MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ryuk


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
SHA3-384 hash: ac1c566b6bea92023562ba87e2bbc4288030bb9474ebf6c9ec9f675e684a2fd68dac87f8644f6b7b61dc74bc39ddae0e
SHA1 hash: bffb380ef3952770464823d55d0f4dfa6ab0b8df
MD5 hash: 0eed6a270c65ab473f149b8b13c46c68
humanhash: kitten-don-chicken-yellow
File name:7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.bin
Download: download sample
Signature Ryuk
Create hunting rule
File size:279'664 bytes
First seen:2021-03-21 03:04:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 486ce563ebcda011bada80d689878d7b (1 x Ryuk)
ssdeep 3072:n/YRw64GUbH9dpWYEFq5hY9e1Z36NS31gs03ApyCb6DnE/PdrfS6sOK5hI+z7XI:Qa6owYEFq5hY9aqNS1y4/PdzS+s64I
Threatray 4 similar samples on MalwareBazaar
TLSH 87547D0E1F4CE8AFE797C27DF45992F20948AF289FE12A5362D43D33B8F26D11614625
Reporter Arkbird_SOLG
Tags:Ransomware Ryuk signed

Code Signing Certificate

Organisation:Kaspersky Lab
Issuer:VeriSign Class 3 Code Signing 2009-2 CA
Algorithm:sha1WithRSAEncryption
Valid from:2010-03-08T00:00:00Z
Valid to:2011-03-08T23:59:59Z
Serial number: 07be8f83f4455021f4e24fb021fca24a
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: bac4c0d47deb8fc2cfea50cd56e2091b5d4c597a032ed5791b42061b8181df18
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
ArkbirdDevil
Thanks to @struppigel for the detection

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'986
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.bin
Verdict:
No threats detected
Analysis date:
2021-03-21 03:07:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/08a8b08a-9fb4-4cdd-9f1a-7ae6a6a81e10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Razy.852916.9686.6672.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b17d9eeb-1367-4d1b-8287-4ba07570f4c9
Result
Threat name:
Ryuk
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/646999
Signature
Antivirus / Scanner detection for submitted sample
Creates files in the recycle bin to hide itself
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Opens network shares
PE file has a writeable .text section
Sigma detected: Wake-On-Lan
Sigma detected: WannaCry Ransomware
Writes many files with high entropy
Yara detected Ryuk ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372468 Sample: o2mcBD6Tu7.bin Startdate: 21/03/2021 Architecture: WINDOWS Score: 100 52 Sigma detected: WannaCry Ransomware 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 4 other signatures 2->58 7 o2mcBD6Tu7.exe 502 2->7         started        process3 file4 34 C:\Users\...\iSyMGmNoTlan.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\Desktop\iSyMGmNoTlan.exe, MS-DOS 7->36 dropped 38 C:\Users\...\fDZGeWUElrep.exe:Zone.Identifier, ASCII 7->38 dropped 40 61 other files (51 malicious) 7->40 dropped 60 Creates files in the recycle bin to hide itself 7->60 62 Writes many files with high entropy 7->62 11 iSyMGmNoTlan.exe 7->11         started        15 fDZGeWUElrep.exe 2 7->15         started        18 net.exe 7->18         started        20 10 other processes 7->20 signatures5 process6 dnsIp7 42 C:\ProgramData\Microsoft42etwork\...\qmgr.db, data 11->42 dropped 44 C:\ProgramData\Microsoft44etwork\...\edb.log, data 11->44 dropped 64 Writes many files with high entropy 11->64 46 192.168.2.100 unknown unknown 15->46 48 192.168.2.101 unknown unknown 15->48 50 98 other IPs or domains 15->50 66 Opens network shares 15->66 22 conhost.exe 18->22         started        24 net1.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 20->28         started        30 conhost.exe 20->30         started        32 11 other processes 20->32 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed/
Threat name:
Win32.Infostealer.Dridex
Create hunting rule
Status:
Malicious
First seen:
2021-03-18 10:05:45 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6xlmtcqzuk5anwkewnai7lmmlwush77g4uugp7pxifqfqcz2xwq._file
Verdict:
unknown
Similar samples:
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f
Ryuk
5833c87bcb55898337f74a84402e525cab70a611276e3e2faa9e880ff4059ba3
Ryuk
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
Ryuk
f1b22c0b6c144d82a0e470b2c6a649135a4f212ade39c8135e0273ec100ff34c
Ryuk
Unpacked files
SH256 hash:
6db4d7e054297e945afa365bb96ef3f8e1c2bdacdffdd08f6d0bc8e496af1403
MD5 hash:
f3ed01ac5759e4a59111b74de291e5b3
SHA1 hash:
c15b26fe574c82af97ecb71ca426bc4c5a9f278f
Detections:
win_ryuk_auto
Create hunting rule
Link:
https://www.unpac.me/results/7fd2b801-f810-4501-bd8f-ef8fc281a754/
SH256 hash:
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
MD5 hash:
0eed6a270c65ab473f149b8b13c46c68
SHA1 hash:
bffb380ef3952770464823d55d0f4dfa6ab0b8df
Link:
https://www.unpac.me/results/7fd2b801-f810-4501-bd8f-ef8fc281a754/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7faeb64c50cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments