MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
SHA3-384 hash:	34398752b54a5f0890167cac09ded9c5920c0fd5c61a9613b5139715857ab68cd7e2ee7dcdca7e7a4ccdd16eb2e15bca
SHA1 hash:	04028a0a1d44f81709040c31af026785209d4343
MD5 hash:	afd5d656a42a746e95926ef07933f054
humanhash:	shade-oscar-nitrogen-sweet
File name:	9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
Download:	download sample
File size:	3'085'312 bytes
First seen:	2022-10-04 16:29:43 UTC
Last seen:	2022-10-13 09:34:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	150bdf1f53f6260c91ec3fcff5867019 (1 x Royal)
ssdeep	49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5c:wm+GaNqqJJ12vlZol8cJ7rcl
Threatray	3 similar samples on MalwareBazaar
TLSH	T1D5E58D6AF6A800D8D56AC13CC5564227E3B1FC2517B287CB1AB4AA790F73AD55F3E700
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	petikvx
Tags:	exe Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

542

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

220929-fm2g7amsyz_pw_infected.zip

Verdict:

No threats detected

Analysis date:

2022-09-29 07:47:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1ec7a729-1b09-402f-9035-ac9ad6d674b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316587/

Detection(s):

SecuriteInfo.com.Trojan.DelShadows.21.16918.30482.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Searching for the window

Sending a custom TCP request

Deleting volume shadow copies

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/41120/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

CallSleep

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

explorer.exe filecoder greyware royal

Link:

https://www.filescan.io/uploads/633c5f8b78d4acb349f4b183/reports/d8b543df-1461-4ec9-812f-b883fbb97f9d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ed4ef662-4479-42d7-bf2d-23e4134860bf

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1083415

Signature

Antivirus / Scanner detection for submitted sample

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

May disable shadow drive data (uses vssadmin)

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926/

Threat name:

Win64.Trojan.DelShad

Status:

Malicious

First seen:

2022-09-21 17:48:35 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

25 of 41 (60.98%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tw4vrpc3jiqtidho5ogdnbz2u26qfjda42en4vwmxouukocldeta._file

Verdict:

malicious

2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

7b7e104ca9e6eff6351c60c93a1054cb70c7744f5736b980b363a577be2d732d

Result

Malware family:

n/a

Score:

9/10

Tags:

ransomware

Link:

https://tria.ge/reports/221004-tzsygabghp/

Behaviour

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Deletes shadow copies

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/44e7871d-1499-4242-b7c2-c3e9f2a9d539

Unpacked files

SH256 hash:

9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926

MD5 hash:

afd5d656a42a746e95926ef07933f054

SHA1 hash:

04028a0a1d44f81709040c31af026785209d4343

Link:

https://www.unpac.me/results/f18e4c76-b66c-4e39-8d4e-acc2ffc486d3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	RansomwareTest8 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/316587/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample