MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zeppelin

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
SHA3-384 hash:	99d02239f095e8c0d6c037e6871bb4dd059e7e794d31f04d559dcb8aa9fa5ea2951ae71b510520bddaf414ca04b883d5
SHA1 hash:	2c363ae3d852b727cdb94e58fe656f54caa97e3b
MD5 hash:	32cde8ee26dee01ba73a2e6a245b7976
humanhash:	football-fanta-kansas-north
File name:	32cde8ee26dee01ba73a2e6a245b7976.exe
Download:	download sample
Signature	Zeppelin Create hunting rule
File size:	1'631'232 bytes
First seen:	2020-11-04 14:06:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0bdd0f4049bbdb0c55b8eb2942d26f10 (1 x Zeppelin)
ssdeep	24576:MZKeyIEwGpKGfGe5dwddAeiHLFO90rgbNAxFKWlyaDdt42Cuq3o/8l9C15t:MZV8wufzCMlgBAmSDdq2FEls5t
Threatray	9 similar samples on MalwareBazaar
TLSH	8175CF227A91D475E29E783ADE10C1FD2561BDA9DD7490A331C03F3FB93B142827EA61
Reporter	abuse_ch
Tags:	buran exe Ransomware Zeppelin

Intelligence

File Origin

# of uploads :

1

# of downloads :

2'013

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/82910/

Detection(s):

SecuriteInfo.com.Generic.mg.32cde8ee26dee01b.8200.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Creating a file in the %temp% directory

Deleting a recently created file

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Zeppelin

Detection:

malicious

Classification:

rans.troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/520207

Signature

Contains functionality to inject threads in other processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Yara detected Zeppelin Ransomware

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-11-04 14:08:08 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pwaj5de3tdawmr537lcjqvgcr3gd7zwugrkbbxxku6keltcqz5iq._file

Verdict:

malicious

Label(s):

gozi

Similar samples:

0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686

15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50

24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085

39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

4b7a2dff949a14956a679adb981bbec0aec0e198c04a454f54c5e9dcf5854b54

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

dac7b64601ffa3176296bc0647aa7cd30c50b95ea5002410000439ce506b5b9e

f40b9e6f7cfed63bba3b6eae6b0403ab26906caa77830027ed39a05918c4b877

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/201104-vr7be21v96/

Behaviour

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Program crash

Looks up external IP address via web service

Unpacked files

SH256 hash:

7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51

MD5 hash:

32cde8ee26dee01ba73a2e6a245b7976

SHA1 hash:

2c363ae3d852b727cdb94e58fe656f54caa97e3b

Link:

https://www.unpac.me/results/bfebc83a-9f35-4819-b0c9-bf661411e436/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51

(this sample)

Cape

Cape

https://www.capesandbox.com/analysis/82910/

URLhaus

https://urlhaus.abuse.ch/url/786033/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/786032/

URLhaus

https://urlhaus.abuse.ch/url/786030/

URLhaus

https://urlhaus.abuse.ch/url/786036/

URLhaus

https://urlhaus.abuse.ch/url/786034/

URLhaus

https://urlhaus.abuse.ch/url/786031/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample