MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DECAF


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850
SHA3-384 hash: 88aa73ccad0a259ed33ee42303c193a831bd258de1e8dd08ce83a86d30b116ecdecc828894a412a674a0650f0e19d837
SHA1 hash: e7acd40a42130efc72b3ec0920381f86d9dfd8e2
MD5 hash: f2cb24bfbd11a22c235f2f492b95c28d
humanhash: yellow-burger-grey-indigo
File name:a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850
Download: download sample
Signature DECAF
Create hunting rule
File size:851'264 bytes
First seen:2021-11-25 14:34:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (227 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 24576:+uyyAplx8JlIZ96SodfWZCjDj85ZG0ajI5ffz7B:+uyyOT8S96SoUCg5bLd
Threatray 7 similar samples on MalwareBazaar
TLSH T17F0533826E6CA11EC97DA0B1885BB5F35D5DDAE3271CF2AF1C81DB070476AC5FC41A24
Reporter 0xhido
Tags:DECAF exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850
Verdict:
No threats detected
Analysis date:
2021-11-25 14:48:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6137d907-2bac-42cc-9f86-372194044f17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Reading critical registry keys
Creating a window
Sending a custom TCP request
DNS request
Launching a process
Creating a process with a hidden window
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/619f9f19f36138de3f3c8b74/reports/371af16a-575a-4e19-b851-f0eb65536f85/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DECAF Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d70bbf0-455b-4344-959a-63bc2fec8ca4
Result
Threat name:
Decaf
Create hunting rule
Detection:
malicious
Classification:
rans
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/896171
Signature
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected Decaf Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528651 Sample: qvyWhT8zmw Startdate: 25/11/2021 Architecture: WINDOWS Score: 64 16 Multi AV Scanner detection for submitted file 2->16 18 Found ransom note / readme 2->18 20 Yara detected Decaf Ransomware 2->20 7 qvyWhT8zmw.exe 120 2->7         started        process3 file4 14 C:\Users\user\Documents\README.txt, ASCII 7->14 dropped 10 cipher.exe 3 7->10         started        process5 process6 12 conhost.exe 10->12         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850/
Threat name:
Win64.Ransomware.Encoder
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 02:53:00 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3a7e260aec294903b08eb34f2b9a985bd38bd66a409bbb7e58bd8f4e5c3a7806
DECAF
47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
DECAF
8b10986bf59cc6c50698fd9a3de7522cc0767da1655f4c5c51601187eebbdac8
DECAF
98272cada9caf84c31d70fdc3705e95ef73cb4a5c507e2cf3caee1893a7a6f63
DECAF
Result
Malware family:
darkside
Create hunting rule
Score:
  10/10
Tags:
family:darkside ransomware upx
Link:
https://tria.ge/reports/211125-rx1t7aagg8/
Behaviour
Suspicious use of WriteProcessMemory
Modifies extensions of user files
DarkSide
Unpacked files
SH256 hash:
a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850
MD5 hash:
f2cb24bfbd11a22c235f2f492b95c28d
SHA1 hash:
e7acd40a42130efc72b3ec0920381f86d9dfd8e2
Link:
https://www.unpac.me/results/1d2d2155-d7e7-434e-a09d-4f8602d88a1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a471fdf6b137a6035b2a2746703cd696089940698fd533860d34e71cc6586850

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_KB_ID_Ransomware_DECAF
Create hunting rule
Author:ditekShen
Description:Detects files referencing identities associated with DECAF ransomware
Rule name:RAN_Decaf_Nov_2021_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect Decaf ransomware (unpacked UPX)
Reference:https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance
  
X
https://twitter.com/0xhido/status/1453740168234483720
  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/209386/

Comments