MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hive


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
SHA3-384 hash: ec65bfbb8208e3a9cc3e932da4887f8df9636d5feea9ccc624b9675fead8ee190d0f496199778bba35b5c9a5eea0b1ba
SHA1 hash: 26dde522d6f3f87ac982495028494c7f50799696
MD5 hash: 32bd8e6843879a761e6fa9436a90bb66
humanhash: four-india-india-arkansas
File name:installer
Download: download sample
Signature Hive
Create hunting rule
File size:4'036'096 bytes
First seen:2022-01-05 07:35:35 UTC
Last seen:2022-01-05 10:12:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:raOpVvyV0G+7rb/T2vO90dL3BmAFd4A64nsfJcdXuvPDj03G+m+96CqPrsbg11V8:raP06d+X/M/LiruVk
Threatray 20 similar samples on MalwareBazaar
TLSH T17416C747B8B1B6E4C89583740D5165DCE930340E2768A3FB57A153612BA2FE87FB3B90
Reporter itsdhanunjaya_v
Tags:exe Hive

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
installer
Verdict:
No threats detected
Analysis date:
2022-01-05 07:41:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b27f4db7-8566-421d-b2e0-4d91065f2068

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217387/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.19242.19557.1952.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Launching a process
Creating a file in the mass storage device
Launching the process to interact with network services
Blocking the Windows Defender launch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cobalt filecoder razy
Link:
https://www.filescan.io/uploads/61d54a6692bdc4b4077fdb51/reports/c1edd1fe-cf4e-47e6-8233-7046f0f4b93c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Hive Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69ef2c6e-e4e0-4827-84a5-9d97ce0df3e5
Result
Threat name:
Hive
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/915695
Signature
Disables Windows Defender (deletes autostart)
Found Tor onion address
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Uses cmd line tools excessively to alter registry or file data
Yara detected Hive Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548173 Sample: installer Startdate: 05/01/2022 Architecture: WINDOWS Score: 72 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected Hive Ransomware 2->48 50 Found Tor onion address 2->50 52 Sigma detected: Copying Sensitive Files with Credential Data 2->52 7 installer.exe 1 2->7         started        process3 file4 38 vstoee90.tlb.uICf2..._AAAAAAAAAAA0.bvddx, PE32+ 7->38 dropped 40 vstoee100.tlb.uICf..._AAAAAAAAAAA0.bvddx, PE32+ 7->40 dropped 42 oregres.dll.mui.uI..._AAAAAAAAAAA0.bvddx, PE32 7->42 dropped 44 stopwords.ENU.uICf..._AAAAAAAAAAA0.bvddx, PE32 7->44 dropped 54 Uses cmd line tools excessively to alter registry or file data 7->54 11 reg.exe 1 1 7->11         started        14 net.exe 1 7->14         started        16 net.exe 1 7->16         started        18 17 other processes 7->18 signatures5 process6 signatures7 56 Disables Windows Defender (deletes autostart) 11->56 20 conhost.exe 11->20         started        22 conhost.exe 14->22         started        24 net1.exe 1 14->24         started        26 conhost.exe 16->26         started        28 net1.exe 1 16->28         started        30 conhost.exe 18->30         started        32 conhost.exe 18->32         started        34 conhost.exe 18->34         started        36 20 other processes 18->36 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177/
Threat name:
Win64.Ransomware.HiveCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-12-26 03:34:56 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 43 (46.51%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1df11bc19aa52b623bdf15380e3fded56d8eb6fb7b53a2240779864b1a6474ad
Hive
460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984
Hive
47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
Hive
76960749ed11d97582923e31d59115910ae74d8753c8e92f918f604ca8a0d26d
Hive
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63
Hive
a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850
Hive
+ 10 additional samples on MalwareBazaar
Result
Malware family:
hive
Create hunting rule
Score:
  10/10
Tags:
family:hive evasion ransomware spyware stealer trojan
Link:
https://tria.ge/reports/220105-je9elsadck/
Behaviour
Interacts with shadow copies
Opens file in notepad (likely ransom note)
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Reads user/profile data of web browsers
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Deletes Windows Defender Definitions
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
Unpacked files
SH256 hash:
87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
MD5 hash:
32bd8e6843879a761e6fa9436a90bb66
SHA1 hash:
26dde522d6f3f87ac982495028494c7f50799696
Link:
https://www.unpac.me/results/e897287e-6b0c-43be-b1f3-e76425f688e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217387/

Comments