MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f68531d649862e8772e2237d258f607cc7636af5ec5a8ba91e1009b46ea0832. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f68531d649862e8772e2237d258f607cc7636af5ec5a8ba91e1009b46ea0832
SHA3-384 hash: b640afa8884dce247d39867cdc50c6b413a2d0538ae85bfa2c9364c13e3d116faf7d1e304105cd7d47987450321636d1
SHA1 hash: 0ff040a5cb9d5f57fcffb01ed5b60fecce21b283
MD5 hash: f190ca8fa0b8cd1e4ce7a94b2adc3fac
humanhash: three-earth-oxygen-louisiana
File name:Nude-Photos.png.exe
Download: download sample
File size:1'205'511 bytes
First seen:2022-02-23 06:27:17 UTC
Last seen:2022-02-23 08:11:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:jW6VXRh80bJ/wT3UlNyuQBAdzyoFqX73eFvXx36F6XRoC7BFOXnj2ejil:i6ftoTkSuQGyoFqr3eFvsF6BflFOlK
Threatray 6'575 similar samples on MalwareBazaar
TLSH T19545F213ED5456F1FC315835140A16836FA9B6378BA0ABABB3D8893B5CF4120D227E77
File icon (PE):PE icon
dhash icon 8d8d99351b9b9595
Reporter adm1n_usa32
Tags:exe


Avatar
adm1n_usa32
fake ransomware???

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nude-Photos.png.exe
Verdict:
Malicious activity
Analysis date:
2022-02-23 06:25:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3cb34584-bb57-4382-afea-25425e73351b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243544/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.29639.11151.20467.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Moving a file to the %temp% directory
Searching for the window
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7066/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/6215d3f6a2660f3bb92cf6d8/reports/bb98ffff-558f-4a75-9728-9ee21dce5613/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/662bd5e9-8a72-4675-9ce9-2d38adfb6dc5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.adwa.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/944482
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
Drops PE files to the startup folder
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576960 Sample: Nude-Photos.png.exe Startdate: 23/02/2022 Architecture: WINDOWS Score: 66 122 Antivirus detection for URL or domain 2->122 124 Multi AV Scanner detection for dropped file 2->124 126 Multi AV Scanner detection for submitted file 2->126 128 3 other signatures 2->128 11 Nude-Photos.png.exe 1 12 2->11         started        14 dell.exe 2->14         started        16 windowss.exe 2->16         started        process3 file4 104 C:\Users\user\AppData\Local\...\windowss.exe, PE32 11->104 dropped 106 C:\Users\user\AppData\Local\Temp\windll.exe, PE32 11->106 dropped 108 C:\Users\user\AppData\Local\Temp\open.exe, PE32 11->108 dropped 110 C:\Users\user\AppData\Local\Temp\dell.exe, PE32 11->110 dropped 18 cmd.exe 5 11->18         started        22 windll.exe 5 9 11->22         started        24 windowss.exe 9 11->24         started        30 2 other processes 11->30 26 wscript.exe 14->26         started        28 notepad.exe 14->28         started        process5 file6 82 C:\Users\user\AppData\...\windowss.exe, PE32 18->82 dropped 84 C:\Users\user\AppData\Roaming\...\windll.exe, PE32 18->84 dropped 86 C:\Users\user\AppData\Roaming\...\open.exe, PE32 18->86 dropped 88 C:\Users\user\AppData\Roaming\...\dell.exe, PE32 18->88 dropped 130 Drops PE files to the startup folder 18->130 32 conhost.exe 18->32         started        90 C:\Users\user\AppData\Local\Temp\windll.VBS, ASCII 22->90 dropped 132 Multi AV Scanner detection for dropped file 22->132 34 wscript.exe 1 22->34         started        36 notepad.exe 22->36         started        38 wscript.exe 24->38         started        40 notepad.exe 24->40         started        92 C:\Users\user\AppData\Local\Temp\Readme.txt, ISO-8859 30->92 dropped 134 Writes a notice file (html or txt) to demand a ransom 30->134 42 wscript.exe 30->42         started        44 wscript.exe 30->44         started        46 notepad.exe 30->46         started        48 notepad.exe 30->48         started        signatures7 process8 process9 50 cmd.exe 34->50         started        54 cmd.exe 38->54         started        56 cmd.exe 42->56         started        58 cmd.exe 44->58         started        file10 94 C:\Users\user\AppData\Local\Temp\launch.vbs, ASCII 50->94 dropped 136 Command shell drops VBS files 50->136 60 wscript.exe 50->60         started        62 conhost.exe 50->62         started        96 C:\Users\...\Locked_25.Locked_fille (copy), PE32 54->96 dropped 98 C:\Users\...\Locked_24.Locked_fille (copy), PE32 54->98 dropped 100 C:\Users\...\Locked_23.Locked_fille (copy), PE32 54->100 dropped 102 C:\Users\...\Locked_22.Locked_fille (copy), PE32 54->102 dropped 64 conhost.exe 54->64         started        66 cmd.exe 54->66         started        68 chrome.exe 56->68         started        71 conhost.exe 56->71         started        73 conhost.exe 58->73         started        signatures11 process12 dnsIp13 75 cmd.exe 60->75         started        112 192.168.2.1 unknown unknown 68->112 114 239.255.255.250 unknown Reserved 68->114 77 chrome.exe 68->77         started        process14 dnsIp15 80 conhost.exe 75->80         started        116 buybitcoin.ooguy.com 45.81.224.127, 49760, 49761, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 77->116 118 unlock.camdvr.org 185.212.130.27, 49763, 80 INTERNET-ITNL Germany 77->118 120 6 other IPs or domains 77->120 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f68531d649862e8772e2237d258f607cc7636af5ec5a8ba91e1009b46ea0832/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-02-10 19:56:27 UTC
File Type:
PE (Exe)
Extracted files:
91
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1aca49752cef2bb58d097e0ac96963e32f14e4e6b1e6e24e11125d1e9ef54cf2
4081406d27f30f1dd68fca09d23aa9db54af4ea4fccfa3c486c5aa31ff772054
6ec6d3425cc3bdc664f5938119469a2947ad061dac33fafbd303998c9311a254
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
a78b5e96e936a31fcb952db9eb67412582ce33dd95db11ff97902320de0dec59
b5c7fbd5e805b6f1a9796c041be4f9829d2157e5b59a6608871511d045b8d79c
d4972e632408d130ac20c21fff113636a07cee0fbb133c713222167e37a661a0
+ 6'565 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/220223-g8cavshba6/
Behaviour
Enumerates system info in registry
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
8f68531d649862e8772e2237d258f607cc7636af5ec5a8ba91e1009b46ea0832
MD5 hash:
f190ca8fa0b8cd1e4ce7a94b2adc3fac
SHA1 hash:
0ff040a5cb9d5f57fcffb01ed5b60fecce21b283
Link:
https://www.unpac.me/results/ab5b7a89-943c-4aa2-b2d3-bcab89828f79/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f68531d649862e8772e2237d258f607cc7636af5ec5a8ba91e1009b46ea0832

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8f68531d649862e8772e2237d258f607cc7636af5ec5a8ba91e1009b46ea0832

(this sample)

anyrun
any.run
https://app.any.run/tasks/3cb34584-bb57-4382-afea-25425e73351b
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/243544/

Comments