MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
SHA3-384 hash:	d4f57dbe87c8ac537761b761e0e6caa7899fe1aeaf5c68f2678dc7ecf4631aaac5cbe94d6f2e3d7ffb847e18ec6cf1c3
SHA1 hash:	a598e6708c189caeef1fa76064feb4d0155abb3d
MD5 hash:	7d1ed67b77f47ba8aadf9a3ac7d0c371
humanhash:	floor-eight-apart-happy
File name:	87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
Download:	download sample
File size:	2'282'496 bytes
First seen:	2022-02-09 12:42:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	54ce29e4dfd1dee03bad48f3aeeaf188
ssdeep	49152:nblXNZD9GPXnd3xxP3CPGtPcFblXNZD9GPXnd3xxP3CPGtPc:bl9Nwd6hl9Nwd6
Threatray	4'649 similar samples on MalwareBazaar
TLSH	T184B59D30BA82D136E56101F04FB8EB9A55ADF9290F3647CF73D44A2D69319D20E36E63
Reporter	struppigel
Tags:	exe Ransomware sc0rpio

struppigel

????Sc0rpio@mailfence.com
????Sc0rpio@cock.li
????\ReadMe_Now!.hta
????\Read_Me!_.txt
????C:\Users\Unknown\source\repos\ConsoleApplication5\Release\_out.pdb

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae.exe

Verdict:

Malicious activity

Analysis date:

2022-02-09 19:19:45 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/3e1094c9-2a68-4e58-922f-9ca0575f973a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/239517/

Detection(s):

SecuriteInfo.com.Trojan.Encoder.34930.15492.4779.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Running batch commands

Launching a process

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Creating a file

DNS request

Сreating synchronization primitives

Creating a process from a recently created file

Creating a window

Creating a file in the Windows directory

Creating a process with a hidden window

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6508/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug cmd.exe control.exe explorer.exe fingerprint greyware overlay schtasks.exe shell32.dll stealer update.exe

Link:

https://www.filescan.io/uploads/6203b6da845a69d77351999f/reports/a2740739-f694-4bcb-951d-6b9a2c44a994/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6bd27587-0c65-4726-8a62-f1695cb3a5af

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.spre.troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936915

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae/

Threat name:

Win32.Ransomware.CryptoLock

Status:

Malicious

First seen:

2022-02-06 04:56:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Verdict:

malicious

Label(s):

ryuk

33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3

353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f

49921fa466e1dc65ea6c037726015a69c634fc1631a2e379bfb3d7cf7644bcad

581122114ad28f404b2cc4f8df5d77b6ed447f8f26f862960bb0181776bfacd9

91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9

a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461

cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f

e0ba6af5f371f64548b29d2abb11a8e01cec53aed1a3af8e6d70813ce8732e83

e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c

+ 4'639 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence ransomware spyware stealer trojan

Link:

https://tria.ge/reports/220209-pxxfnaacg9/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Delays execution with timeout.exe

Enumerates processes with tasklist

Gathers system information

Interacts with shadow copies

Kills process with taskkill

Modifies data under HKEY_USERS

Modifies registry class

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Modifies Windows Firewall

Deletes shadow copies

UAC bypass

Unpacked files

SH256 hash:

87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae

MD5 hash:

7d1ed67b77f47ba8aadf9a3ac7d0c371

SHA1 hash:

a598e6708c189caeef1fa76064feb4d0155abb3d

Detections:

win_void_auto

Link:

https://www.unpac.me/results/a482533d-a77b-4d4b-87af-fa684d4cd802/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/239517/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample