MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LCRYX


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4
SHA3-384 hash: b931abac71cab0a2808c90041b4ff18636db0361abd8493c87dad1da2732d8e8c47ff034e35e057ee6e6a3e581063f99
SHA1 hash: d414af7b30105b7845fcfe4360a4ae3b67a8e883
MD5 hash: ce03d8554a2bad706ac9dafddd149e23
humanhash: double-princess-floor-ceiling
File name:LCrypt0rX.vbs
Download: download sample
Signature LCRYX
Create hunting rule
File size:26'051 bytes
First seen:2025-04-26 10:47:33 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:y8en+HbpBStxYUQHSH7l+iyDbKUzbGvP9Sy+y3vh01phlUuW6:in2fDRbg73vg1Uc
TLSH T1BAC297025D1B8925D4F6E39122ABEC1ED7B5F3A7A8618D1435CCD8905B35FCC89B40EE
Magika vba
Reporter zhuzhu0009
Tags:LCRYX vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4183/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680cbafb3d067f848399839b
Tags:
ransomware virus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint notepad persistence powershell
Link:
https://www.filescan.io/uploads/680cb9ea218c4a98ade2f56b/reports/4f30bff1-433d-49c4-a54a-2a4634d429a9/overview
Verdict:
Malicious
Labled as:
Ransom.Python.O.Generic
Link:
https://www.hybrid-analysis.com/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4
Result
Threat name:
LCRYX
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1674695
Signature
Changes the wallpaper picture
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates files inside the volume driver (system volume information)
Creates multiple autostart registry keys
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disable Task Manager(disabletaskmgr)
Disables CMD prompt
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables UAC (registry)
Disables Windows Defender (via service or powershell)
Excessive usage of taskkill to terminate processes
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
May disable shadow drive data (uses vssadmin)
Modifies the hosts file
Modifies the windows firewall
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Queries Google from non browser process on port 80
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes a notice file (html or txt) to demand a ransom
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Ransomware
Yara detected LCRYX Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1674695 Sample: LCrypt0rX.vbs Startdate: 26/04/2025 Architecture: WINDOWS Score: 100 76 www.mediafire.com 2->76 78 www.google.com 2->78 80 3 other IPs or domains 2->80 94 Multi AV Scanner detection for submitted file 2->94 96 Yara detected LCRYX Ransomware 2->96 98 Yara detected Generic Ransomware 2->98 100 11 other signatures 2->100 10 wscript.exe 1 2->10         started        13 wbuser.exe 2->13         started        15 vdsldr.exe 2->15         started        17 vds.exe 2->17         started        signatures3 process4 signatures5 128 VBScript performs obfuscated calls to suspicious functions 10->128 130 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->130 132 Wscript starts Powershell (via cmd or directly) 10->132 136 12 other signatures 10->136 19 wscript.exe 31 25 10->19         started        134 Creates files inside the volume driver (system volume information) 13->134 process6 dnsIp7 82 www.google.com 192.178.49.164, 49687, 80 GOOGLEUS United States 19->82 84 www.mediafire.com 104.17.151.117, 443, 49688 CLOUDFLARENETUS United States 19->84 68 C:\Windows\advapi32_ext.vbs, ASCII 19->68 dropped 70 C:\Windows\System32\systemconfig.exe.vbs, ASCII 19->70 dropped 72 C:\Windows\System32\drivers\etc\hosts, ASCII 19->72 dropped 74 5 other malicious files 19->74 dropped 102 System process connects to network (likely due to code injection or exploit) 19->102 104 Wscript starts Powershell (via cmd or directly) 19->104 106 Creates an undocumented autostart registry key 19->106 108 19 other signatures 19->108 24 wscript.exe 19->24         started        27 cmd.exe 1 19->27         started        29 cmd.exe 1 19->29         started        31 10 other processes 19->31 file8 signatures9 process10 dnsIp11 110 Excessive usage of taskkill to terminate processes 24->110 34 taskkill.exe 24->34         started        36 taskkill.exe 24->36         started        38 taskkill.exe 24->38         started        50 173 other processes 24->50 112 May disable shadow drive data (uses vssadmin) 27->112 114 Uses ping.exe to sleep 27->114 116 Deletes shadow drive data (may be related to ransomware) 27->116 126 3 other signatures 27->126 40 conhost.exe 27->40         started        42 vssadmin.exe 1 29->42         started        45 conhost.exe 29->45         started        86 192.168.2.1, 80 unknown unknown 31->86 88 192.168.2.6, 138, 443, 49687 unknown unknown 31->88 90 www.fanfiction.net.cdn.cloudflare.net 104.18.19.242, 443, 49694, 49697 CLOUDFLARENETUS United States 31->90 118 System process connects to network (likely due to code injection or exploit) 31->118 120 Found Tor onion address 31->120 122 Windows Scripting host queries suspicious COM object (likely to drop second stage) 31->122 124 Loading BitLocker PowerShell Module 31->124 47 PING.EXE 31->47         started        52 7 other processes 31->52 signatures12 process13 dnsIp14 54 conhost.exe 34->54         started        56 conhost.exe 36->56         started        58 conhost.exe 38->58         started        138 Deletes shadow drive data (may be related to ransomware) 42->138 92 fanfiction.net 174.138.110.4 DIGITALOCEAN-ASNUS United States 47->92 60 conhost.exe 50->60         started        62 conhost.exe 50->62         started        64 conhost.exe 50->64         started        66 170 other processes 50->66 signatures15 process16
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-26 10:50:20 UTC
File Type:
Text (VBS)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pppiidd6rq3nzzgdxletpphtt43kn4iyaanua273xqsukhhej62a._file
Verdict:
malicious
Label(s):
genericransomware
Create hunting rule
Similar samples:
error
LCRYX
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution impact persistence privilege_escalation ransomware trojan
Link:
https://tria.ge/reports/250426-mv6v7stvcs/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Kills process with taskkill
Modifies Control Panel
Modifies registry class
Opens file in notepad (likely ransom note)
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Drops file in System32 directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks whether UAC is enabled
Command and Scripting Interpreter: PowerShell
Indicator Removal: Clear Persistence
Checks computer location settings
Blocklisted process makes network request
Blocks application from running via registry modification
Deletes backup catalog
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Drops file in Drivers directory
Event Triggered Execution: Image File Execution Options Injection
Modifies Windows Firewall
Deletes shadow copies
Modifies WinLogon for persistence
UAC bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:Detects command variations typically used by ransomware
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/031685cd-ad1b-49ad-9e73-359617b835a7
Cape
Cape
https://www.capesandbox.com/analysis/4183/

Comments