MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5e57e24a9d5cac8c01746cce2c81d95d6fc0178a3b133985473aad06ba986a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5e57e24a9d5cac8c01746cce2c81d95d6fc0178a3b133985473aad06ba986a9
SHA3-384 hash: 546c952d59da3eb4b076ce3975080b1d96fd615abf60a89a181d80e23d75c0271fb8341dd56067e3c867528a4257146a
SHA1 hash: 728d22ea946a9e69402386faec0d474d065e491d
MD5 hash: a3536543f63045dc8fafe180aa177a7e
humanhash: indigo-zulu-vegan-pizza
File name:WinLocker_UPDATEDharmfulVERSION.exe
Download: download sample
File size:786'820 bytes
First seen:2021-06-16 19:30:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9882eb4035dda06820977e0c5b3ceed0
ssdeep 24576:VWYlc//////QS8iIOfPOerAY29QdkU0nPEzTZ:1lc//////QSrIUPOMGYkpPMN
Threatray 42 similar samples on MalwareBazaar
TLSH BAF48E32F190C037C13376799C1B92D9642ABF212E38688B7BE52E5C5F396923D252D7
Reporter Anonymous
Tags:exe


Avatar
Anonymous
Retrieved from https://padlet-uploads.storage.googleapis.com/500279229/c50683f6d9873b6ef225b6b0d5196def/WinLocker_UPDATEDharmfulVERSION.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WinLocker_UPDATEDharmfulVERSION.exe
Verdict:
No threats detected
Analysis date:
2021-06-16 19:35:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b6f00075-3f1f-4c99-8f53-a5dbec9298d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Skillis-56
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Searching for the window
Launching the process to change the firewall settings
Launching a service
Launching a process
Enabling the 'hidden' option for recently created files
Creating a file in the Windows directory
Sending a UDP request
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1ea8002-3c3f-4975-9480-1df28a8b53e4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803321
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Disables the Windows task manager (taskmgr)
Drops batch files with force delete cmd (self deletion)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435732 Sample: WinLocker_UPDATEDharmfulVER... Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 38 Antivirus detection for dropped file 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 3 other signatures 2->44 7 WinLocker_UPDATEDharmfulVERSION.exe 6 2->7         started        11 cmd.exe 1 2->11         started        process3 file4 30 C:\...\WinLocker_UPDATEDharmfulVERSION.exe_, PE32 7->30 dropped 32 WinLocker_UPDATEDh...xe_:Zone.Identifier, ASCII 7->32 dropped 34 C:\Setup.bat, DOS 7->34 dropped 48 Drops batch files with force delete cmd (self deletion) 7->48 13 cmd.exe 3 5 7->13         started        50 Uses ipconfig to lookup or modify the Windows network settings 11->50 17 conhost.exe 11->17         started        19 ipconfig.exe 1 11->19         started        signatures5 process6 file7 36 C:\Windows\msgBox1.vbs, ASCII 13->36 dropped 52 Command shell drops VBS files 13->52 54 Uses cmd line tools excessively to alter registry or file data 13->54 56 Uses netsh to modify the Windows network and firewall settings 13->56 58 Modifies the windows firewall 13->58 21 reg.exe 1 1 13->21         started        24 netsh.exe 1 3 13->24         started        26 wscript.exe 13->26         started        28 5 other processes 13->28 signatures8 process9 signatures10 46 Disables the Windows task manager (taskmgr) 21->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5e57e24a9d5cac8c01746cce2c81d95d6fc0178a3b133985473aad06ba986a9/
Threat name:
Win32.Trojan.Doris
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 19:31:09 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
267adb8b92c06ae53186fc26b40caf4d9e1ae4893475b2d1d8f29b040c67d9b4
36cbc77a5caaf8f805bc7347ee4cd27657fca600ea5e202e633aca7a09d73297
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
ae3974aeea651951c5c5802cf7a556c7626529790db1fd34f29be31c29f58ce2
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7
d33c5c0efe677cbbe2c7ba65c9327f10d9fc6b8d43bf8130da0d6ae9db99c8f7
d81e62102d9b748aaabf4f06bf0c09a66dfaaac7836374016a5f076b6f7ed418
e3ac84aeb4c0a6606a5e385327f371c36335954f27ec4151d616fbb73d466e37
f05d76c071555f48ff240556f6d0d3d895493c3c411e182648d256f83ad657e5
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence spyware stealer
Link:
https://tria.ge/reports/210616-w3b7j4g3pe/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Modifies Windows Firewall
Unpacked files
SH256 hash:
a5e57e24a9d5cac8c01746cce2c81d95d6fc0178a3b133985473aad06ba986a9
MD5 hash:
a3536543f63045dc8fafe180aa177a7e
SHA1 hash:
728d22ea946a9e69402386faec0d474d065e491d
Link:
https://www.unpac.me/results/6fdf972f-e22e-4cd9-a168-1da3f68fda4e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5e57e24a9d5cac8c01746cce2c81d95d6fc0178a3b133985473aad06ba986a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a5e57e24a9d5cac8c01746cce2c81d95d6fc0178a3b133985473aad06ba986a9

(this sample)

  
Delivery method
Distributed via web download

Comments