MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cea77e77026b7fd48d2e2cc1eb6c7a4e020acadf44cfe2f5fe10fbcd1d3738c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CMLocker


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cea77e77026b7fd48d2e2cc1eb6c7a4e020acadf44cfe2f5fe10fbcd1d3738c
SHA3-384 hash: e67bc8df20836898ca8d19cfca05596cbc767f4cd19ab1a707d335a9e132decdbec862e21e1b01c7fe065af5a10a0e23
SHA1 hash: eb604d0e919f4779cc524f8a837f3437acac2833
MD5 hash: fbaeb3757e8d010e5da5f4366a77f88a
humanhash: bravo-magazine-oscar-virginia
File name:Client.bin
Download: download sample
Signature CMLocker
Create hunting rule
File size:1'129'472 bytes
First seen:2023-02-28 05:27:21 UTC
Last seen:2023-03-09 04:57:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:RTvx8CkABhpfYUSxw/V8LnGGS6xdCsIfvIMeEybL7pma6dc38FrDwUc:RTvS+nfxAnF1dCY7Ey1V6C3KrM
Threatray 176 similar samples on MalwareBazaar
TLSH T15535020FB958CF20C7C46EF985D79C3917A6E8A3BA72B34A2F48725C090577A9C43785
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon c184b0a0b0a0aee8 (1 x CMLocker, 1 x AsyncRAT, 1 x Worm.Ramnit)
Reporter petikvx
Tags:CmLocker

Intelligence

File Origin
# of uploads :
3
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Client.exe
Verdict:
Malicious activity
Analysis date:
2023-02-27 08:10:01 UTC
Tags:
evasion ransomware
Link:
https://app.any.run/tasks/9f4240c8-9c2d-480a-948d-798e65d715dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LockDown
Create hunting rule
Link:
https://www.capesandbox.com/analysis/370504/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.18583.7620.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a file in the %AppData% directory
Launching a process
Launching cmd.exe command interpreter
Creating a process with a hidden window
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Creating a file in the mass storage device
Unauthorized injection to a system process
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63fd90e6bbedb8176ff19f45/reports/4c0a9044-dc1e-46bf-ad7a-3e6905999603/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/7cea77e77026b7fd48d2e2cc1eb6c7a4e020acadf44cfe2f5fe10fbcd1d3738c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LockDown Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba1e7ad0-0fe4-4b4d-9026-849c2a1793a2
Result
Threat name:
CMLocker
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1183884
Signature
Antivirus detection for dropped file
Creates executable files without a name
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May drop file containing decryption instructions (likely related to ransomware)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes a notice file (html or txt) to demand a ransom
Yara detected CMLocker Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 816717 Sample: Client.bin.exe Startdate: 28/02/2023 Architecture: WINDOWS Score: 100 75 www.google.com 2->75 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus detection for dropped file 2->99 101 Multi AV Scanner detection for dropped file 2->101 103 7 other signatures 2->103 10 Client.bin.exe 1 6 2->10         started        13 WinSec.exe 2 2->13         started        15 WinSec.exe 2->15         started        signatures3 process4 file5 69 C:\Users\user\AppData\Local\Temp\sosis.exe, PE32 10->69 dropped 71 C:\ProgramData\WinSec.exe, PE32 10->71 dropped 73 C:\ProgramData\WinSec.exe:Zone.Identifier, ASCII 10->73 dropped 17 sosis.exe 4 10->17         started        21 WinSec.exe 3 10->21         started        process6 dnsIp7 59 C:\Users\user\AppData\Roaming\.exe, PE32 17->59 dropped 89 Antivirus detection for dropped file 17->89 91 Multi AV Scanner detection for dropped file 17->91 93 Machine Learning detection for dropped file 17->93 95 Creates executable files without a name 17->95 24 RegSvcs.exe 45 17->24         started        28 powershell.exe 3 17->28         started        77 127.0.0.1 unknown unknown 21->77 file8 signatures9 process10 file11 61 C:\Users\user\...\HELP_DECRYPT_YOUR_FILES.txt, Unicode 24->61 dropped 63 C:\Users\user\...\HELP_DECRYPT_YOUR_FILES.txt, Unicode 24->63 dropped 65 C:\Users\user\...\HELP_DECRYPT_YOUR_FILES.txt, Unicode 24->65 dropped 67 10 other malicious files 24->67 dropped 105 Drops a file containing file decryption instructions (likely related to ransomware) 24->105 107 Writes a notice file (html or txt) to demand a ransom 24->107 109 May encrypt documents and pictures (Ransomware) 24->109 111 Modifies existing user documents (likely ransomware behavior) 24->111 30 cmd.exe 24->30         started        33 cmd.exe 24->33         started        35 cmd.exe 24->35         started        37 chrome.exe 24->37         started        40 conhost.exe 28->40         started        signatures12 process13 dnsIp14 113 Deletes shadow drive data (may be related to ransomware) 30->113 42 conhost.exe 30->42         started        44 reg.exe 30->44         started        46 conhost.exe 33->46         started        48 vssadmin.exe 33->48         started        50 conhost.exe 35->50         started        52 vssadmin.exe 35->52         started        79 192.168.2.1 unknown unknown 37->79 81 239.255.255.250 unknown Reserved 37->81 54 chrome.exe 37->54         started        57 conhost.exe 37->57         started        signatures15 process16 dnsIp17 83 iplogger.com 148.251.234.93, 443, 49701 HETZNER-ASDE Germany 54->83 85 clients.l.google.com 142.251.143.110, 443, 49703 GOOGLEUS United States 54->85 87 8 other IPs or domains 54->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7cea77e77026b7fd48d2e2cc1eb6c7a4e020acadf44cfe2f5fe10fbcd1d3738c/
Threat name:
Win32.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 15:51:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ptvhpz3qe2372sgs4lgb5nwhutqcblfn6rgp4l274eh3zuotooga._file
Verdict:
malicious
Similar samples:
3d3ccb45761605f3cddf9c70d68dd7bc0e5661904b3f978d6e24bad724cbe958
CMLocker
43f13ec00b6df87637b5863be3ffe01fc85947a8918f567c1713dd8a4d6ba908
CMLocker
478bd9421ff11177d8974922f1eec334f1af15845054ce1dbc42b1c9bbd4a484
CMLocker
597e3670e4305971ce03454059d7c49ea1bb9a13425b04c403576cc0d3ffec48
CMLocker
8271b73c229772949561931797ba49d42098a5f9eb97276252462ba7c1261951
CMLocker
84ca5338192be829c40e31b95df0ddd56a46341841ab1d3d65c548c39f383808
CMLocker
a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a
CMLocker
cabc78e64293721adffb17e17e420bba3b3e1d04b6a43c40f650f8a5cb0b5c4f
CMLocker
eef81aa34f56adfef9816a5c91883b920da81ef467c75d3d26accee5eabe5f52
CMLocker
+ 166 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware trojan
Link:
https://tria.ge/reports/230228-f51cvahe51/
Behaviour
Enumerates system info in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
UAC bypass
Unpacked files
SH256 hash:
28329df83aec686059b64e8a8ad18d76ef525061466845985c6036ea6d78d2dd
MD5 hash:
d552feba3aa46e41e86890fe237a8b5e
SHA1 hash:
6b62ac3afd0a1f66f24e6e07e52bd5b218316366
Link:
https://www.unpac.me/results/6f98bca6-8e03-4a2e-af4a-4cd41521036b/
SH256 hash:
5fef2acf0b0289500ddfcbcbe45c95973c37d30eecdb2f5f20894a5f5b43ef31
MD5 hash:
f6d05f1f65b85eb1228f6524bb3773e8
SHA1 hash:
2c1a3b5de5d9e34e20fcf39671b4359abd38507c
Link:
https://www.unpac.me/results/6f98bca6-8e03-4a2e-af4a-4cd41521036b/
SH256 hash:
e7a0e63d3ea01c387241916f0584cbf4b8525248b85db18cfa5aa495e0bd3095
MD5 hash:
bcc1f397cce5aac3ed1f76932658a221
SHA1 hash:
cbbd37834cc1cad4ee2c54420a304e21f174cfe0
Link:
https://www.unpac.me/results/6f98bca6-8e03-4a2e-af4a-4cd41521036b/
SH256 hash:
7ac53f5c9c8995226e5e0a870a486108466b4ea0b90dcb3459888122e237bc2b
MD5 hash:
610172a8f80361f0c213fa280b092810
SHA1 hash:
8507cd165d91cb5408ad4ba923a58c795e0358d7
Link:
https://www.unpac.me/results/6f98bca6-8e03-4a2e-af4a-4cd41521036b/
SH256 hash:
7cea77e77026b7fd48d2e2cc1eb6c7a4e020acadf44cfe2f5fe10fbcd1d3738c
MD5 hash:
fbaeb3757e8d010e5da5f4366a77f88a
SHA1 hash:
eb604d0e919f4779cc524f8a837f3437acac2833
Link:
https://www.unpac.me/results/6f98bca6-8e03-4a2e-af4a-4cd41521036b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7cea77e77026/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/7cea77e77026b7fd48d2e2cc1eb6c7a4e020acadf44cfe2f5fe10fbcd1d3738c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370504/

Comments