MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6
SHA3-384 hash: 892559d7a8e6a2fe6e93939ebec12a062e9f4f616aa114918c86c85778498e65abbb1e6e51ba594aebb8751caa55bf50
SHA1 hash: e467f2bc6f01f2a13effaf8f6283d616ccf40e2e
MD5 hash: e26982b170856ca8ca96a2f41b2306fb
humanhash: emma-robert-red-orange
File name:SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043
Download: download sample
File size:448'000 bytes
First seen:2020-08-27 18:32:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cbd1e401ab8e2d37b0662881c06d3eef
ssdeep 6144:4PKaiNEsC9FldnKUuQYG5lFq++hSRplvIpgis7FahUEW1F:4POCFldnHKdhSRpl8s7ghG
Threatray 14 similar samples on MalwareBazaar
TLSH 0F948D24B336C507E36E47B4A2A74B382EBB95C87AB4544751B23F1D3DBB3C9792A500
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51863/
Detection(s):
SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Deleting of the original file
Result
Threat name:
Zeppelin
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/452957
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates files in the recycle bin to hide itself
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops a file containing file decryption instructions (likely related to ransomware)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Delete shadow copy via WMIC
Sigma detected: System File Execution Location Anomaly
Sigma detected: WannaCry Ransomware
Uses bcdedit to modify the Windows boot settings
Writes to foreign memory regions
Yara detected Ransomware_Generic
Yara detected Zeppelin Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 278848 Sample: SecuriteInfo.com.Generic.mg... Startdate: 27/08/2020 Architecture: WINDOWS Score: 100 79 Sigma detected: WannaCry Ransomware 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 85 10 other signatures 2->85 8 SecuriteInfo.com.Generic.mg.e26982b170856ca8.exe 2 18 2->8         started        13 csrss.exe 15 2->13         started        15 csrss.exe 15 2->15         started        process3 dnsIp4 69 www.geodatatool.com 158.69.65.151, 443, 49713, 49714 OVHFR Canada 8->69 71 192.168.2.1 unknown unknown 8->71 73 geoiptool.com 8->73 59 C:\Users\user\AppData\Roaming\...\csrss.exe, PE32 8->59 dropped 61 C:\Users\user\...\csrss.exe:Zone.Identifier, ASCII 8->61 dropped 107 Detected unpacking (changes PE section rights) 8->107 109 Detected unpacking (overwrites its own PE header) 8->109 111 Contains functionality to inject threads in other processes 8->111 113 4 other signatures 8->113 17 csrss.exe 4 16 8->17         started        21 notepad.exe 8->21         started        75 geoiptool.com 13->75 77 geoiptool.com 15->77 file5 signatures6 process7 dnsIp8 63 iplogger.org 88.99.66.31, 443, 49731, 49732 HETZNER-ASDE Germany 17->63 65 www.geodatatool.com 17->65 67 geoiptool.com 17->67 87 Antivirus detection for dropped file 17->87 89 Multi AV Scanner detection for dropped file 17->89 91 Detected unpacking (changes PE section rights) 17->91 95 5 other signatures 17->95 23 csrss.exe 22 17->23         started        27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        31 4 other processes 17->31 93 Deletes itself after installation 21->93 signatures9 process10 file11 51 C:\Users\user\Desktop\...\PWCCAWLGRE.xlsx, data 23->51 dropped 53 C:\Users\user\Desktop\...\PIVFAGEAAV.xlsx, data 23->53 dropped 55 C:\Users\user\Desktop\PIVFAGEAAV.docx, data 23->55 dropped 57 2 other malicious files 23->57 dropped 97 Creates files in the recycle bin to hide itself 23->97 99 Drops a file containing file decryption instructions (likely related to ransomware) 23->99 101 May encrypt documents and pictures (Ransomware) 23->101 103 Modifies existing user documents (likely ransomware behavior) 23->103 105 Deletes shadow drive data (may be related to ransomware) 27->105 33 conhost.exe 27->33         started        35 WMIC.exe 27->35         started        37 vssadmin.exe 27->37         started        39 WMIC.exe 1 29->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 31->45         started        47 conhost.exe 31->47         started        49 2 other processes 31->49 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2020-08-27 15:52:05 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0f6e1a84d618af64ce5864d7b7a0d946439b3f82efa34f994cb420dc3d11fb71
15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50
2daee8093a5e8dcd35e17c353a86b6969d09e5d75509f0184d5477cf87260f92
40e665c7875b98b0f5f5225666c6502616aa64f22c8e6d6d012c606b092e0b53
56e2a716ae6fc8ed5c93d57954d0cbeedd5eb47baa263e1bf2d7c29003d08dfd
6ad7afd41c395e87314488f1aeb47244de899abb289feba16c9ffbde7f55f15e
74976d37d3e53fc66a54b5b8010969340da5099c200e75e7c5b20f41e06a4a57
7f12ab6909f7a932ee097634ab529b1e2c1f07534097785c90ff03eb9671e784
8b49bc1afd15dcc2bcc23b7637d58aca9a17b5b8a9e66ebdd109200fda384f0e
f893e2e5b6cb171f4cbe389fa1ce8565a12c01da43c997d8439af8f4a41af668
+ 4 additional samples on MalwareBazaar
Result
Malware family:
buran
Create hunting rule
Score:
  10/10
Tags:
ransomware persistence family:buran
Link:
https://tria.ge/reports/200827-5bhw2szgs6/
Behaviour
Interacts with shadow copies
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Modifies service
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Executes dropped EXE
Deletes shadow copies
Buran
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/51863/
  
URLhaus
https://urlhaus.abuse.ch/url/445259/
  
Delivery method
Distributed via web download

Comments