MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c857d02af8759783d34e85f94b4f3a61a8ec6bf687b5d80668814025107466f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 8c857d02af8759783d34e85f94b4f3a61a8ec6bf687b5d80668814025107466f
SHA3-384 hash: 3612205a10e2b0eaabb2b754c32e98c2534ea2597cc7e1ad2a3801f4c580b54df357e5abe7988e7dfa7fa650ba54fe7c
SHA1 hash: 68b38ddb943df2f6479a8ecab18c948c58d8c994
MD5 hash: a8ff468a3acc85b3df9832833458f306
humanhash: magazine-snake-cat-may
File name: 8c857d02af8759783d34e85f94b4f3a61a8ec6bf687b5d80668814025107466f
File size: 1'031'680 bytes
First seen: 2021-08-30 06:11:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep: 24576:qnsJ39LyjbJkQFMhmC+6GD9Zf0EAjAx0a:qnsHyjtk2MYC5GDYEAsd
Threatray: 16 similar samples on MalwareBazaar
TLSH: T11A258E22F2D18437D1321A3D9C5BE3B5582ABE512D34794A3BE82E4F7F3968138652D3
dhash icon: ce23f19e9254138e
Reporter: JAMESWT_WT
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 73
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Rasomware2.0.exe
Verdict: Malicious activity
Analysis date: 2021-08-18 23:01:06 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Searching for the window
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
Deleting a recently created file
Changing a file
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Query of malicious DNS domain
Stealing user critical data
Enabling autorun
Encrypting user's files
Malware family: Clay Ransomware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: expl.rans.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the wallpaper picture
Contains functionality to detect sleep reduction / modifications
Contains functionality to disable the Task Manager (.Net Source)
Creates an undocumented autostart registry key
Disables the Windows task manager (taskmgr)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Behaviour
Behavior Graph (node labels recovered from the rendered graph):
Behavior Graph ID: 474634; Sample: pfAtYPbF79.exe; Startdate: 31/08/2021; Architecture: WINDOWS; Score: 100
Processes started: pfAtYPbF79.exe; EXCEL.EXE; Synaptics.exe; ._cache_pfAtYPbF79.exe (started by pfAtYPbF79.exe); Synaptics.exe (started by pfAtYPbF79.exe)
Dropped files: C:\Users\user\...\._cache_pfAtYPbF79.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCXEAA5.tmp (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII); C:\Users\user\DocumentsbehaviorgraphAOBCVIQIJ\~$cache1 (PE32, dropped by Synaptics.exe)
Network: xred.mooo.com (DNS); freedns.afraid.org 50.23.197.95, ports 49706, 80 (SOFTLAYERUS, United States, by Synaptics.exe); docs.google.com 172.217.16.142, ports 443, 49703, 49704 (GOOGLEUS, United States, by Synaptics.exe); 192.168.2.1 (unknown, by EXCEL.EXE)
Graph signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 9 other signatures (sample); Contains functionality to detect sleep reduction / modifications (pfAtYPbF79.exe, Synaptics.exe); Creates an undocumented autostart registry key (._cache_pfAtYPbF79.exe); 2 other signatures (._cache_pfAtYPbF79.exe); Drops PE files to the document folder of the user (Synaptics.exe); Machine Learning detection for dropped file (Synaptics.exe)
Threat name: Win32.Backdoor.DarkComet
Status: Malicious
First seen: 2021-08-21 11:13:24 UTC
File Type: PE (Exe)
Extracted files: 72
AV detection: 42 of 46 (91.30%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion macro persistence ransomware
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Suspicious Office macro
Modifies WinLogon for persistence
Unpacked files
SHA256 hash: 8c857d02af8759783d34e85f94b4f3a61a8ec6bf687b5d80668814025107466f
MD5 hash: a8ff468a3acc85b3df9832833458f306
SHA1 hash: 68b38ddb943df2f6479a8ecab18c948c58d8c994
