MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b
SHA3-384 hash: 121dfb6d83ba2dd4ea1ce9f3a6aa0c531620944cb820332de79e2de745a6f57599b18bd4cc5d16d918a014dbe6ab0a01
SHA1 hash: 39b6c944ed7c0910b6c1425f305aa5c529f62e37
MD5 hash: 5e3d6c7190c6da44298d1a424f48d77a
humanhash: hydrogen-oven-oscar-moon
File name: SecuriteInfo.com.Variant.Barys.7350.27804.5573
File size: 345'600 bytes
First seen: 2020-12-18 19:32:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 6144:1vPJIPhuTKSXchJLfdPsYI87kP2Mg/WWVABtmAX4Y6qyUKIIRSQ99utdnj:13K1vZPsYItP57WVUXT4IIsvnj
Threatray: 49 similar samples on MalwareBazaar
TLSH: 8074E001FB5BEE42C6854DF56628BF6046E9A52506A2E2F3FCC56FFD38093981A071C7
Reporter: SecuriteInfoCom

Intelligence


File Origin
# of uploads: 1
# of downloads: 153
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Variant.Barys.7350.27804.5573
Verdict: Malicious activity
Analysis date: 2020-12-18 19:33:01 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Enabling the 'hidden' option for recently created files
Moving a recently created file
Changing a file
Deleting a recently created file
Forced system process termination
Launching a process
Changing an executable file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for the window
Blocking the Windows Defender launch
Setting a single autorun event
Creating a file in the mass storage device
Launching a tool to kill processes
Launching the process to interact with network services
Encrypting user's files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: 4444_Ransomware Maoloa
Detection: malicious
Classification: rans.spre.evad
Score: 100 / 100
Signature
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected 4444_Ransomware
Yara detected Maoloa
Yara detected Ransomware_Generic
Behaviour
Behavior Graph ID: 332391
Sample: SecuriteInfo.com.Variant.Ba... (name truncated as on the page)
Start date: 18/12/2020
Architecture: WINDOWS
Score: 100
Signatures on the sample: Multi AV Scanner detection for submitted file; Yara detected Ransomware_Generic; Yara detected Maoloa; 4 other signatures

Process tree (node numbers are the graph's own ids; "drops" and "signature" entries are attached to the process above them):
[8] SecuriteInfo.com.Variant.Barys.7350.27804.exe (started)
    drops [34] C:\Users\user\AppData\...\tmp9321.tmp.exe (PE32)
    signature [52] Injects a PE file into a foreign processes
    [16] SecuriteInfo.com.Variant.Barys.7350.27804.exe (started)
        [24] cmd.exe (started)
            [30] conhost.exe (started)
    [19] tmp9321.tmp.exe (started)
        signature [38] Multi AV Scanner detection for dropped file
        [26] conhost.exe (started)
        [28] cmd.exe (started)
[12] SecuriteInfo.com.Variant.Barys.7350.27804.exe (started)
    [21] SecuriteInfo.com.Variant.Barys.7350.27804.exe (started)
        drops [32] C:\$Recycle.Bin\.C4D1664EF40CE18F8D41 (data)
        signature [40] Creates files in the recycle bin to hide itself
        signature [42] Spreads via windows shares (copies files to share folders)
[14] SecuriteInfo.com.Variant.Barys.7350.27804.exe (started)
    drops [36] SecuriteInfo.com.V....7350.27804.exe.log (ASCII)
Threat name: ByteCode-MSIL.Trojan.DelShad
Status: Malicious
First seen: 2020-12-12 15:59:19 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence ransomware spyware trojan upx
Behaviour
Discovers systems in the same network
Kills process with taskkill
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Modifies extensions of user files
Modifies service settings
Stops running service(s)
UPX packed file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SHA256 hash: 9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b
MD5 hash: 5e3d6c7190c6da44298d1a424f48d77a
SHA1 hash: 39b6c944ed7c0910b6c1425f305aa5c529f62e37

SHA256 hash: 01bc6f7113668222a9a41c6a385b3bae9a4c2c3679ec0078cafce7d159ee20d1
MD5 hash: 3117373e2e0658adeb5c1483013672e9
SHA1 hash: 380d7f457f765605c3c5a371f0bf5d16ce8e7c38

SHA256 hash: 11d277592379df0a4ae283a4a86c6ec13ae586e21bcb7581370976c23495e0ca
MD5 hash: ad216a8d93d53d39764c69db3738dbe1
SHA1 hash: 405c19343da75f07c4c2465df28b618a68d39ac2

SHA256 hash: 2520ce6e5d00986632fa9c7cd4d776348eb7d64d9daecf0a2b89cc7f8b0c91bc
MD5 hash: 7800fc48e27c690c1533252b4a1e2fbb
SHA1 hash: 8a484c79989922d6516b679fd128c96f336062cb

SHA256 hash: 7bd5ee0e139e569a13e9d9ad67ff5e5afd7f6e2e9fa30d066fcb8bda249c5c08
MD5 hash: d38b65876c339a5cc895ccb294483c65
SHA1 hash: 3e581b2dc38b8fb05dd7c2cbf673e0212d02993d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b (this sample)

Delivery method: Distributed via web download
