MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mallox


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb
SHA3-384 hash: 398f6d4c326e495890a432b35b57c20171817457678d932077cf62a26d9b57b6084a7c55a48093b4067c4115e31ceb28
SHA1 hash: c275084d65f845b4d957c05b874fade071193468
MD5 hash: 22367699e131a9d98f842a1003fd193a
humanhash: vermont-july-cardinal-video
File name:InternalCrossContextDelega.exe
Download: download sample
Signature Mallox
Create hunting rule
File size:439'808 bytes
First seen:2022-01-14 06:01:39 UTC
Last seen:2022-01-14 07:39:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:aMA8K777777777777oPAIBeqRJ620hP9EWyuJsP9ZUN:aEK777777777777o3BeqRJiUjuJ
Threatray 1'762 similar samples on MalwareBazaar
TLSH T18694BE99790172DFC857CD3299A46C20AA606CBB170BD243A44B36DE997D6D7CF022F3
File icon (PE):PE icon
dhash icon f0f0cce8cce8e8d4 (1 x Mallox)
Reporter fbgwls245
Tags:exe Mallox Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
513
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
InternalCrossContextDelega.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 06:02:26 UTC
Tags:
trojan ransomware
Link:
https://app.any.run/tasks/74791efe-d4f9-451f-a443-a8999ccc2a06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219226/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.12281.10498.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Unauthorized injection to a recently created process
Creating a file
Creating a process with a hidden window
Launching a process
Moving a file to the Program Files subdirectory
Deleting volume shadow copies
Creating a file in the mass storage device
Launching the process to interact with network services
Preventing system recovery
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit nanocore obfuscated packed
Link:
https://www.filescan.io/uploads/61e111ddf2e8ec86fefb7368/reports/33ae8fa6-8189-4595-988f-8167c3054e7d/overview
Malware family:
TargetCompany Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2908a8f9-7bc1-4f48-8b1e-03c9161f7e82
Result
Threat name:
Targeted Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920560
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables security and backup related services
Found ransom note / readme
Injects a PE file into a foreign processes
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Opens network shares
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to open files direct via NTFS file id
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Targeted Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553038 Sample: InternalCrossContextDelega.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 91 Antivirus detection for URL or domain 2->91 93 Antivirus / Scanner detection for submitted sample 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 8 other signatures 2->97 9 InternalCrossContextDelega.exe 15 5 2->9         started        process3 dnsIp4 75 91.243.44.32, 49745, 80 SHOCK-1US Russian Federation 9->75 63 C:\Users\user\AppData\Local\Temp\F.bat, ASCII 9->63 dropped 65 C:\...\InternalCrossContextDelega.exe.log, ASCII 9->65 dropped 99 Detected unpacking (changes PE section rights) 9->99 101 Detected unpacking (overwrites its own PE header) 9->101 103 May disable shadow drive data (uses vssadmin) 9->103 105 4 other signatures 9->105 14 InternalCrossContextDelega.exe 103 9->14         started        19 cmd.exe 1 9->19         started        file5 signatures6 process7 dnsIp8 77 192.168.2.1, 135, 274, 49755 unknown unknown 14->77 79 192.168.2.2 unknown unknown 14->79 67 C:\Users\user\Desktop\...\PWCCAWLGRE.docx, data 14->67 dropped 69 C:\Users\user\Desktop\...\PIVFAGEAAV.pdf, data 14->69 dropped 71 C:\Users\user\Desktop\BNAGMGSPLO.jpg, data 14->71 dropped 73 43 other files (39 malicious) 14->73 dropped 81 May disable shadow drive data (uses vssadmin) 14->81 83 Creates files in the recycle bin to hide itself 14->83 85 Deletes shadow drive data (may be related to ransomware) 14->85 89 4 other signatures 14->89 21 vssadmin.exe 14->21         started        23 cmd.exe 14->23         started        25 cmd.exe 14->25         started        87 Disables security and backup related services 19->87 27 cmd.exe 1 19->27         started        29 cmd.exe 1 19->29         started        31 cmd.exe 1 19->31         started        33 8 other processes 19->33 file9 signatures10 process11 process12 35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 net.exe 1 27->39         started        41 net.exe 27->41         started        45 2 other processes 27->45 47 6 other processes 29->47 49 6 other processes 31->49 43 net.exe 33->43         started        51 15 other processes 33->51 process13 53 net1.exe 1 39->53         started        55 net1.exe 41->55         started        57 net1.exe 43->57         started        59 net1.exe 45->59         started        61 net1.exe 51->61         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb/
Threat name:
ByteCode-MSIL.Trojan.Stosek
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 02:41:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4ay75fkvlv5ubtblwsuvn6t3t7an762kajfj24wksvcofjgfg5q._file
Verdict:
malicious
Similar samples:
080e155065338954032cfbd27b1aa26668e65e44193c30cb86a88ba0bb229815
Mallox
243bf6298e6d09d6b1defc371150fa5e0b34942eb6f2d616c187fa3fd7f44fbb
Mallox
5bd07db2eed6c7e67e3f3947b5336c6ba986cfbd03bd406c13eda1999a64fc70
Mallox
5c3579c7b2c142c402b4956cb0ce490a3933a3b1ea4d5f937037b117fbc1497d
Mallox
800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64
Mallox
9e2502b3945f31482623e8e61dcb85b9ebb7d9a4244d9074fa289596c9da513e
Mallox
aced60ae902ad2acddb74c078406a2f9d669609f6571505754d4b78e3b439305
Mallox
e9eaf870b7dc67f068a0e00b8bf7cc5b95bb6f071bbd7d95034268b40ec61649
Mallox
f0711e7499ee1ad5e52c7e11db0b6881eab2445f5f50e5fc90efba03a9bf299b
Mallox
+ 1'752 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion ransomware
Link:
https://tria.ge/reports/220114-grf8gsefc9/
Behaviour
Discovers systems in the same network
Interacts with shadow copies
Kills process with taskkill
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Enumerates connected drives
Modifies extensions of user files
Modifies service settings
Stops running service(s)
Deletes shadow copies
Modifies boot configuration data using bcdedit
Unpacked files
SH256 hash:
98a0fe90ef04c3a7503f2b700415a50e62395853bd1bab9e75fbe75999c0769e
MD5 hash:
c731cbf04c68430f31ff0ab1b0b1f054
SHA1 hash:
f3c14e25584475f01f417e3ec45474aa8de4400d
Link:
https://www.unpac.me/results/c221a6e4-ffbe-4a4e-bfd2-d8e67be2a9af/
SH256 hash:
ae54ca5c5f330220986366c2a85a75a3260698660e8681d7049e252380666b92
MD5 hash:
00af6b56440b6f9eb5b8a3143f516067
SHA1 hash:
c70442ef1fe58c11429d30cffd2d464ba6d73d40
Link:
https://www.unpac.me/results/c221a6e4-ffbe-4a4e-bfd2-d8e67be2a9af/
SH256 hash:
095e2de6c666228aba73921a95bc0376216785df6e4d5aff0926335ee76bf5e0
MD5 hash:
ca1f1920d6601051b3132564791b99d3
SHA1 hash:
c000edeb530cc67a1513f6e92333c15c4031495b
Link:
https://www.unpac.me/results/c221a6e4-ffbe-4a4e-bfd2-d8e67be2a9af/
SH256 hash:
a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb
MD5 hash:
22367699e131a9d98f842a1003fd193a
SHA1 hash:
c275084d65f845b4d957c05b874fade071193468
Link:
https://www.unpac.me/results/c221a6e4-ffbe-4a4e-bfd2-d8e67be2a9af/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a7018ff4aaaa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/a7018ff4aaaaebda06615da54ab7d3dcfe06ffda501254eb9654aa27152629bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/Boanbird/status/1481777739170746371
Cape
Cape
https://www.capesandbox.com/analysis/219226/

Comments