MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VanHelsing

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17
SHA3-384 hash:	b0d0d017cbc13093b52a1ce22d5508bda0f5edd35406e8a10d9cf1695a0922428cec1b9858fd68649d423b166b569c04
SHA1 hash:	79106dd259ba5343202c2f669a0a61b10adfadff
MD5 hash:	5c254d25751269892b6f02d6c6384aef
humanhash:	whiskey-nebraska-rugby-lima
File name:	86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17
Download:	download sample
Signature	VanHelsing Create hunting rule
File size:	1'476'096 bytes
First seen:	2025-03-17 10:00:36 UTC
Last seen:	2025-03-19 09:28:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e870a99add7c0b9f65f6f1716f8997a3 (1 x VanHelsing)
ssdeep	24576:lVN4zWHoN+fFqqPuD6Iedm2q3QKtgNIGqvKD9McwPDCkw6Bh0lhSMXlemqth5yR1:Fo5+fFqgdh02q3ntgNLqw9nwPDC7bODU
TLSH	T1AD65AE2175D0C077E0B315301ABCABB65A3EBA305B7589DF67D45A6E1E306C29A30B37
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	exe Ransomware Vanhelsing

Intelligence

File Origin

# of uploads :

# of downloads :

637

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17

Verdict:

No threats detected

Analysis date:

2025-03-17 10:11:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b5802356-08f2-4dc3-9f4a-e1c2b1936560

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d801003962f1a6f4724aca

Tags:

ransomware virus blic

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Creating a file

Changing a file

Connection attempt

Modifies multiple files

Creating a file in the %AppData% directory

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Reading critical registry keys

Creating a file in the Windows subdirectories

Stealing user critical data

Encrypting user's files

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmd fingerprint lolbin microsoft_visual_cc remote wmic

Link:

https://www.filescan.io/uploads/67d7f2e901edd28374b1ffed/reports/79d12407-a7ae-4207-8a63-5317a7e76235/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sysinternals

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8e5c9e0d-f2b4-4e39-96ef-01b8fc0ec3d6

Result

Threat name:

n/a

Detection:

malicious

Classification:

rans.spre.phis.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1640467

Signature

Changes the wallpaper picture

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Contains functionality to compare user and computer (likely to detect sandboxes)

Found evasive API chain checking for user administrative privileges

Found PSEXEC tool (often used for remote process execution)

Found Tor onion address

Joe Sandbox ML detected suspicious sample

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for submitted file

Overwrites Mozilla Firefox settings

Tries to harvest and steal browser information (history, passwords, etc)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17/

Threat name:

Win32.Exploit.Generic

Status:

Malicious

First seen:

2025-03-17 01:49:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q3mbevcprysq6g2suq3svkvyovszfdjwiry5cfowngumy7wfbylq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery ransomware spyware stealer

Link:

https://tria.ge/reports/250317-l1823sxsa1/

Behaviour

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

System Location Discovery: System Language Discovery

Drops file in Windows directory

Sets desktop wallpaper using registry

Reads user/profile data of web browsers

Renames multiple (253) files with added filename extension

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/93fae61f-0d91-4d87-90f7-f3da31ed3611

Unpacked files

SH256 hash:

86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17

MD5 hash:

5c254d25751269892b6f02d6c6384aef

SHA1 hash:

79106dd259ba5343202c2f669a0a61b10adfadff

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

38f803929f3400537abce3adb27fb360a562bb58ef6fef5670d8eda1af042cb9

MD5 hash:

901ae11d5e7648350343469a92fad606

SHA1 hash:

29ba6d7d33c1b73033258f5c353e6f3077c45109

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

a24b15869a883b405c5368c002f51086a3199744be4809bbbd04a7416f7b1db3

MD5 hash:

972ab5e9cef912813e59c58a9576b656

SHA1 hash:

080c87e36aada3c5ad27aac49fe668285808a709

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

2d83ba09f6dece1dc85dc9ae1814cc3b882fada56003a87f1489ba2e8d98bc67

MD5 hash:

e0a75c86c260c6a44ff23aaabeb0a20c

SHA1 hash:

d300997572da16caa73c0c9248ba68d9aaf2a5aa

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

f5926b3eb4cf4307e1a30600739f36c6875408609e44a7f3816de4b158dc9f59

MD5 hash:

75d3ef175872e9abb452f0238dc0a776

SHA1 hash:

9972006e582fe7a1ff6d7867ccd240f6bae1569d

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

22e3170cc418e2703c9579ab0988870bf3ef7edff2b6181158f3d4d2455b33c5

MD5 hash:

d3f7226f971df2704a50a5e1228b482d

SHA1 hash:

facc12bb5683d3402cd6ab0c30430bfcb6bb3864

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

8bbd2fe90567197faebeb7ab11329a1843897d4cacce99fc0020b043509b40af

MD5 hash:

bddf3bb99c6c7657b6efdfe596b4f8c9

SHA1 hash:

25da2c474a3961ee4a86b65aa90d4e41420723be

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

b7634d96d331a872a41bdf67df0fd4cca5b0705388bc96a441c029ec1c5c86d9

MD5 hash:

e6976968fc62f389e34f4e5599e9254c

SHA1 hash:

7db5f4359f3c8fffbe9fa23d83f2de7852c0edba

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

SH256 hash:

754468c69e79d0db2777831c452dcf7b8f6258b207e7a09d6b41fcff89d2de09

MD5 hash:

ad3c0cf9127622f84fa0ef7b88a39cdd

SHA1 hash:

2f427d20460d76f23e622d8d99386df11b638009

Link:

https://www.unpac.me/results/e42a20a3-2606-4727-bb28-72f2121b4972/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/86d812544f8e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
NET_SHARE_API	Can access Network Share	NETAPI32.dll::NetShareEnum
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateFileW KERNEL32.dll::MoveFileExW KERNEL32.dll::GetWindowsDirectoryW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyW ADVAPI32.dll::RegOpenKeyW ADVAPI32.dll::RegSetKeyValueW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample