MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WannaCry


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
SHA3-384 hash: 286ca7c93f2c6256d9a6e466309fe6194616627c44fdbe09214f4bebb2de563b56f1691299ea978122dbc90df0c84014
SHA1 hash: 5c64d92015518d307b5e5856bc4e4ced71a08c2b
MD5 hash: f4467cf9b7f5c536f0766ac2851b53b7
humanhash: orange-oscar-robin-helium
File name:f4467cf9b7f5c536f0766ac2851b53b7
Download: download sample
Signature WannaCry
Create hunting rule
File size:5'267'459 bytes
First seen:2025-01-15 16:45:48 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2e5708ae5fed0403e8117c645fb23e5b (1'108 x WannaCry, 7 x Worm.Virut, 2 x Expiro)
ssdeep 24576:RbLgurihdmMSirYbcMNgef0QeQjG/D8kIqRYo:RnnMSPbcBVQej/1
Threatray 1'057 similar samples on MalwareBazaar
TLSH T1E536239A75AC51F8C2163770A4778E26E1B73C6D21BA9B0F9B808A321C03B55FB54F53
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter mentality
Tags:dll exe WannaCry

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
Win.Ransomware.Wanna-9769986-0
Create hunting rule

Win.Ransomware.Wanacryptor-9942127-1
Create hunting rule

Win.Ransomware.WannaCry-10011460-0
Create hunting rule

Win.Ransomware.WannaCry-6313787-0
Create hunting rule

Win.Malware.Djwy-6775897-0
Create hunting rule

Win.Ransomware.Wanna-6888027-0
Create hunting rule

Win.Ransomware.Wanna-6888334-0
Create hunting rule

Win.Malware.Djwy-6923377-0
Create hunting rule

Win.Exploit.Doublepulsar-7427328-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6787e64a4487910100df59cc
Tags:
ransomware shellcode virus madi
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd crypto crypto lolbin microsoft_visual_cc overlay ransomware smb threat wanna wannacry wannacryptor
Link:
https://www.filescan.io/uploads/6787e64da8210c4ace643962/reports/38a6a1ff-8ede-482a-b463-98aee4a68e03/overview
Verdict:
Malicious
Labled as:
CVE-2017-0147
Link:
https://www.hybrid-analysis.com/sample/89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/364c0ff8-eb45-4ec5-85c9-474df5ba76e9
Result
Threat name:
Wannacry
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1592051
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592051 Sample: f5mfkHLLVe.dll Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 36 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 2->36 38 ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 2->38 40 77026.bodis.com 2->40 48 Suricata IDS alerts for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 7 other signatures 2->54 9 loaddll32.exe 1 2->9         started        11 mssecsvr.exe 12 2->11         started        signatures3 process4 dnsIp5 15 rundll32.exe 9->15         started        18 cmd.exe 1 9->18         started        20 conhost.exe 9->20         started        22 rundll32.exe 1 9->22         started        42 192.168.2.102 unknown unknown 11->42 44 192.168.2.103 unknown unknown 11->44 46 98 other IPs or domains 11->46 56 Connects to many different private IPs via SMB (likely to spread or exploit) 11->56 58 Connects to many different private IPs (likely to spread or exploit) 11->58 signatures6 process7 signatures8 60 Drops executables to the windows directory (C:\Windows) and starts them 15->60 24 mssecsvr.exe 13 15->24         started        27 rundll32.exe 18->27         started        process9 file10 32 C:\WINDOWS\qeriuwjhrf (copy), PE32 24->32 dropped 29 mssecsvr.exe 13 27->29         started        process11 file12 34 C:\Windows\tasksche.exe, PE32 29->34 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2017-12-21 12:20:08 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhyncgk56t7uf4gq753smr2lfllkcnoly6hskx7ytmmzanczxrtq._file
Verdict:
malicious
Label(s):
wannacryptor
Create hunting rule
Similar samples:
016b40a769d4d34da8cdf3bf08a166c3243b659c31c152d3c0899993a7aa8f07
WannaCry
0ca55fe01cf52696f424100ee6de4e8dd262ce1c83257d22bc3edc42c30fb944
WannaCry
0f1516a8c0600c59defcf96c87c27de6a81e732ecb2f64b5e48904c31ab2cbb2
WannaCry
3befcb73c9497db265428aa3dc0b0692fa5722344d4a772b25973e244b085266
WannaCry
499e277bcb0c1712223fe211751a00e56a9ab6580e96e27128877615aca811cb
WannaCry
540749acd2da3530292fed430ee05bd8752bd4f40499b987da31a24e67959352
WannaCry
8b51945ada866301cd583744f4363bbeac1b7ec84ee78c0135824a2dc57f7244
WannaCry
9782298315b127534cfb24720e76e4cc946f71a72126da11f9bcb738b94d6b49
WannaCry
b10225bfe75854f01b5f9aea098c2fde6f5fdc543f2a81aadafe389ae9a1dc94
WannaCry
f2cf2c68920d3812d76104aa8388cfa07934c53a39e8f48e098a282ddccbfbcf
WannaCry
+ 1'047 additional samples on MalwareBazaar
Result
Malware family:
wannacry
Create hunting rule
Score:
  10/10
Tags:
family:wannacry discovery ransomware worm
Link:
https://tria.ge/reports/250115-t9yayaylas/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Creates a large amount of network flows
Executes dropped EXE
Contacts a large (3196) amount of remote hosts
Wannacry
Wannacry family
Unpacked files
SH256 hash:
0148dbfdc337ff5e2336d30ff70a7773654d4ee35abae07cb1fbf8e535bc1880
MD5 hash:
c7d08f76b56c9c49cecd83e3ab46c0de
SHA1 hash:
5e96b2a29fc1e813529d8bbd87f744afbca2134e
Detections:
WannaCry
Create hunting rule
ransomware_windows_wannacry
Create hunting rule
WannaCry_Ransomware
Create hunting rule
Link:
https://www.unpac.me/results/669fa160-0441-43f7-9439-546046eec19b/
Parent samples :
62c9a15ea404a7c537028bcabcb5753c0e6c535981c38eef417e6db0611f3eb7
8d0c9d2e438f33dd7806ed8017baa1f114b6157f9f0eb1fb5d3b59351609120c
c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
1fc5e4c8809b39d79324848bceac749000ea572d050c81275ae3053a83ba7d12
40916f54c402abf22b13fa86ffc65a9a88ebc005ab10421fcdd39d9750e75b8d
2bfb9742d15e8c2d1e01defd46d2f09e1d758e68e49a7c1c5dc1a4557b311c7d
SH256 hash:
171351416d41d63e9273e1e841c4fe26ddff18ee08b0fa1171fdf6323d259446
MD5 hash:
d8dd1b7fc91796806acb27752e394289
SHA1 hash:
975e9304979a27acf1b9f67f52327fb6811921d5
Detections:
WannaCry
Create hunting rule
ransomware_windows_wannacry
Create hunting rule
WannaCry_Ransomware
Create hunting rule
WannaCry_Ransomware_Gen
Create hunting rule
Link:
https://www.unpac.me/results/669fa160-0441-43f7-9439-546046eec19b/
SH256 hash:
89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
MD5 hash:
f4467cf9b7f5c536f0766ac2851b53b7
SHA1 hash:
5c64d92015518d307b5e5856bc4e4ced71a08c2b
Detections:
WannaCry
Create hunting rule
Link:
https://www.unpac.me/results/669fa160-0441-43f7-9439-546046eec19b/
Malware family:
WannaCry
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/89f0d1195df4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:WannaCry_Ransomware
Create hunting rule
Author:Florian Roth (Nextron Systems) (with the help of binar.ly)
Description:Detects WannaCry Ransomware
Reference:https://goo.gl/HG2j5T

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments