MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bae73eacfbc2ced0d12dee97f31c186be0b8080c3471ce497b058081ccaeeb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WannaCry

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	9bae73eacfbc2ced0d12dee97f31c186be0b8080c3471ce497b058081ccaeeb6
SHA3-384 hash:	8da2564d7063cc8a66a8a7a1b0514a2047c81f638c50c05e103aab0131a970a4c6907f121b403ffcff07a3ca5b49aadf
SHA1 hash:	24e960b51b156502b81c0e0deaeabca09b160a4e
MD5 hash:	1379c8d2a7758958c5f2ad789feef48e
humanhash:	california-carolina-sixteen-wolfram
File name:	2023-02-15_1379c8d2a7758958c5f2ad789feef48e_wannacry
Download:	download sample
Signature	WannaCry Create hunting rule
File size:	108'544 bytes
First seen:	2023-02-15 05:28:30 UTC
Last seen:	2023-02-18 16:31:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:xomjKNtr9Xtn2NLUIvM/qZpgMe/YuRcrIgQ:gr9Xtg5Lepqkg
Threatray	4'262 similar samples on MalwareBazaar
TLSH	T126B31D382AFE9029F373EE755BD475DF8AAFB7633A0694582091034A0623D41DE9173E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	petikvx
Tags:	WannaCry

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2023-02-15_1379c8d2a7758958c5f2ad789feef48e_wannacry

Verdict:

Malicious activity

Analysis date:

2023-02-15 05:31:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/76f36bc4-83f0-4beb-af6c-9ff8aae65f46

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Chaos

Link:

https://www.capesandbox.com/analysis/366373/

Detection(s):

Win.Ransomware.Hydracrypt-9878672-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Sending a custom TCP request

Moving a recently created file

Changing a file

Modifying an executable file

Reading critical registry keys

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Unauthorized injection to a recently created process

Creating a file in the mass storage device

Stealing user critical data

Enabling autorun by creating a file

Encrypting user's files

Gathering data

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/9bae73eacfbc2ced0d12dee97f31c186be0b8080c3471ce497b058081ccaeeb6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CHAOS Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15a7feb2-80a1-425a-846d-56cc9e579458

Result

Threat name:

Chaos, TrojanRansom

Detection:

malicious

Classification:

rans.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1175310

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9bae73eacfbc2ced0d12dee97f31c186be0b8080c3471ce497b058081ccaeeb6/

Threat name:

ByteCode-MSIL.Ransomware.FileCoder

Status:

Malicious

First seen:

2023-02-15 00:50:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

36 of 39 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=toxhh2wpxqwo2dis33ux6mobq27axaeayndrzzexwbmaqhgk523a._file

Verdict:

malicious

WannaCry

0a00b6668696bf62e14ea1acaa855397730e24bd66b594d9602bee37c2de2e6e

WannaCry

1f57dcbcb1684ee5f037249fe8f48b48776ecb3c67bd726485cccc6bf1347541

WannaCry

7826978642c568f975e2b65d1575fdf92e634f7c80db2c86c9d7c8066e8955b8

WannaCry

c797991107d261423bebab5f3cd3b44b5a63e3925baaf53ed8b0ba77f5c7fb7b

WannaCry

ca3e078052da372b3238b78d311eca0dee9e82bb75d62773be05bc033ab0ea82

WannaCry

e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14

WannaCry

f871efc0cdf5446908e436de9ed821ff0ec5e217c50c16e69e3d0e83f6257f0f

WannaCry

+ 4'252 additional samples on MalwareBazaar

Result

Malware family:

chaos

Score:

10/10

Tags:

family:chaos evasion ransomware spyware stealer

Link:

https://tria.ge/reports/230215-f6kc1shh8v/

Behaviour

Checks SCSI registry key(s)

Interacts with shadow copies

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Sets desktop wallpaper using registry

Drops desktop.ini file(s)

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes backup catalog

Modifies extensions of user files

Deletes shadow copies

Modifies boot configuration data using bcdedit

Chaos

Chaos Ransomware

Unpacked files

SH256 hash:

9bae73eacfbc2ced0d12dee97f31c186be0b8080c3471ce497b058081ccaeeb6

MD5 hash:

1379c8d2a7758958c5f2ad789feef48e

SHA1 hash:

24e960b51b156502b81c0e0deaeabca09b160a4e

Link:

https://www.unpac.me/results/549f5972-9d67-4031-8aec-d7c06651239f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9bae73eacfbc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/9bae73eacfbc2ced0d12dee97f31c186be0b8080c3471ce497b058081ccaeeb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	MALWARE_Win_Chaos Create hunting rule
Author:	ditekSHen
Description:	Detects Chaos ransomware

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/366373/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample