7->43 13 WMIC.exe 1 7->13         started        15 vssadmin.exe 1 7->15         started        signatures5 process6 process7 17 conhost.exe 13->17         started        19 conhost.exe 15->19         started       
Threat name:
Win32.Ransomware.Ragnar
Status:
Malicious
First seen:
2020-04-29 05:39:31 UTC
AV detection:
29 of 31 (93.55%)
Threat level
  5/5
Result
Malware family:
ragnarlocker
Score:
  10/10
Tags:
ransomware persistence family:ragnarlocker bootkit
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Drops file in Program Files directory
Modifies service
Writes to the Master Boot Record (MBR)
Drops startup file
Modifies extensions of user files
Deletes shadow copies
RagnarLocker
Threat name:
Filecoder
Score:
1.00

Yara Signatures


Rule name:ragnarlocker_ransomware
Author:Christiaan Beek | Marc Rivero | McAfee ATR Team
Description:Rule to detect RagnarLocker samples
Reference:https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments