MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8345bf3e9dae0a447bc1c65c99fa0e102e7f0f3fd77f137cc5c876ceb2a647b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8345bf3e9dae0a447bc1c65c99fa0e102e7f0f3fd77f137cc5c876ceb2a647b7
SHA3-384 hash: 0e3928fae328b5dbac38e1387ec0382988e56fa53f3fe62f78d3facd1384a6b0c125706b0ec58466789fa7cd62f35126
SHA1 hash: a29470726257be913e2c7bfdef442b8feb1416d0
MD5 hash: 2823b0c52e04d89b0e66bdc12c273cae
humanhash: edward-high-oranges-fruit
File name:SecuriteInfo.com.widgetinfecté.Gen.Variant.Bulz.313019.26335.15693
Download: download sample
File size:3'712'589 bytes
First seen:2021-01-23 17:50:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81be19b89ecddb8d6e738108e9610011
ssdeep 98304:yxZui4e3CtjyrdguKdonlmGXyPS4qLLus8gV:ybXKjK2jKlmGCPS48LNpV
Threatray 11 similar samples on MalwareBazaar
TLSH 5D063321B0E09232C41678B54915E6F16EBB3C790BB31ADF6FD8967CFE246E15222347
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.widgetinfecté.Gen.Variant.Bulz.313019.26335.15693
Verdict:
Malicious activity
Analysis date:
2021-01-23 17:52:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/29c6d005-d5a9-4e73-a17a-a369fed7488d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113633/
Detection(s):
SecuriteInfo.com.widgetinfect.Gen.Variant.Bulz.313019.26335.15693.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Deleting a recently created file
Forced system process termination
Launching the process to interact with network services
Possible injection to a system process
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/588901
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Creates files in alternative data streams (ADS)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Machine Learning detection for sample
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Renames wscript.exe to bypass HIPS
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343471 Sample: SecuriteInfo.com.widgetinfe... Startdate: 23/01/2021 Architecture: WINDOWS Score: 100 74 Antivirus detection for dropped file 2->74 76 Antivirus / Scanner detection for submitted sample 2->76 78 Sigma detected: Dot net compiler compiles file from suspicious location 2->78 80 4 other signatures 2->80 10 SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.26335.exe 12 2->10         started        14 explorer.exe 1 2->14         started        process3 file4 68 C:\Users\user\AppData\...\events.dll:widget, PE32+ 10->68 dropped 70 C:\Users\user\AppData\Local\...\events.dll, PE32+ 10->70 dropped 94 Detected unpacking (changes PE section rights) 10->94 96 Detected unpacking (overwrites its own PE header) 10->96 98 Creates files in alternative data streams (ADS) 10->98 16 cmd.exe 1 10->16         started        100 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 14->100 18 powershell.exe 53 14->18         started        signatures5 process6 file7 22 cmd.exe 1 16->22         started        24 conhost.exe 1 16->24         started        58 C:\Windows\Branding\mediasvc.png, PE32+ 18->58 dropped 60 C:\Windows\Branding\mediasrv.png, PE32+ 18->60 dropped 62 C:\Users\user\AppData\...\a304wepd.cmdline, UTF-8 18->62 dropped 82 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 18->82 84 Powershell drops PE file 18->84 26 reg.exe 18->26         started        29 csc.exe 18->29         started        32 powershell.exe 18->32         started        34 4 other processes 18->34 signatures8 process9 file10 36 cmd.exe 1 22->36         started        38 conhost.exe 22->38         started        40 ipconfig.exe 1 22->40         started        50 3 other processes 22->50 92 Creates a Windows Service pointing to an executable in C:\Windows 26->92 72 C:\Users\user\AppData\Local\...\a304wepd.dll, PE32 29->72 dropped 42 cvtres.exe 29->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        signatures11 process12 process13 52 rundll32.exe 36->52         started        process14 54 rundll32.exe 5 52->54         started        file15 64 C:\Users\user\AppData\Local\...\explorer.exe, PE32+ 54->64 dropped 66 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 54->66 dropped 86 Renames wscript.exe to bypass HIPS 54->86 88 Creates processes via WMI 54->88 90 Drops PE files with benign system names 54->90 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8345bf3e9dae0a447bc1c65c99fa0e102e7f0f3fd77f137cc5c876ceb2a647b7/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-23 17:51:05 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0f12408c06ccf60608a60572d521bbc8012e6ce7e0d701781a0a33e0e1fd1519
10892007582c3c09a01a4de7ac9e2ca434704396e5cc899f26c9f83a626da2b5
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
261603776412fc9028feb04ba71a42c5d6bd99c0e4fbb4610d19e6d649dba700
2c8ea0f991d74146f056e4ed453e92ad1798daf2878f5520f54cf3d70d607613
32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757
c2d9409c2209201334bd83a2e1257be8adc7506019a721abe359249dbd74eced
d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c
fc1b36e39f87cff2c9076a7e8316af297255a92824338b19b69022b47a47daa6
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
ransomware upx
Link:
https://tria.ge/reports/210123-jtm8nlltss/
Behaviour
Delays execution with timeout.exe
Gathers network information
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
4aadcb7664d02ccc43cc12f80c4e6d68ef25670c02cde5a5c3f61cf929c43102
MD5 hash:
a91b3b3b7c48536ed1537884e3e8674f
SHA1 hash:
29daf8e47ccf1cfd0b0a126ceaea842019a55d57
Link:
https://www.unpac.me/results/2cd2107c-bec0-447b-be31-d3d0d43327ed/
SH256 hash:
8345bf3e9dae0a447bc1c65c99fa0e102e7f0f3fd77f137cc5c876ceb2a647b7
MD5 hash:
2823b0c52e04d89b0e66bdc12c273cae
SHA1 hash:
a29470726257be913e2c7bfdef442b8feb1416d0
Link:
https://www.unpac.me/results/2cd2107c-bec0-447b-be31-d3d0d43327ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8345bf3e9dae0a447bc1c65c99fa0e102e7f0f3fd77f137cc5c876ceb2a647b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113633/

Comments