MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a42ccf420298ede753f0b4da8e04c3b0dd963fa627efd5c2994b1e3f4093d797. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a42ccf420298ede753f0b4da8e04c3b0dd963fa627efd5c2994b1e3f4093d797
SHA3-384 hash: fb98037772869fafc5e78eaf5d346ef70c37eeec8c85eabac635f664dde56bb7b27955659b02f7585855c94ae535a54a
SHA1 hash: bdf6a3febc6045dd8a3615b5863ea6af2d388e45
MD5 hash: eb24b325b62e457e6fac78958edda95c
humanhash: muppet-don-august-hydrogen
File name:a42ccf420298ede753f0b4da8e04c3b0dd963fa627efd5c2994b1e3f4093d797
Download: download sample
File size:193'024 bytes
First seen:2021-02-05 12:36:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3b0ac204f050b3ed5f8d3dfa6a213c01
ssdeep 3072:s/qz3are+rV2AYcdrW40+m/0YyB8mDe87aEfluZywzUI:s/qm6+B2GNWR7C8We0KkgU
Threatray 18 similar samples on MalwareBazaar
TLSH 53141963B9845D76F26DBD349A9D8362B2B678300D2C7077ACE63E0FA96D2C1412C5D3
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a42ccf420298ede753f0b4da8e04c3b0dd963fa627efd5c2994b1e3f4093d797
Verdict:
Suspicious activity
Analysis date:
2021-02-05 12:37:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dad6ee99-a2b7-41dc-833b-1f14c89f5215

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115735/
Detection(s):
Win.Ransomware.Scarab-6336012-1
Create hunting rule

Win.Ransomware.Deepscan-6975721-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Deleting a recently created file
Replacing files
Launching a process
Creating a window
Searching for the window
Creating a file
Changing a file
Creating a file in the Program Files directory
Moving a file to the Program Files directory
Modifying an executable file
Sending a UDP request
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Setting a single autorun event
Deleting volume shadow copies
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600221
Signature
Antivirus / Scanner detection for submitted sample
Delayed program exit found
Deletes shadow drive data (may be related to ransomware)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: WannaCry Ransomware
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 349134 Sample: l4zCNKjxVh Startdate: 05/02/2021 Architecture: WINDOWS Score: 100 71 Sigma detected: WannaCry Ransomware 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 5 other signatures 2->77 10 l4zCNKjxVh.exe 1 2->10         started        13 osk.exe 2->13         started        15 osk.exe 2->15         started        process3 signatures4 89 Delayed program exit found 10->89 17 l4zCNKjxVh.exe 1 10->17         started        19 cmd.exe 3 10->19         started        process5 process6 21 osk.exe 2 94 17->21         started        25 cmd.exe 3 17->25         started        27 conhost.exe 19->27         started        file7 59 C:\...\HOW TO RECOVER ENCRYPTED FILES.TXT, ASCII 21->59 dropped 61 C:\Program Filesbehaviorgraphoogle\...\chrome_proxy.exe, data 21->61 dropped 63 C:\Program Filesbehaviorgraphoogle\Chrome\...\chrome.exe, data 21->63 dropped 69 47 other malicious files 21->69 dropped 81 Multi AV Scanner detection for dropped file 21->81 83 Writes a notice file (html or txt) to demand a ransom 21->83 85 Writes many files with high entropy 21->85 87 2 other signatures 21->87 29 mshta.exe 1 21->29         started        32 mshta.exe 1 21->32         started        65 C:\Users\user\AppData\Roaming\osk.exe, PE32 25->65 dropped 67 C:\Users\user\...\osk.exe:Zone.Identifier, ASCII 25->67 dropped 34 conhost.exe 25->34         started        signatures8 process9 signatures10 91 Deletes shadow drive data (may be related to ransomware) 29->91 93 Uses bcdedit to modify the Windows boot settings 29->93 36 cmd.exe 29->36         started        39 cmd.exe 29->39         started        41 cmd.exe 29->41         started        43 2 other processes 29->43 process11 signatures12 79 Deletes shadow drive data (may be related to ransomware) 36->79 45 conhost.exe 36->45         started        47 WMIC.exe 36->47         started        49 conhost.exe 39->49         started        51 vssadmin.exe 39->51         started        53 conhost.exe 41->53         started        55 conhost.exe 43->55         started        57 conhost.exe 43->57         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a42ccf420298ede753f0b4da8e04c3b0dd963fa627efd5c2994b1e3f4093d797/
Threat name:
Win32.Ransomware.Kitoles
Create hunting rule
Status:
Malicious
First seen:
2021-02-02 10:04:00 UTC
File Type:
PE (Exe)
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0f81f4eb37083c821598ffd57cff12a082f19ca2de57c86faff65755ef332686
15e3107a2c30da16832db6f9cdadd38c7a202d72b6a43899b9642d3b695d6f50
24ed6ee6c21b01723299773311912048f6a4a782de9496c6e479c22d6fceb085
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e
4b7a2dff949a14956a679adb981bbec0aec0e198c04a454f54c5e9dcf5854b54
4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
dac7b64601ffa3176296bc0647aa7cd30c50b95ea5002410000439ce506b5b9e
f40b9e6f7cfed63bba3b6eae6b0403ab26906caa77830027ed39a05918c4b877
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/210205-wztbhhmpr6/
Behaviour
Interacts with shadow copies
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Enumerates physical storage devices
Adds Run key to start application
Drops desktop.ini file(s)
Loads dropped DLL
Executes dropped EXE
Deletes shadow copies
Unpacked files
SH256 hash:
a42ccf420298ede753f0b4da8e04c3b0dd963fa627efd5c2994b1e3f4093d797
MD5 hash:
eb24b325b62e457e6fac78958edda95c
SHA1 hash:
bdf6a3febc6045dd8a3615b5863ea6af2d388e45
Link:
https://www.unpac.me/results/f9363ab2-c83e-4ee4-bf55-c2ddfcde4f87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a42ccf420298ede753f0b4da8e04c3b0dd963fa627efd5c2994b1e3f4093d797

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/115735/

Comments