MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cdd7e30c7091fd2fa3e879dd70087517412a165bf14c4ea4fd354337f22c415. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HiddenTear

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	7cdd7e30c7091fd2fa3e879dd70087517412a165bf14c4ea4fd354337f22c415
SHA3-384 hash:	bebadf8bf0025513663e486d223879be814f1deb697b5e39ff051f0c85329cdbe3e2765282952feadadea4dd82714558
SHA1 hash:	6458f256381d5fb99e01abb0736c1ae4bb906ea1
MD5 hash:	7b34f5ecb7c14244aaa6e330c620584a
humanhash:	vermont-three-coffee-lemon
File name:	Marozka.exe
Download:	download sample
Signature	HiddenTear Create hunting rule
File size:	220'160 bytes
First seen:	2022-04-22 19:51:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	3072:nKxM+lmsolAIrRuw+mqv9j1MWLQ5MTmmsolNIrRuw+mqv9j1MWLQUod:nz+lDAAfTmDANy
Threatray	4 similar samples on MalwareBazaar
TLSH	T11D2435E1A740C465D8A796B9843BDAA7A433A24EDC6C490C3D92FF0B7D723474027D9B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter	adm1n_usa32
Tags:	exe HiddenTear Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

722

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Marozka.zip

Verdict:

Malicious activity

Analysis date:

2019-06-26 19:32:58 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/e5b2d9c6-09ae-4fe1-8c6e-0051b97714b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/265929/

Detection(s):

Win.Ransomware.Hiddentear-9752356-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Changing a file

Reading critical registry keys

Behavior that indicates a threat

Creating a file

DNS request

Sending a custom TCP request

Moving of the original file

Stealing user critical data

Encrypting user's files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

filecoder hiddentear obfuscated packed ransomware

Link:

https://www.filescan.io/uploads/62630763ba81efdb400529d7/reports/e1b9fa37-e7d1-4633-93e2-a13e40517b9e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9c5e161b-113e-42d3-890e-c7355376a9e4

Result

Threat name:

HiddenTear

Detection:

malicious

Classification:

rans

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/981663

Signature

Antivirus / Scanner detection for submitted sample

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

May drop file containing decryption instructions (likely related to ransomware)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for submitted file

Yara detected HiddenTear ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cdd7e30c7091fd2fa3e879dd70087517412a165bf14c4ea4fd354337f22c415/

Threat name:

ByteCode-MSIL.Ransomware.HiddenTear

Status:

Malicious

First seen:

2019-03-29 23:48:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

38 of 42 (90.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ptox4mghbep5f6r6q6o5oaehkf2bfilfx4kmj2sp2nkdg7zcyqkq._file

Verdict:

malicious

HiddenTear

baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

HiddenTear

fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd

HiddenTear

Result

Malware family:

n/a

Score:

8/10

Tags:

ransomware

Link:

https://tria.ge/reports/220422-yldzlsffh3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Modifies extensions of user files

Unpacked files

SH256 hash:

7cdd7e30c7091fd2fa3e879dd70087517412a165bf14c4ea4fd354337f22c415

MD5 hash:

7b34f5ecb7c14244aaa6e330c620584a

SHA1 hash:

6458f256381d5fb99e01abb0736c1ae4bb906ea1

Link:

https://www.unpac.me/results/ecf3a62a-f46c-4ab4-b941-402d560fd817/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7cdd7e30c7091fd2fa3e879dd70087517412a165bf14c4ea4fd354337f22c415

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_RANSOM_COVID19_Apr20_1 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

Rule name:	MAL_RANSOM_COVID19_Apr20_1_RID2ECC Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_RANSOMWARE_Indicator_Jul20 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware indicator
Reference:	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

Rule name:	SUSP_RANSOMWARE_Indicator_Jul20_RID31A2 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware indicator
Reference:	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/265929/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample