MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98e3304a43402227458a979aad31e2ec1543c0c5d58c118d0a8fa8c70cc78d74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 98e3304a43402227458a979aad31e2ec1543c0c5d58c118d0a8fa8c70cc78d74
SHA3-384 hash: 592f7edaa738e0fc325d6b89b6d66cfc822c1ab89f621bf4e3c309fb39effb2fd98886d09be7e5ae3234cf7376f42103
SHA1 hash: 9b28d1e6cbff6b1397712a49c540b2ef999d78bc
MD5 hash: f6587e051ff9bf2e20825470ae5b3775
humanhash: april-friend-music-table
File name: 98e3304a43402227458a979aad31e2ec1543c0c5d58c118d0a8fa8c70cc78d74
File size: 395'776 bytes
First seen: 2021-04-11 11:20:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep: 6144:xzBkLL2NTBZ56KR7Krw77d6nJqaOtxrMtTZ2W5loDNYPcOvZ1JtqRhMXDFt:xKyNTn5607KrwVMjq1q9j5loJzcFt1t
Threatray: 47 similar samples on MalwareBazaar
TLSH: 6884B0E375B442FADCF90A721EE2772572B4286C86D35987E7ED26354270E80162C3BD
Reporter: fbgwls245
Tags: Onim Ransomware

Intelligence

File Origin
# of uploads: 1
# of downloads: 261
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1.exe
Verdict: Malicious activity
Analysis date: 2021-03-21 14:13:45 UTC
Tags: ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Moving a file to the Windows subdirectory
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a file
Sending a UDP request
Deleting volume shadow copies
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.spyw.evad
Score: 88 / 100
Signature
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (overwrites its own PE header)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc.)
Threat name: Win32.Trojan.DelShad
Status: Malicious
First seen: 2021-03-21 02:01:07 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: ransomware spyware stealer
Behaviour
Interacts with shadow copies
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Reads user/profile data of web browsers
Deletes backup catalog
Drops file in Drivers directory
Executes dropped EXE
Deletes shadow copies
Unpacked files
SHA256 hash: 6c09ab70a94f88c57746c93c72aff764db9013ec5298b0a7de093a254d8209b0
MD5 hash: 133672b444325c9c7c06949ff9da5f72
SHA1 hash: 58e0edf986d37c0c4a1ffc5e51293ff38e55263e

SHA256 hash: 98e3304a43402227458a979aad31e2ec1543c0c5d58c118d0a8fa8c70cc78d74
MD5 hash: f6587e051ff9bf2e20825470ae5b3775
SHA1 hash: 9b28d1e6cbff6b1397712a49c540b2ef999d78bc
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments