MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 5

SHA256 hash: 94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c
SHA3-384 hash: 8a8c3b247e41cfa4edcb0d1cb0aff1ae98ee060b6e81325b1a87f567910909f2e89fd029b94f6027fcc5baef81be572c
SHA1 hash: 2b44afeb746cef483929fb04f15479083ce71323
MD5 hash: 34f8228a3f12fa9542f1a4181f96edec
humanhash: north-high-sodium-delta
File name: 94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c
Download: download sample
File size: 329'552 bytes
First seen: 2020-11-24 12:47:28 UTC
Last seen: 2020-11-25 06:38:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a8d43cec47e770a2c5a02d48e7360c87
ssdeep: 6144:AAwkhugyWtbAL+eyVxw4WBh4grxdkCO0TNCeA/Ge86K:AARugyi8+eybw4WC0MJ/K
Threatray: 6 similar samples on MalwareBazaar
TLSH: 6A64CF2132D1C433E8B311FE9599C7699AA278309B65988737D50FED5A382E2D73270B
Reporter: JAMESWT_WT
Tags: Insta Software Solution Inc., Ransomware, signed

Code Signing Certificate

Organisation: AAA Certificate Services
Issuer: AAA Certificate Services
Algorithm: sha1WithRSAEncryption
Valid from: Jan 1 00:00:00 2004 GMT
Valid to: Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 383 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 204
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 72 / 100
Signature:
Contains functionality to clear event logs
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Found Tor onion address
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour:
Behavior Graph ID 322090 (sample UrC8OHHpeu.exe, start date 24/11/2020, architecture WINDOWS, score 72). [Graph image not reproduced here; it shows the signatures listed above and a process tree in which UrC8OHHpeu.exe and cmd.exe instances start sc.exe, vssadmin.exe and conhost.exe, VSSVC.exe is also started, and a network node 192.168.2.1 is contacted.]

Result
Threat name: Win32.Ransomware.HydraCrypt
Status: Malicious
First seen: 2020-11-02 02:18:34 UTC
File Type: PE (Exe)
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files:
SHA256 hash: 94b76ce34e5493bb59586b41f41b23baa07a55f2397e80775573714b1311103c
MD5 hash: 34f8228a3f12fa9542f1a4181f96edec
SHA1 hash: 2b44afeb746cef483929fb04f15479083ce71323
SHA256 hash: 90befa0ff645e3d333fd21a91d9837d797adbd8e30bd9fcc10c3ae1c5d6df00d
MD5 hash: ba481e3dd59fe6f093e8f9c2dc1a82ee
SHA1 hash: a34f7eebf9d028c6a78e9c3260cfa32563685b83
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments