MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VoidCrypt


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
SHA3-384 hash: 410c4de5688585aa60b11a02c7a2d154a75175e0a130f329759df35a813bef32e40424ad1d6511d49674af912976b7e5
SHA1 hash: 90049acd442225de16124a89835eed61f4202a8b
MD5 hash: 62ae12ef05bb6ad38cf30d8c35efd416
humanhash: south-spaghetti-seventeen-gee
File name:a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461.exe
Download: download sample
Signature VoidCrypt
Create hunting rule
File size:1'017'856 bytes
First seen:2020-09-11 05:45:31 UTC
Last seen:2020-09-11 06:43:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e0163f18068f24424ba312e38f61f2e (2 x VoidCrypt)
ssdeep 24576:WV5cfb0e1sXbNM6JMwgbXzGq3Cx3YJLfhv/wKvl:WVtPbO6qXGhpgLfh3wKv
Threatray 1 similar samples on MalwareBazaar
TLSH 05257C203643E477D9A146B14E2CEFAF106EBD150B755ADBB3C82F2E59701C21A33A5B
Reporter snowdarkz
Tags:Ransomware VoidCrypt

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Deepscan
Create hunting rule
Link:
https://www.capesandbox.com/analysis/58584/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.32312.9362.9938.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Sending a UDP request
Launching the process to change network settings
Launching a service
Launching the process to change the firewall settings
Creating a file
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Changing a file
Modifying an executable file
Creating a file in the Program Files subdirectories
Creating a file in the Program Files directory
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Enabling autorun for a service
Creating a file in the mass storage device
Encrypting user's files
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/463847
Signature
Antivirus / Scanner detection for submitted sample
Detected suspicious e-Mail address in disassembly
Disables security and backup related services
Multi AV Scanner detection for submitted file
Sigma detected: WannaCry Ransomware
Uses bcdedit to modify the Windows boot settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 284323 Sample: rUE5Zv5n73.exe Startdate: 11/09/2020 Architecture: WINDOWS Score: 76 47 Sigma detected: WannaCry Ransomware 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 2 other signatures 2->53 8 rUE5Zv5n73.exe 1 2->8         started        process3 signatures4 55 Uses bcdedit to modify the Windows boot settings 8->55 57 Disables security and backup related services 8->57 59 Detected suspicious e-Mail address in disassembly 8->59 11 cmd.exe 1 8->11         started        13 cmd.exe 1 8->13         started        15 cmd.exe 1 8->15         started        17 6 other processes 8->17 process5 process6 19 net.exe 1 11->19         started        21 conhost.exe 11->21         started        23 net.exe 1 13->23         started        25 conhost.exe 13->25         started        27 net.exe 1 15->27         started        29 conhost.exe 15->29         started        31 net.exe 1 17->31         started        33 net.exe 1 17->33         started        35 5 other processes 17->35 process7 37 net1.exe 1 19->37         started        39 net1.exe 1 23->39         started        41 net1.exe 1 27->41         started        43 net1.exe 1 31->43         started        45 net1.exe 1 33->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461/
Threat name:
Win32.Ransomware.Ouroboros
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 17:44:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
581122114ad28f404b2cc4f8df5d77b6ed447f8f26f862960bb0181776bfacd9
VoidCrypt
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/200911-3wb7tfrw2j/
Behaviour
NTFS ADS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NTFS ADS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in Program Files directory
Drops file in System32 directory
Modifies service
Drops desktop.ini file(s)
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Drops file in Drivers directory
Modifies Windows Firewall
Modifies extensions of user files
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_void_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://hybrid-analysis.com/sample/a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
Cape
Cape
https://www.capesandbox.com/analysis/58584/

Comments


Avatar
อ๊งๆ commented on 2020-09-11 06:30:57 UTC

https://app.any.run/tasks/b42c6a2c-bd33-4f56-b79a-8703e9f423d2