MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c6e62cd0eaae55ac50dbcab7eedf60547f47d0126bf6ac96010f7f07c300bb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c6e62cd0eaae55ac50dbcab7eedf60547f47d0126bf6ac96010f7f07c300bb0
SHA3-384 hash: d596538b6b0524f25dfc64b81067ec3933a043b8dc40b1e730886c2939aff81dfc3905a0a7a768dd7232ff244f7c4c54
SHA1 hash: 2b50681663bedaa1c8974a38fdbb4858c1020423
MD5 hash: ed23e753bb7838c9de72638b7c42672d
humanhash: green-salami-william-magnesium
File name:ed23e753_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:1'723'392 bytes
First seen:2021-05-05 09:08:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 573e4eede19b9aa8c429e2dcc91fc648 (1 x VirLock)
ssdeep 24576:hERITdnSNXYdonC1P2zicLNuaZNc15D6ULjbY05Rb9sswJdqBuC:TdnSGuSP4JK/L3bYknW6BuC
Threatray 154 similar samples on MalwareBazaar
TLSH EE85F1C1DA5C758FD9AC55BAB2401518E8428EB09DEBAF80AEDEE44D7133B487F0F911
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150224/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6803820-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a service
Launching a service
Creating a file in the Windows subdirectories
DNS request
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.spre
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711741
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to automate explorer (e.g. start an application)
Creates an undocumented autostart registry key
Delayed program exit found
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404797 Sample: ed23e753_by_Libranalysis.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 2 other signatures 2->59 7 ed23e753_by_Libranalysis.exe 3 15 2->7         started        11 LWsAIYQA.exe 4 2->11         started        13 McEgMwkU.exe 10 2->13         started        15 4 other processes 2->15 process3 file4 45 C:\Users\user\eOgUEMUQ\McEgMwkU.exe, PE32 7->45 dropped 47 C:\ProgramData\okMcMgQE\LWsAIYQA.exe, PE32 7->47 dropped 49 C:\ProgramData\MkowMwIc\XcQogswQ.exe, PE32 7->49 dropped 51 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 7->51 dropped 71 Creates an undocumented autostart registry key 7->71 73 Uses cmd line tools excessively to alter registry or file data 7->73 75 Tries to detect virtualization through RDTSC time measurements 7->75 17 McEgMwkU.exe 43 7->17         started        21 XcQogswQ.exe 13 7->21         started        23 cmd.exe 1 7->23         started        25 3 other processes 7->25 77 Antivirus detection for dropped file 11->77 79 Machine Learning detection for dropped file 11->79 81 Delayed program exit found 11->81 signatures5 process6 file7 37 C:\Users\user\Desktop\xQgo.exe, PE32 17->37 dropped 39 C:\Users\user\Desktop\vwQo.exe, PE32 17->39 dropped 41 C:\Users\user\Desktop\qIAm.exe, PE32 17->41 dropped 43 20 other malicious files 17->43 dropped 61 Antivirus detection for dropped file 17->61 63 Machine Learning detection for dropped file 17->63 65 Contains functionality to automate explorer (e.g. start an application) 17->65 69 3 other signatures 17->69 67 Tries to detect virtualization through RDTSC time measurements 21->67 27 setup.exe 1 23->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c6e62cd0eaae55ac50dbcab7eedf60547f47d0126bf6ac96010f7f07c300bb0/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 09:08:20 UTC
AV detection:
45 of 47 (95.74%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74
VirLock
2109fa71b6cb894611ef5d30ce2aac8144eeeca21da28d56ddddca6d79a7561a
VirLock
45fae482574687582244d4310a6f4760477952443e0be052f9d7ef76640cdb3a
VirLock
5dcbbdb1d5a8b47a50a05b2cf13963139075616f4b6de2db2232aa73bde800c1
VirLock
92f33d787077d6ebe2fb62adf935c32d86cc39424bb3ec5eb066224c3e9da5e4
VirLock
9d1077e6f08763e2eda061f1ac773bd7dbe36bb6aa547abe75163dc46de442cd
VirLock
b69aa57f74809a88c35081e066a080f2235608838f5db899f4f888c6ae68da6f
VirLock
b9fb2adfa6f13b218e5fb9eca8a2d82c211a24f772abb27371b679f986752fd4
VirLock
cad9460071ba51cc3da556a9570acf179a3ed457897ba9052c4b039d83e7b732
VirLock
daf476c7cf8ab34bef6a21098167597e091739412d53a2cdf8069e5a338b0ad6
VirLock
+ 144 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-xc2e1lnea2/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
674ee222f2b861c329ff0acac80f3e7f1a2c817ff791e27b3f78a5946f208904
MD5 hash:
4f176bfd330c1d84164e6abe6f7abbdf
SHA1 hash:
2b17feaf36589fc4b723254afe3051c0fe87ec5f
Link:
https://www.unpac.me/results/ad038d6d-cb8a-42e8-a1e4-0a695ffbbd99/
SH256 hash:
77f33eba73ecacafd6a73b31d80919314bcfc5055852769935603d18c24ddbb8
MD5 hash:
e6fc3345cc635272e3bf2c886ebf0358
SHA1 hash:
3af14020300cac53f8fb5179ea205f898f42153e
Link:
https://www.unpac.me/results/ad038d6d-cb8a-42e8-a1e4-0a695ffbbd99/
SH256 hash:
cff0ea1b9444c031d7748b12129c34f91686aa519b15cde9e6b23e99cd9d3263
MD5 hash:
aedb450301c00dc388e160e4f1e38286
SHA1 hash:
575b57387ca540699a1f0cc5d2afd4702d0d4f2e
Link:
https://www.unpac.me/results/ad038d6d-cb8a-42e8-a1e4-0a695ffbbd99/
SH256 hash:
8c6e62cd0eaae55ac50dbcab7eedf60547f47d0126bf6ac96010f7f07c300bb0
MD5 hash:
ed23e753bb7838c9de72638b7c42672d
SHA1 hash:
2b50681663bedaa1c8974a38fdbb4858c1020423
Link:
https://www.unpac.me/results/ad038d6d-cb8a-42e8-a1e4-0a695ffbbd99/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150224/

Comments