MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackOut


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c
SHA3-384 hash: 59e988b3075c0872d4cd79f2f55b7c01714c74312cb03934823998fa5aa523ee7ac66a4c3ab4b9af4c9bd5c807f4d131
SHA1 hash: 29ec56bc6f8813521f0af2499665f78cb4c7517c
MD5 hash: 9073239b3b7b38bc0eabb124fac2194b
humanhash: skylark-moon-quebec-colorado
File name:84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c
Download: download sample
Signature BlackOut
Create hunting rule
File size:218'624 bytes
First seen:2022-04-12 08:55:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:fpJdaiVkrsoSZwROw0ZxHkLnmpnChUDOWNgiER+X15Okm18eQ1eeD9iYr+:hJIiVkIoX0XHkLnmuiAseQ1eM9iYr
Threatray 212 similar samples on MalwareBazaar
TLSH T100245A6E72D04F11E94869B8D2E7993003F3ED837273E38A3E5442965E527E88DCA7C5
Reporter struppigel
Tags:BlackOut exe MSIL Ransomware tomybank

Intelligence

File Origin
# of uploads :
1
# of downloads :
489
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
war.rtf
Verdict:
Malicious activity
Analysis date:
2022-03-18 04:19:28 UTC
Tags:
ole-embedded generated-doc exploit CVE-2017-11882
Link:
https://app.any.run/tasks/e2d2e679-935e-48b5-819c-41f3b33902dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262928/
Detection(s):
Win.Ransomware.DotNetCryptor-6959671-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Searching for the window
Changing a file
Creating a file in the %temp% subdirectories
Creating a file
Modifying an executable file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Reading critical registry keys
Creating a file in the Windows directory
Moving a recently created file
Running batch commands
Launching a process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Setting a single autorun event
Stealing user critical data
Creating a file in the mass storage device
Deleting volume shadow copies
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe filecoder obfuscated packed ransomware replace.exe
Link:
https://www.filescan.io/uploads/62553ea4eab80a7a6cff0ae4/reports/a006ee6b-9248-4d36-bde9-9c55f0539ae8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45e5ad4b-b986-4200-a932-e3a613310933
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/975210
Signature
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Disables the Windows task manager (taskmgr)
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c/
Threat name:
Win32.Ransomware.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-03-21 13:27:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
32 of 42 (76.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qt2bmfkdecxxk4pzgysneac7qrtsbkdmlgqahthwsootlgnx4uwa._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
163f0f159705867530e310ee48ffb66a057fba8a236ca2473c3de1d2f9ea48c9
BlackOut
6339a14fb049a069fed24b0a9827ab82710426e174139d172a6536bfb1519402
BlackOut
69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177
BlackOut
7910bae57ea65b0389078fce2009e479c73546df088973cbfbd55a8b783f27e1
BlackOut
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
BlackOut
d8973dcdc7704e93175add543a41e8322bdb15c4f92b2fa642713ed09681ffad
BlackOut
f70727686d1c3a2d0c67ef4de64837b484948a7f0c91a37996ecf4774aadc2da
BlackOut
+ 202 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware
Link:
https://tria.ge/reports/220412-kv8zfshefl/
Behaviour
Interacts with shadow copies
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Drops desktop.ini file(s)
Maps connected drives based on registry
Checks computer location settings
Deletes itself
Disables Task Manager via registry modification
Deletes shadow copies
Modifies boot configuration data using bcdedit
Unpacked files
SH256 hash:
84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c
MD5 hash:
9073239b3b7b38bc0eabb124fac2194b
SHA1 hash:
29ec56bc6f8813521f0af2499665f78cb4c7517c
Link:
https://www.unpac.me/results/3cd5a23c-6f86-4608-a032-4f898eb18101/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262928/

Comments