MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1e3ddf0a588950372e8ff5d5b1d7bd4d690e7fb3deb193c7950306e9b9a23cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



VirLock


Vendor detections: 6



SHA256 hash: a1e3ddf0a588950372e8ff5d5b1d7bd4d690e7fb3deb193c7950306e9b9a23cd
SHA3-384 hash: 7be0659a519926125331901fde78d43d2fdd1035072271378319064ece043ef963957d6333abd94944c32d058251c4c8
SHA1 hash: 20ec7e5f10e6f56bac7e10fd66a05f2bfd2fe210
MD5 hash: b965ec2b45bfb93c9cd9c35c823ec88c
humanhash: steak-speaker-oven-neptune
File name:b965ec2b_by_Libranalysis
Signature VirLock
File size:637'440 bytes
First seen:2021-05-05 09:04:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7498d4ab69e818c68ab3f8fabdcda91b (1 x VirLock)
ssdeep 12288:GVxjN11RRUef+lV7ONtnmLm0Nce/FCiBTm:2xj1RRUvH+0Lm0EMTm
Threatray 115 similar samples on MalwareBazaar
TLSH 8ED49C6CF622C3C2D7271D7BDCD8287A34F5C420A30DFA166D86714588A668F7E6F648
Reporter Libranalysis


Libranalysis
Uploaded as part of the sample sharing project
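Before triaging a downloaded copy, confirm it is the file this entry describes by recomputing the four listed digests and the file size. The script below is an added example, not MalwareBazaar code: the expected values are copied from this entry, while the bytes hashed in demo() are a constructed stand-in (not the sample) and therefore do not match. MalwareBazaar serves samples as a password-protected ZIP (password "infected"); run the check against the extracted file, not the archive.

```python
"""Verify a downloaded file against the digests published on this MalwareBazaar entry.

Added example, not MalwareBazaar's own code. EXPECTED is copied from the entry for
SHA256 a1e3ddf0...23cd; the bytes used in demo() are constructed and will not match.
"""
import hashlib
import os
import tempfile

# Digests and size as listed on the entry (copied from the page).
EXPECTED = {
    "md5": "b965ec2b45bfb93c9cd9c35c823ec88c",
    "sha1": "20ec7e5f10e6f56bac7e10fd66a05f2bfd2fe210",
    "sha256": "a1e3ddf0a588950372e8ff5d5b1d7bd4d690e7fb3deb193c7950306e9b9a23cd",
    "sha3_384": "7be0659a519926125331901fde78d43d2fdd1035072271378319064ece043ef9"
                "63957d6333abd94944c32d058251c4c8",
}
EXPECTED_SIZE = 637440  # bytes


def _new_hashers():
    return {
        "md5": hashlib.md5(),
        "sha1": hashlib.sha1(),
        "sha256": hashlib.sha256(),
        "sha3_384": hashlib.sha3_384(),
    }


def digest_bytes(data: bytes) -> dict:
    """Return the four digests MalwareBazaar publishes, as lower-case hex."""
    hs = _new_hashers()
    for h in hs.values():
        h.update(data)
    return {k: h.hexdigest() for k, h in hs.items()}


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a file through all four hash objects in one pass (samples can be large)."""
    hs = _new_hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {k: h.hexdigest() for k, h in hs.items()}


def verify(actual: dict, expected: dict = EXPECTED, size: int = None) -> dict:
    """Compare computed digests (and optionally the size) to the listed values.

    A mismatch on any digest means this is not the file the entry describes;
    MD5 and SHA1 are listed for cross-referencing older reports, SHA256 is the
    identifier MalwareBazaar keys on.
    """
    report = {name: actual[name] == expected[name].lower() for name in expected}
    if size is not None:
        report["size"] = size == EXPECTED_SIZE
    return report


def demo() -> dict:
    """Hash a constructed placeholder file (NOT the sample) and check it against the entry."""
    data = b"MZ" + b"\x90" * 14  # constructed bytes, deliberately not the real sample
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        return verify(digest_file(path), size=os.path.getsize(path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
```

For a real check, call `verify(digest_file("/path/to/extracted/sample"), size=os.path.getsize(...))`; every value should be True before you trust the vendor verdicts below as applying to the file in hand.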

Intelligence


File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
DNS request
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Ransomware.VirLock
Status:
Malicious
First seen:
2020-05-07 00:13:03 UTC
AV detection:
46 of 48 (95.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
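The persistence behaviours above (Run key added, Winlogon modified, file-extension visibility changed) leave registry artifacts a responder can hunt for on a suspected host. The script below is an added example, not MalwareBazaar or vendor code: it parses a constructed .reg-style export and flags the three patterns. The page names only the Software\Microsoft\Windows\CurrentVersion\Run branch; the Winlogon Shell/Userinit values and the Explorer\Advanced\HideFileExt value are assumed here as the usual registry locations for the other two behaviours, and the default Windows values they are compared against are assumptions as well.

```python
"""Hunt registry persistence artifacts matching the sandbox behaviours on this entry.

Added example, not MalwareBazaar or vendor code. SAMPLE_REG is a constructed
.reg-style export (not taken from the sample). Checked locations other than the
Run branch, and the expected default values, are assumptions stated in the lead-in.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, str, str]             # (key, value name, decoded value)
Finding = Tuple[str, str, str, str]      # (rule, key, value name, decoded value)

# Constructed export: one benign Run entry, one dropped EXE started from %TEMP%,
# a Winlogon Shell hijack, an untouched Userinit, and HideFileExt switched on.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\system32\\helper.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^"([^"]+)"=(.*)$')

# Key suffixes (case-insensitive) and assumed default values.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
ADVANCED_SUFFIX = r"\explorer\advanced"
DEFAULT_SHELL = "explorer.exe"                         # assumed default
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"  # assumed default
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_reg(text: str) -> List[Entry]:
    """Parse [key] headers and "name"=value lines; decode .reg string escaping."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL.match(line)
        if m and key is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith('"') and val.endswith('"'):
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # \\ -> \ and \" -> "
            entries.append((key, name, val))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag Run entries launched from a temp directory, Winlogon tampering, hidden extensions."""
    findings = []
    for key, name, val in entries:
        k, n, v = key.lower(), name.lower(), val.lower().strip()
        if k.endswith(RUN_SUFFIX) and any(t in v for t in TEMP_MARKERS):
            findings.append(("run-key-from-temp", key, name, val))
        elif k.endswith(WINLOGON_SUFFIX) and n == "shell" and v != DEFAULT_SHELL:
            findings.append(("winlogon-shell-modified", key, name, val))
        elif k.endswith(WINLOGON_SUFFIX) and n == "userinit" and v != DEFAULT_USERINIT:
            findings.append(("winlogon-userinit-modified", key, name, val))
        elif k.endswith(ADVANCED_SUFFIX) and n == "hidefileext" and v == "dword:00000001":
            findings.append(("file-extensions-hidden", key, name, val))
    return findings


if __name__ == "__main__":
    for rule, key, name, val in triage(parse_reg(SAMPLE_REG)):
        print(f"[{rule}] {key}\\{name} = {val}")
```

On a live host, feed it the output of `reg export` for the hives in question; the Run-from-temp rule is deliberately narrow (a benign entry under AppData is not flagged), so treat it as a starting filter rather than a complete detection.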
Unpacked files
SHA256 hash:
f77f2b411402be7c86f55540fac3d34b32cad1c0531d31a6ecba879c5339f0eb
MD5 hash:
b6d816a9f21774609335a8d43b578b08
SHA1 hash:
2ab3c974de3796484e20df08c77a6a41764793c0
SHA256 hash:
841b1fd13fa45b8f376549026add0615e0b33a05804f43741391cc1ac35d7192
MD5 hash:
d842f49ff9cb1cb6cb760d0b37c3bf68
SHA1 hash:
a4e17e9745644578068e4427fc0ba443c161e448
SHA256 hash:
2415b1f6c569d0dadb8316218bbd2a29123fd3cb876b5961eff97493df056fd0
MD5 hash:
267fb8abd46a8e36acf431db7dd13411
SHA1 hash:
9cdda39de4d219c582ed50b9456560339527dbdb
SHA256 hash:
a1e3ddf0a588950372e8ff5d5b1d7bd4d690e7fb3deb193c7950306e9b9a23cd
MD5 hash:
b965ec2b45bfb93c9cd9c35c823ec88c
SHA1 hash:
20ec7e5f10e6f56bac7e10fd66a05f2bfd2fe210
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments