MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fe741671e4f7eff22dead5393a4fcfa06c7ee683649ea352a4787240b7c7a77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fe741671e4f7eff22dead5393a4fcfa06c7ee683649ea352a4787240b7c7a77
SHA3-384 hash: fa8e349ffb2e9530e6b0104476a3482520cf26f1005914d1155dec07c5fa71173026716fbbc22a25067c624114a75f22
SHA1 hash: e7f1427dd4e041ff5fa4111097b8fec3a5ccb300
MD5 hash: 967a74427ba55b5c20417975bff6b253
humanhash: north-diet-uniform-purple
File name:967a7442_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:769'024 bytes
First seen:2021-05-05 10:08:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a79e201072e4d77215f367bd43048e71 (1 x VirLock)
ssdeep 12288:CCbL+ZOyhB4VhtqhAv8M6bKt14UgzB7HPblhsIUaW1uBfI1QBZgBZ/cnBlxtmLTm:TWoyD4Vhtqihv14h5YwZgBZ/cnB9oTm
Threatray 208 similar samples on MalwareBazaar
TLSH 9BF49D0AF65E64B6FE14F02C41A6A23E13D398E3757286704EC9EEF27E2A51B135C507
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150379/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6804475-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
DNS request
Launching a service
Sending a UDP request
Creating a file in the Windows subdirectories
Searching for the window
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711787
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to check if Internet connection is working
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates an undocumented autostart registry key
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404817 Sample: 967a7442_by_Libranalysis Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Machine Learning detection for sample 2->68 8 967a7442_by_Libranalysis.exe 3 13 2->8         started        12 AIAYYYUQ.exe 4 2->12         started        14 svchost.exe 2->14         started        16 12 other processes 2->16 process3 dnsIp4 52 C:\Users\user\nQIQQUkU\yYMwUkco.exe, PE32 8->52 dropped 54 C:\Users\user\AppData\Local\Temp\cpush.exe, PE32 8->54 dropped 56 C:\ProgramData\sGYwIoMQ\RSYoQQEk.exe, PE32 8->56 dropped 58 C:\ProgramData\QskcMAwY\AIAYYYUQ.exe, PE32 8->58 dropped 84 Creates an undocumented autostart registry key 8->84 86 Uses cmd line tools excessively to alter registry or file data 8->86 88 Tries to detect virtualization through RDTSC time measurements 8->88 90 Delayed program exit found 8->90 19 yYMwUkco.exe 14 8->19         started        22 RSYoQQEk.exe 20 8->22         started        24 cmd.exe 1 8->24         started        30 3 other processes 8->30 92 Antivirus detection for dropped file 12->92 94 Machine Learning detection for dropped file 12->94 96 Changes security center settings (notifications, updates, antivirus, firewall) 14->96 60 127.0.0.1 unknown unknown 16->60 26 WerFault.exe 16->26         started        28 WerFault.exe 16->28         started        file5 signatures6 process7 signatures8 70 Antivirus detection for dropped file 19->70 72 Contains functionality to check if Internet connection is working 19->72 74 Machine Learning detection for dropped file 19->74 80 3 other signatures 19->80 32 WerFault.exe 19->32         started        76 Injects code into the Windows Explorer (explorer.exe) 22->76 78 Tries to detect virtualization through RDTSC time measurements 22->78 34 yYMwUkco.exe 22->34         started        37 explorer.exe 22->37         started        39 cpush.exe 2 24->39         started        42 conhost.exe 24->42         started        44 conhost.exe 30->44         started        46 conhost.exe 30->46         started        48 conhost.exe 30->48         started        process9 dnsIp10 62 192.168.2.1 unknown unknown 34->62 50 WerFault.exe 34->50         started        82 Detected unpacking (overwrites its own PE header) 39->82 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fe741671e4f7eff22dead5393a4fcfa06c7ee683649ea352a4787240b7c7a77/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 10:08:31 UTC
AV detection:
44 of 47 (93.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2730acfa6d41e164c1fe6ba4fb7f9e41b21a5ea42a646652e1d177b2d9f3af5d
VirLock
4f1d30e1092cefc4d31aa257617389dd4498022a51a4766524afe22511f9dfa7
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
7b835cb8bff0857c7f074a631cea1042e106dc68cfa0c83f1bac76108b9b5eea
VirLock
8ee51302e53d652b2c2e5683e9810240bdc903b19b2e3b1aae712d123405e4d0
VirLock
945da374aa24db6d86272bb31e620187897c113bfe9104fb29f0fdc6c77077ac
VirLock
e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
VirLock
ebd15c59cc12d2386b4c839280d0a344b3503dddc64a59ce0d5f019f9bb019cd
VirLock
f0b048899e1db668a59710a885f57d180f26294428d7e3b3b61776385229c7a6
VirLock
ffba1f9ea3ffde1803a9fa84158c9768f9b6a2b017a05687457cb0f4680c5cca
VirLock
+ 198 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-ajm8gh5e5a/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
729d140140c3af5b46031f1a7652b159b08721afa80776f17afe73633800afc1
MD5 hash:
f848a48532cbc478c15234e75fc08e16
SHA1 hash:
3a49dc206a31770853e8307cc7d5b9cbe5739dcb
Link:
https://www.unpac.me/results/ed703e4c-d92c-4e73-abf8-de1f52c5fccf/
SH256 hash:
9d47a45d98ab187609c71cc4804be1878fdb69f64ddb43f7d2442cfa7294b56f
MD5 hash:
59b58fff1ee3923585c0e9b821f02ad3
SHA1 hash:
35e3505bf7ceb01eb2b5dd6f46550bfeae2fe136
Link:
https://www.unpac.me/results/ed703e4c-d92c-4e73-abf8-de1f52c5fccf/
SH256 hash:
fbd2d5454988af9d8571ddc67662436cf686ef60edf80bd98c4a298fe2523ae6
MD5 hash:
cfd20073c1d26ce721c03265c4c999ba
SHA1 hash:
2202c39983e7da21bac7ef55d2cb4fa21730c9dd
Link:
https://www.unpac.me/results/ed703e4c-d92c-4e73-abf8-de1f52c5fccf/
SH256 hash:
8fe741671e4f7eff22dead5393a4fcfa06c7ee683649ea352a4787240b7c7a77
MD5 hash:
967a74427ba55b5c20417975bff6b253
SHA1 hash:
e7f1427dd4e041ff5fa4111097b8fec3a5ccb300
Link:
https://www.unpac.me/results/ed703e4c-d92c-4e73-abf8-de1f52c5fccf/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150379/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 11:16:28 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash