MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6
SHA3-384 hash: 331c33449aa3170cf478d7d66b6e3033204cec4b34fd5363629745a82b01b383b3231824e112a7ee3ac85fc9fbebe130
SHA1 hash: 5529175952d3fa0697124260e46ec1dbd0c63ae7
MD5 hash: d197fad90535fb974db139537a091a5b
humanhash: quiet-illinois-iowa-louisiana
File name:UDS-Virus.Win32.PolyRansom.a-a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6.exe
Download: download sample
File size:152'064 bytes
First seen:2022-09-29 12:37:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:Gs6dE9I6+dZXlX1sZhuJHxleadYgJcuFsdazXflJv:GYpC16C6adXcFcz
Threatray 1'886 similar samples on MalwareBazaar
TLSH T15EE312066D5DDD27EDE901FEA003E2119714EBA1A3D3EBDD2C8EA0542F137B21907A57
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
535
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
cerber
Create hunting rule
ID:
1
File name:
d.exe
Verdict:
Malicious activity
Analysis date:
2021-02-06 22:06:30 UTC
Tags:
trojan ransomware cerber infinitylock derialock
Link:
https://app.any.run/tasks/cde0273b-14ba-4b4c-9df3-d8c5f0bc1609

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314822/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Searching for the window
Changing a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Running batch commands
Moving a file to the %temp% directory
Launching cmd.exe command interpreter
Launching the process to change network settings
Unauthorized injection to a recently created process
Changing settings of the browser security zones
Changing critical settings of the Internet Explorer browser
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633591b578d4acb349f36fba/reports/42939992-76f6-47c2-b7e4-2a12876a4a96/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccef6e05-77f6-4888-8741-b9c09a515e79
Result
Threat name:
Babuk, Cerber, DeriaLock, InfinityLock,
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1080057
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to create processes via WMI
Contains functionality to enumerate network shares of other devices
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Deletes keys related to Windows Defender
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables security and backup related services
Disables the Windows registry editor (regedit)
Disables the windows security center
Disables the Windows task manager (taskmgr)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking mutex)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Execute DLL with spoofed extension
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Cerber ransomware
Yara detected DeriaLock Ransomware
Yara detected InfinityLock Ransomware
Yara detected Mimikatz
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 712613 Sample: bpkAAJptGv.exe Startdate: 29/09/2022 Architecture: WINDOWS Score: 100 135 yandex.ru 2->135 137 www.vikingwebscanner.com 2->137 139 9 other IPs or domains 2->139 157 Snort IDS alert for network traffic 2->157 159 Malicious sample detected (through community Yara rule) 2->159 161 Antivirus detection for URL or domain 2->161 163 16 other signatures 2->163 10 bpkAAJptGv.exe 14 72 2->10         started        15 svchost.exe 2->15         started        17 cmd.exe 2->17         started        19 8 other processes 2->19 signatures3 process4 dnsIp5 141 raw.githubusercontent.com 10->141 143 github.com 10->143 119 C:\Users\user\Desktop\Fantom.exe, PE32 10->119 dropped 121 C:\Users\user\Desktopndermanch@Xyeta.exe, PE32 10->121 dropped 123 C:\...ndermanch@WinlockerVB6Blacksod.exe, PE32 10->123 dropped 125 65 other malicious files 10->125 dropped 201 Writes many files with high entropy 10->201 21 Endermanch@BadRabbit.exe 10->21         started        25 Endermanch@AntivirusPlatinum.exe 1 13 10->25         started        27 Endermanch@Birele.exe 10->27         started        33 9 other processes 10->33 29 MpCmdRun.exe 15->29         started        31 conhost.exe 17->31         started        file6 signatures7 process8 dnsIp9 101 C:\Windows\infpub.dat, data 21->101 dropped 177 Antivirus detection for dropped file 21->177 179 Multi AV Scanner detection for dropped file 21->179 181 Machine Learning detection for dropped file 21->181 36 rundll32.exe 21->36         started        40 conhost.exe 21->40         started        103 C:\Windows\antivirus-platinum.exe, PE32 25->103 dropped 105 C:\Windows\302746537.exe, PE32 25->105 dropped 107 C:\Windows\MSCOMCTL.OCX, PE32 25->107 dropped 109 C:\Windows\COMCTL32.OCX, PE32 25->109 dropped 183 Drops executables to the windows directory (C:\Windows) and starts them 25->183 42 302746537.exe 25->42         started        185 Creates an undocumented autostart registry key 27->185 187 Creates multiple autostart registry keys 27->187 189 Deletes keys related to Windows Defender 27->189 191 Deletes keys which are related to windows safe boot (disables safe mode boot) 27->191 44 taskkill.exe 27->44         started        46 conhost.exe 29->46         started        129 93.107.12.20 VODAFONE-IRELAND-ASNIE Ireland 33->129 131 93.107.12.21 VODAFONE-IRELAND-ASNIE Ireland 33->131 133 104 other IPs or domains 33->133 111 C:\Users\user\...\ATJBEMHSSB.jpg.deria, COM 33->111 dropped 113 C:\Users\user\Desktop\ATJBEMHSSB.pdf.deria, DOS 33->113 dropped 115 C:\Users\user\AppData\Local\6AdwCleaner.exe, PE32 33->115 dropped 117 9 other files (7 malicious) 33->117 dropped 193 Uses netsh to modify the Windows network and firewall settings 33->193 195 Modifies the windows firewall 33->195 197 Disables security and backup related services 33->197 199 3 other signatures 33->199 48 6AdwCleaner.exe 33->48         started        51 netsh.exe 33->51         started        53 netsh.exe 33->53         started        55 5 other processes 33->55 file10 signatures11 process12 dnsIp13 95 C:\Windows\dispci.exe, PE32 36->95 dropped 97 C:\Windows\cscc.dat, PE32+ 36->97 dropped 99 C:\Windows\870F.tmp, data 36->99 dropped 165 System process connects to network (likely due to code injection or exploit) 36->165 167 Connects to many different private IPs via SMB (likely to spread or exploit) 36->167 169 Connects to many different private IPs (likely to spread or exploit) 36->169 175 5 other signatures 36->175 57 cmd.exe 36->57         started        59 cmd.exe 36->59         started        61 cmd.exe 36->61         started        63 870F.tmp 36->63         started        171 Multi AV Scanner detection for dropped file 42->171 65 cmd.exe 42->65         started        68 conhost.exe 44->68         started        127 www.vikingwebscanner.com 48->127 173 Antivirus detection for dropped file 48->173 70 conhost.exe 51->70         started        72 conhost.exe 53->72         started        74 3 other processes 55->74 file14 signatures15 process16 signatures17 76 conhost.exe 57->76         started        78 schtasks.exe 57->78         started        89 2 other processes 59->89 91 2 other processes 61->91 80 conhost.exe 63->80         started        145 Drops executables to the windows directory (C:\Windows) and starts them 65->145 147 Uses schtasks.exe or at.exe to add and modify task schedules 65->147 82 antivirus-platinum.exe 65->82         started        85 conhost.exe 65->85         started        87 regsvr32.exe 65->87         started        93 2 other processes 65->93 process18 signatures19 149 Multi AV Scanner detection for dropped file 82->149 151 Changes security center settings (notifications, updates, antivirus, firewall) 82->151 153 Disables the Windows task manager (taskmgr) 82->153 155 2 other signatures 82->155
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-07 08:33:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujc3winpgudvplqo5o6t5cqtgmxuribdsphvbdrgncbvzsmonxda._file
Verdict:
malicious
Similar samples:
36ed7e4e8dfce10773b1b1f1b7302e80d38bfd75d7c35bc5da2abf9a8a0b99e3
56c26a2b13759364f9cc066e2d876bcca463ea1c699b0fe63774686922029f72
6ba57cb21a12212bb988ccfc64bfadb07bc25b332905f3db1b84665c3a5ca5ce
792b258b63cc60abacdcc9218b04152805081b3cf8d11de875969c7f07bb0738
a1d99da15a8902431ab728f50cc47294cdb18fa204d4343f42e49fc84d44bed6
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d
cbc3b5b5bb5bb659f000bf19de99582e19df5f5fbd721e0951d2d2fa93780808
e5748b9c18c3e264c771b8abe50805fe070719b459493d37eec86f972fd1d5ac
+ 1'876 additional samples on MalwareBazaar
Result
Malware family:
mimikatz
Create hunting rule
Score:
  10/10
Tags:
family:mimikatz bootkit discovery evasion persistence themida upx
Link:
https://tria.ge/reports/220929-pt4essaha6/
Behaviour
Runs net.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Creates scheduled task(s)
Kills process with taskkill
Modifies registry key
Modifies system certificate store
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Themida packer
Unexpected DNS network traffic destination
Contacts a large (1133) amount of remote hosts
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Stops running service(s)
UPX packed file
mimikatz is an open source tool to dump credentials on Windows
Mimikatz
Malware Config
Dropper Extraction:
http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=GBQHURCC&2=i-s&3=61&4=9200&5=6&6=2&7=919041&8=1033
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5d6fc673-3c21-4d84-9a33-643c91f2dccc
Unpacked files
SH256 hash:
c26e67f93294ef08f6f45bc0dd03e3d6bc66a23dc44de6e9f557e991caa5da69
MD5 hash:
9c534f10d1201a193d9bccc7ae9d86e4
SHA1 hash:
8b63ebfe77f60ff977dc12b31b73fc975be95110
Link:
https://www.unpac.me/results/4ef50b30-7be1-4be6-8d72-bfaa7cb40b39/
SH256 hash:
a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6
MD5 hash:
d197fad90535fb974db139537a091a5b
SHA1 hash:
5529175952d3fa0697124260e46ec1dbd0c63ae7
Link:
https://www.unpac.me/results/4ef50b30-7be1-4be6-8d72-bfaa7cb40b39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a245bb21af350757ae0eebbd3e8a13332f48a02393cf508e2668835cc98e6dc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/314822/

Comments