MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hive
Vendor detections: 12

SHA256 hash: aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153
SHA3-384 hash: f50a1df24ec24a20b13aa82d6911ae3f6b573bdab76f1cfe0cd51bec6bed5e12fd7059b2fb6e0f8afa784001ba0b42d2
SHA1 hash: 00e5e0e05a18bd01498f247145ae591a654e07f4
MD5 hash: 0c18bc83e838deec24af20d139b411d7
humanhash: bulldog-carbon-september-edward
File name: aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153
Signature: Hive
File size: 1'881'600 bytes
First seen: 2022-04-14 15:03:19 UTC
Last seen: 2022-04-20 10:22:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c7269d59926fa4252270f407e4dab043 (46 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep: 49152:1bwLVCMQpguIBQAkqI8D1PqrNnjeaXNo:1QVCMdJt4r
Threatray: 12 similar samples on MalwareBazaar
TLSH: T1B3955B41FC9790F2D503553108ABA2BF6730A9055B36CA8FDB80AF6AFD376E20D36615
gimphash: baafe353a3732b9a749536c3cece53c3fd4cba82a49886e0c8842058e45b6df2
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: Arkbird_SOLG
Tags: exe Hive Ransomware

Intelligence

File Origin
# of uploads: 2
# of downloads: 533
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: sample.exe
Verdict: Malicious activity
Analysis date: 2022-04-13 06:49:38 UTC
Tags: ransomware stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Creating a file in the %temp% directory
- Creating a process from a recently created file
- Sending a custom TCP request
- Launching a service
- Creating a file
- Changing a file
- Moving a file to the %AppData% subdirectory
- Creating a file in the %AppData% subdirectories
- Launching a process
- Creating a window
- Moving a file to the %temp% directory
- Deleting volume shadow copies
- Creating a file in the mass storage device
- Forced shutdown of a browser
- Encrypting user's files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug control.exe filecoder greyware

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans.spyw.evad
Score: 100 / 100
Signature:
- Antivirus detection for URL or domain
- Deletes shadow drive data (may be related to ransomware)
- Found Tor onion address
- May encrypt documents and pictures (Ransomware)
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Sigma detected: Copying Sensitive Files with Credential Data
- Sigma detected: Maze Ransomware
- Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
- Tries to harvest and steal browser information (history, passwords, etc)
- Writes many files with high entropy
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-04-13 21:25:00 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 16 of 26 (61.54%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:hive ransomware spyware stealer
Behaviour:
- Interacts with shadow copies
- Opens file in notepad (likely ransom note)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Enumerates connected drives
- Loads dropped DLL
- Reads user/profile data of web browsers
- Executes dropped EXE
- Modifies extensions of user files
- Deletes shadow copies
Detects Rust x86 variant of Hive Ransomware
Hive

Unpacked files
SHA256 hash: aa78798172e873d88f42bf8bb5853aecfb74a3bf8980540f6be66f800bf1f153
MD5 hash: 0c18bc83e838deec24af20d139b411d7
SHA1 hash: 00e5e0e05a18bd01498f247145ae591a654e07f4

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: methodology_golang_build_strings
Author: smiller
Description: Looks for PEs with a Golang build ID

File information


The table below shows additional information about this malware sample such as delivery method and external references.