MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9
SHA3-384 hash: 9b9a49db9bde7a8458ef2910b7d53f104f032d3a323314a0fd07b1c41cf9a6ee3fb8e9dcc276ad14312342aa6a5ee5f5
SHA1 hash: 5abf04488e54260fc818edd1d5dc14fc6be26e65
MD5 hash: b14bc6b94c1d7a9e7ca44e6f6663b0ab
humanhash: mountain-maine-item-alabama
File name: 91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9
File size: 1'149'952 bytes
First seen: 2021-08-30 06:24:18 UTC
Last seen: 2023-04-17 12:44:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 095c27572f34b850f020a7b3af74aa0a
ssdeep: 24576:roxzn3auuUz/miymCEr9zVWUyJXfEq964HFhXaU55pK+8rBSL:wzqu9m3mD9zVWjfCGFb55pK+8rwL
Threatray: 10 similar samples on MalwareBazaar
TLSH: T149359D30B682D073E5A101F04FB8EAAA567DF9255F3546DBA3E40B2E39305D24E32E57
Reporter: JAMESWT_WT
Tags: exe

Intelligence


File Origin
# of uploads: 4
# of downloads: 101
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9
Verdict: Malicious activity
Analysis date: 2021-08-30 07:06:28 UTC
Tags: evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file
Creating a process from a recently created file
Creating a window
Creating a process with a hidden window
DNS request
Creating a file in the Windows directory
Launching a service
Sending a UDP request
Launching the process to change network settings
Launching the process to change the firewall settings
Changing a file
Modifying an executable file
Replacing files
Deleting volume shadow copies
Blocking the User Account Control
Enabling autorun for a service
Launching a tool to kill processes
Creating a file in the mass storage device
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Encrypting user's files
Result
Threat name: FilesRecoverEN RanzyLocker
Detection: malicious
Classification: rans.spre.troj.adwa.evad
Score: 100 / 100
Signature
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Disables the windows firewall (over ALG)
Drops executable to a common third party application directory
Drops PE files to the startup folder
Infects executable files (exe, dll, sys, html)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: WScript or CScript Dropper
Uses netsh to modify the Windows network and firewall settings
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected FilesRecoverEN Ransomware
Yara detected RansomwareGeneric
Yara detected RanzyLocker Ransomware
Behaviour
Behavior Graph: ID 474467 (Sample: OcEyzBswGm, Startdate: 31/08/2021, Architecture: WINDOWS, Score: 100). The rendered process graph is not reproduced here; nodes of note were the dropped files C:\Users\user\AppData\...\Desktopini.exe, C:\$Recycle.Bin\RCRU_64.exe and C:\Windows\Pagesfilo.sys, and nslookup.exe queries to resolver1.opendns.com, myip.opendns.com and 222.222.67.208.in-addr.arpa.
Threat name: Win32.Trojan.DelShad
Status: Malicious
First seen: 2021-08-29 22:43:05 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 14 of 46 (30.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence ransomware trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Gathers system information
Interacts with shadow copies
Kills process with taskkill
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Drops startup file
Modifies Windows Firewall
Deletes shadow copies
UAC bypass
Unpacked files
SHA256 hash: 38f803929f3400537abce3adb27fb360a562bb58ef6fef5670d8eda1af042cb9
MD5 hash: 901ae11d5e7648350343469a92fad606
SHA1 hash: 29ba6d7d33c1b73033258f5c353e6f3077c45109
SHA256 hash: f8e26489c2a65a2415463d3858121f62a5b3bde0abc70892ed9a330bd0576cef
MD5 hash: 9f72ac7e9a7d1a06a2f49a8776e69650
SHA1 hash: 64b46793c6ad6ddd7c8dd461d650265a2e956d19
SHA256 hash: 91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9
MD5 hash: b14bc6b94c1d7a9e7ca44e6f6663b0ab
SHA1 hash: 5abf04488e54260fc818edd1d5dc14fc6be26e65
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: detects command variations typically used by ransomware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments