MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BianLian

Vendor detections: 19

Intelligence 19 IOCs YARA 42 File information Comments

SHA256 hash:	a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
SHA3-384 hash:	cbc28eee86f6fa9d029157c5b1c2d5897c56d1679c156dc12c60b8eff82f2239c7f9ca53dea03a575bad033871be885e
SHA1 hash:	855974dab3bfe20f03e1d6317addc0c3711a15a5
MD5 hash:	1d9feae452cf392ca417d6f3617848bc
humanhash:	grey-utah-neptune-sixteen
File name:	a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
Download:	download sample
Signature	BianLian Create hunting rule
File size:	6'663'794 bytes
First seen:	2025-06-24 07:11:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	aa466c044f0d2d2f6270070fe1bddf7b (3 x Azov, 2 x BianLian, 1 x Mirai)
ssdeep	49152:6TTdRqeR4nTazFKbFr5sGZpsRO+Pwwtvvm0RgONt7FpYhzHQjx6jLuSh3i+Ftvkt:aRqeZPPm0Rgmt7M17Lu1zdfj7zyg5oY
TLSH	T10A668D43B99280B9C06ED13086669267B631BC590F2257D33BD0FB692F76BD05F393A1
TrID	56.8% (.EXE) InstallShield setup (43053/19/16) 13.8% (.EXE) Win64 Executable (generic) (10522/11/4) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	TheRavenFile
Tags:	BianLian exe mirai Ransomware

RakeshKrish12

Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/BianLian%20Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

545

Origin country :

Vendor Threat Intelligence

Malware family:

wiper

ID:

File name:

a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09.exe

Verdict:

Malicious activity

Analysis date:

2025-05-09 11:42:08 UTC

Tags:

azov ransomware wiper

Link:

https://app.any.run/tasks/d4c342a2-35db-417a-bde7-f67560ad5b49

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Chaos

Link:

https://www.capesandbox.com/analysis/10861/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685a4fabb06783b9ebd6cdc7

Tags:

ransomware shellcode vmdetect virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Modifying an executable file

Creating a file in the Program Files directory

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Modifies multiple files

Searching for the window

Сreating synchronization primitives

Creating a file

Creating a window

Changing a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Infecting executable files

Encrypting user's files

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09

Malware family:

Maui Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/73aae698-c8d2-43d2-98a8-a2047cc64514

Result

Threat name:

Azov, Babuk, BianLian, BlackCat, Chaos,

Detection:

malicious

Classification:

rans.spre.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1721667

Signature

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Drops a file containing file decryption instructions (likely related to ransomware)

Drops executable to a common third party application directory

Found ransom note / readme

Found Tor onion address

Infects executable files (exe, dll, sys, html)

Malicious sample detected (through community Yara rule)

May drop file containing decryption instructions (likely related to ransomware)

Multi AV Scanner detection for submitted file

Yara detected Azov Ransomware

Yara detected Babuk Ransomware

Yara detected BianLian Ransomware

Yara detected BlackCat Ransomware

Yara detected Chaos Ransomware

Yara detected Covid19 Ransomware

Yara detected Cryptolocker ransomware

Yara detected EveRed Ransomware

Yara detected Gocoder ransomware

Yara detected GoGoogle ransomware

Yara detected Maui Ransomware

Yara detected NominatusCrypto Ransomware

Yara detected Python Ransomware

Yara detected TrojanRansom

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09

Verdict:

Lumma Stealer

YARA:

10 match(es)

Tags:

Executable Html Lumma Stealer PE (Portable Executable) Stealer Win 64 Exe x64

Link:

https://app.malva.re/file/1d9feae452cf392ca417d6f3617848bc

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09/

Threat name:

Win64.Ransomware.Azov

Status:

Malicious

First seen:

2024-04-09 17:40:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vguz2r4al5brct4ez2y4qterjc6l53dvdkkmctfzyh3wtb55dqeq._file

Result

Malware family:

pandastealer

Score:

10/10

Tags:

family:azov family:blackcat family:chaos family:maui family:pandastealer credential_access discovery persistence ransomware spyware stealer wiper

Link:

https://tria.ge/reports/250624-hz6c1syjz5/

Behaviour

Suspicious use of WriteProcessMemory

Browser Information Discovery

Drops file in Program Files directory

Adds Run key to start application

Enumerates connected drives

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Renames multiple (11765) files with added filename extension

Azov

Azov family

Verdict:

Malicious

Tags:

ransomware blackcat maui_ransomware chaos Win.Ransomware.BlackCat-9974801-0

YARA:

MauiRansomware Multi_Ransomware_BlackCat_c4b043e6 Multi_Ransomware_BlackCat_e066d802 RAN_Maui_Jul_2022_1 ransomware_ZZ_azov_wiper Windows_Ransomware_Maui_266dea64 BlackCat MALWARE_Win_Chaos ELF_RANSOMWARE_BLACKCAT

Link:

https://app.threat.zone/submission/ea5c728e-f67c-4b34-a602-2b4e67268e3e

Unpacked files

SH256 hash:

a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09

MD5 hash:

1d9feae452cf392ca417d6f3617848bc

SHA1 hash:

855974dab3bfe20f03e1d6317addc0c3711a15a5

Detections:

elf_blackcat_auto

ChaosRansomware

NominatusStormPEOverwriter

Link:

https://www.unpac.me/results/d32cc4c4-4a70-4e7f-8f97-56e21d809756/

SH256 hash:

73fe8f1851654e60d42877231c633843269883b02d8ac62d9f62b8e220a49713

MD5 hash:

a18e8fc23d3ce325911674d7e9cac2cb

SHA1 hash:

2954212d87dc8f3220266315ac33885d7444cf27

Detections:

win_maui_auto

Link:

https://www.unpac.me/results/d32cc4c4-4a70-4e7f-8f97-56e21d809756/

Parent samples :

a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6

SH256 hash:

45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4

MD5 hash:

c54977e64b5f8156a9ddad0e2c34d798

SHA1 hash:

a618620a2795af9dc27a0283910b0c79bf1714bc

Detections:

ChaosRansomware

Destructive_Ransomware_Gen1

INDICATOR_SUSPICIOUS_GENRansomware

MALWARE_Win_Chaos

Link:

https://www.unpac.me/results/d32cc4c4-4a70-4e7f-8f97-56e21d809756/

Parent samples :

a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6

SH256 hash:

bd5f8cce89b4a424c35d5cb56863cddb29d83ab7e0ab6801fa7101746415b948

MD5 hash:

49880d00f6c09ded6261620866041a1c

SHA1 hash:

3ac76611143e36cf859de4adf2ee8eef06a79063

Detections:

NominatusStormPEOverwriter

Destructive_Ransomware_Gen1

INDICATOR_SUSPICIOUS_GENRansomware

Link:

https://www.unpac.me/results/d32cc4c4-4a70-4e7f-8f97-56e21d809756/

Parent samples :

a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6

Malware family:

BianLian

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a9a99d47805f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	elf_blackcat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects elf.blackcat.

Rule name:	ELF_RANSOMWARE_BLACKCAT Create hunting rule
Author:	Jesper Mikkelsen
Description:	Detect Linux version of BlackCat Ransomware
Reference:	https://www.virustotal.com/gui/file/056d28621dca8990caf159f8e14069a2343b48146473d2ac586ca9a51dfbbba7

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	Detects command variations typically used by ransomware

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MALWARE_Win_Chaos Create hunting rule
Author:	ditekSHen
Description:	Detects Chaos ransomware

Rule name:	MauiRansomware Create hunting rule
Author:	Silas Cutler (Silas@Stairwell.com)
Description:	Detection for Maui Ransomware

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Multi_Ransomware_BlackCat_c4b043e6 Create hunting rule
Author:	Elastic Security

Rule name:	Multi_Ransomware_BlackCat_e066d802 Create hunting rule
Author:	Elastic Security

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RAN_Maui_Jul_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect Maui ransomware

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Ransomware_Maui_266dea64 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/10861/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingA KERNEL32.dll::DeleteFileA KERNEL32.dll::GetFileAttributesA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegQueryValueA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample