MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hive


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
SHA3-384 hash: 32771c4cdc2703b504a67ab571a470da9b0d51349abf36c64c70f65ddd03a05b9ea27c803bb262f8287c22fe1623391e
SHA1 hash: 9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
MD5 hash: 2f9fc82898d718f2abe99c4a6fa79e69
humanhash: muppet-fifteen-jupiter-six
File name:88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
Download: download sample
Signature Hive
Create hunting rule
File size:782'394 bytes
First seen:2021-07-03 15:44:39 UTC
Last seen:2021-07-04 04:23:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (449 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH
TLSH 97F423F804553C05C4A6B3F5CA8F7BCF81C5183A65CAFB48DF1CA92869FA0609525A9F
Reporter Finch39487976
Tags:exe Hive Ransomware

Intelligence

File Origin
# of uploads :
3
# of downloads :
493
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
Verdict:
Malicious activity
Analysis date:
2021-07-03 15:46:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0c96976-1433-4540-8bbe-d69a188ae55b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.9462.12453.10694.UNOFFICIAL
Create hunting rule

Malware family:
Hive Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25922b50-80dc-48eb-942a-1668d55e2bc3
Result
Threat name:
Hive
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811446
Signature
Antivirus / Scanner detection for submitted sample
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
May encrypt documents and pictures (Ransomware)
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Writes many files with high entropy
Yara detected Hive Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443857 Sample: YjC1HDPQ2u Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 34 Antivirus / Scanner detection for submitted sample 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Hive Ransomware 2->38 40 5 other signatures 2->40 7 YjC1HDPQ2u.exe 502 2->7         started        process3 file4 26 d3dcompiler_47.dll...hc_pnRKC8AckVI.hive, Unknown 7->26 dropped 28 chrome_pwa_launche...GReSPcbByl6DnQ.hive, Unknown 7->28 dropped 30 chrome_elf.dll.NSO...XMMPuQcNglbT04.hive, Unknown 7->30 dropped 32 137 other malicious files 7->32 dropped 42 Creates files in the recycle bin to hide itself 7->42 44 May encrypt documents and pictures (Ransomware) 7->44 46 Writes many files with high entropy 7->46 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        signatures5 process6 signatures7 48 Deletes shadow drive data (may be related to ransomware) 11->48 16 timeout.exe 1 11->16         started        18 timeout.exe 1 11->18         started        20 timeout.exe 1 11->20         started        24 21 other processes 11->24 22 vssadmin.exe 1 14->22         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1/
Threat name:
Win32.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 05:39:05 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rd3visrjulhlc5nbgxm7uiq4x7j6rry7glowwcjzs4l7qxvjv7iq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
ransomware spyware stealer upx
Link:
https://tria.ge/reports/210703-85gjwhwh3x/
Behaviour
Delays execution with timeout.exe
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Drops file in Drivers directory
Modifies extensions of user files
Deletes shadow copies
Unpacked files
SH256 hash:
2f7d37c22e6199d1496f307c676223dda999c136ece4f2748975169b4a48afe5
MD5 hash:
f49a50f9867fa2be206aef078d2240f3
SHA1 hash:
1cc80ad88a022c429f8285d871f48529c6484734
Link:
https://www.unpac.me/results/449d1357-995c-4aaf-9206-2dce52b2a1e9/
SH256 hash:
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
MD5 hash:
2f9fc82898d718f2abe99c4a6fa79e69
SHA1 hash:
9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
Link:
https://www.unpac.me/results/449d1357-995c-4aaf-9206-2dce52b2a1e9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/88f7544a29a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/Malwaredev/status/1411297287523946500

Comments