MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Troldesh


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6
SHA3-384 hash: f3aa40cb4cbf67c47f64a7b6ccc6aedfa8d58f2b947af04d99e22f4fc3bbf0daa14f16a0555c112bc4040310c44472ec
SHA1 hash: 76440c8a557e7c1c032f7ccb69f6f133686e8fe4
MD5 hash: f7fad376e883d2bab82fbae91e5874f5
humanhash: summer-hot-mike-mockingbird
File name:Trojan-Ransom.Win32.PolyRansom.cwlk-a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6.exe
Download: download sample
Signature Troldesh
Create hunting rule
File size:151'552 bytes
First seen:2022-09-29 12:37:19 UTC
Last seen:2024-07-24 19:48:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:YzS2qulKP62/xAZS6Rt3T4awbhdEyvM3ylfXTkpisd7LT8EB:CS2qaKP62mZS6RZ4aw1dd0ClfD+isd7c
Threatray 4 similar samples on MalwareBazaar
TLSH T190E31254DF0C3BA7DE99C7B50CE4C3454FD08121296EDFAB398495FA66427B2A0432B7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:exe Ransomware Troldesh

Intelligence

File Origin
# of uploads :
2
# of downloads :
607
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
cerber
Create hunting rule
ID:
1
File name:
d.exe
Verdict:
Malicious activity
Analysis date:
2021-02-06 21:51:34 UTC
Tags:
trojan ransomware cerber troldesh shade infinitylock derialock
Link:
https://app.any.run/tasks/f6abe335-9e8e-4983-bc01-5a0f70f2279f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314818/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a window
Running batch commands
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Changing a file
Unauthorized injection to a recently created process
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633591b00d3d21420cc96cae/reports/d98ed7bc-a2d2-4deb-84b7-57f65ee2ab9d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Shade
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27ab139c-2b9f-49c4-b4ff-8dd824e6f584
Result
Threat name:
Babuk, Cerber, DeriaLock, InfinityLock,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1080062
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Clears the journal log
Clears the windows event log
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Deletes keys related to Windows Defender
Deletes keys which are related to windows safe boot (disables safe mode boot)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables security and backup related services
Disables the Windows registry editor (regedit)
Disables the windows security center
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Cerber ransomware
Yara detected DeriaLock Ransomware
Yara detected InfinityLock Ransomware
Yara detected Mimikatz
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 712620 Sample: 4d44bed6.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 100 125 www5.internet-security-guard.com 2->125 127 secure1.safe-scanerwas.com 2->127 129 7 other IPs or domains 2->129 155 Snort IDS alert for network traffic 2->155 157 Malicious sample detected (through community Yara rule) 2->157 159 Antivirus detection for URL or domain 2->159 161 16 other signatures 2->161 10 4d44bed6.exe 14 72 2->10         started        15 cmd.exe 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 143 raw.githubusercontent.com 10->143 145 google.ru 10->145 147 2 other IPs or domains 10->147 117 C:\Users\user\Desktop\Fantom.exe, PE32 10->117 dropped 119 C:\Users\user\Desktopndermanch@Xyeta.exe, PE32 10->119 dropped 121 C:\...ndermanch@WinlockerVB6Blacksod.exe, PE32 10->121 dropped 123 65 other malicious files 10->123 dropped 201 Writes many files with high entropy 10->201 19 Endermanch@BadRabbit.exe 10->19         started        23 Endermanch@AntivirusPlatinum.exe 1 13 10->23         started        25 Endermanch@Cerber5.exe 10->25         started        32 10 other processes 10->32 28 conhost.exe 15->28         started        30 WerFault.exe 17->30         started        file6 signatures7 process8 dnsIp9 99 C:\Windows\infpub.dat, data 19->99 dropped 177 Antivirus detection for dropped file 19->177 179 Multi AV Scanner detection for dropped file 19->179 181 Machine Learning detection for dropped file 19->181 34 rundll32.exe 19->34         started        38 conhost.exe 19->38         started        101 C:\Windows\antivirus-platinum.exe, PE32 23->101 dropped 103 C:\Windows\302746537.exe, PE32 23->103 dropped 113 2 other files (none is malicious) 23->113 dropped 183 Drops executables to the windows directory (C:\Windows) and starts them 23->183 40 302746537.exe 23->40         started        131 93.107.12.20 VODAFONE-IRELAND-ASNIE Ireland 25->131 133 93.107.12.21 VODAFONE-IRELAND-ASNIE Ireland 25->133 139 98 other IPs or domains 25->139 105 C:\Users\user\AppData\Local\Temp\...\68f6.tmp, b.out 25->105 dropped 185 Detected unpacking (changes PE section rights) 25->185 187 Detected unpacking (overwrites its own PE header) 25->187 189 Uses netsh to modify the Windows network and firewall settings 25->189 191 Modifies the windows firewall 25->191 42 netsh.exe 25->42         started        44 netsh.exe 25->44         started        135 searchdusty.com 32->135 137 raw.githubusercontent.com 32->137 141 4 other IPs or domains 32->141 107 C:\Users\user\AppData\Local\6AdwCleaner.exe, PE32 32->107 dropped 109 C:\Program Files (x86)\...\libltdl3.dll, PE32 32->109 dropped 111 C:\Program Files (x86)\...\avpc2009.exe, PE32 32->111 dropped 115 2 other files (none is malicious) 32->115 dropped 193 Creates an undocumented autostart registry key 32->193 195 Tries to detect sandboxes and other dynamic analysis tools (window names) 32->195 197 Creates multiple autostart registry keys 32->197 199 5 other signatures 32->199 46 6AdwCleaner.exe 32->46         started        49 avpc2009.exe 32->49         started        51 net.exe 32->51         started        53 5 other processes 32->53 file10 signatures11 process12 dnsIp13 93 C:\Windows\dispci.exe, PE32 34->93 dropped 95 C:\Windows\cscc.dat, PE32+ 34->95 dropped 97 C:\Windows\3F22.tmp, data 34->97 dropped 163 System process connects to network (likely due to code injection or exploit) 34->163 165 Connects to many different private IPs via SMB (likely to spread or exploit) 34->165 167 Connects to many different private IPs (likely to spread or exploit) 34->167 175 4 other signatures 34->175 55 cmd.exe 34->55         started        57 cmd.exe 34->57         started        59 cmd.exe 34->59         started        68 3 other processes 34->68 61 cmd.exe 40->61         started        64 conhost.exe 42->64         started        66 conhost.exe 44->66         started        149 www.vikingwebscanner.com 46->149 169 Antivirus detection for dropped file 46->169 171 Multi AV Scanner detection for dropped file 46->171 173 Creates multiple autostart registry keys 46->173 151 yandex.ru 49->151 153 google.ru 49->153 70 2 other processes 51->70 72 4 other processes 53->72 file14 signatures15 process16 signatures17 85 3 other processes 55->85 74 conhost.exe 57->74         started        76 schtasks.exe 57->76         started        87 2 other processes 59->87 203 Drops executables to the windows directory (C:\Windows) and starts them 61->203 205 Uses schtasks.exe or at.exe to add and modify task schedules 61->205 78 antivirus-platinum.exe 61->78         started        81 conhost.exe 61->81         started        83 regsvr32.exe 61->83         started        89 2 other processes 61->89 91 5 other processes 68->91 process18 signatures19 207 Changes security center settings (notifications, updates, antivirus, firewall) 78->207 209 Disables the Windows task manager (taskmgr) 78->209 211 Disables Windows system restore 78->211 213 Disables the Windows registry editor (regedit) 78->213
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6/
Threat name:
ByteCode-MSIL.Ransomware.PolyRansom
Create hunting rule
Status:
Malicious
First seen:
2021-02-07 08:01:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhmz3ik2rebeggvxfd2qzrdsstg3dd5catkdip2c4sp4qtkex3la._file
Verdict:
malicious
Similar samples:
261728fc1400289488ed7168916b8752a2633c638724cb1653f671568437545c
Troldesh
509c74c3d16a29b3a16b03273f3c9681335f0b8324e3ac2f8e7c6ebc48116ede
Troldesh
792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
Troldesh
a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6
Troldesh
Result
Malware family:
troldesh
Create hunting rule
Score:
  10/10
Tags:
family:badrabbit family:mimikatz family:troldesh bootkit discovery evasion persistence ransomware themida trojan upx
Link:
https://tria.ge/reports/220929-pt4essbhbq/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Control Panel
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies registry class
Modifies registry key
Modifies system certificate store
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies WinLogon
Writes to the Master Boot Record (MBR)
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Themida packer
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
Checks for common network interception software
Enumerates VirtualBox registry keys
mimikatz is an open source tool to dump credentials on Windows
BadRabbit
Mimikatz
Modifies WinLogon for persistence
Troldesh, Shade, Encoder.858
Malware Config
Dropper Extraction:
http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=GBQHURCC&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8387eeb6-26a5-442c-a51d-3cdf24a09aee
Unpacked files
SH256 hash:
c26e67f93294ef08f6f45bc0dd03e3d6bc66a23dc44de6e9f557e991caa5da69
MD5 hash:
9c534f10d1201a193d9bccc7ae9d86e4
SHA1 hash:
8b63ebfe77f60ff977dc12b31b73fc975be95110
Link:
https://www.unpac.me/results/4aa1e9fa-a646-40ca-a114-c900c904dc43/
SH256 hash:
a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6
MD5 hash:
f7fad376e883d2bab82fbae91e5874f5
SHA1 hash:
76440c8a557e7c1c032f7ccb69f6f133686e8fe4
Link:
https://www.unpac.me/results/4aa1e9fa-a646-40ca-a114-c900c904dc43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314818/

Comments