MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BianLian


Vendor detections: 19


Intelligence 19 IOCs YARA 52 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
SHA3-384 hash: 69c8fe350e621d4c177125bd94e5dae40d8520430c251ed20413920bf1fc591c03d249693a7ee58010de6f64088e3173
SHA1 hash: d4789b83e411732bb36b67deab7bcf80a1656bbe
MD5 hash: b77e3902bd93e320e01d8df1d3a858fb
humanhash: harry-nebraska-fourteen-nineteen
File name:af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
Download: download sample
Signature BianLian
Create hunting rule
File size:8'335'127 bytes
First seen:2025-06-24 07:10:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aa466c044f0d2d2f6270070fe1bddf7b (3 x Azov, 2 x BianLian, 1 x Mirai)
ssdeep 98304:aRqeZPPm0Rgmt7M17Lu1zdfj7zyg5oo5AZx8U8qPoZ:aMygJ9edfbhSo5Kp8qPQ
TLSH T17E869C03F99280B9C06EC13486669267B631BC590B2267D73BC4FB792E76BD05F39361
TrID 29.5% (.EXE) InstallShield setup (43053/19/16)
18.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
18.2% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
11.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.2% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
Reporter TheRavenFile
Tags:BianLian exe mirai Ransomware


Avatar
RakeshKrish12
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/BianLian%20Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
528
Origin country :
IN IN
Vendor Threat Intelligence
Malware family:
wiper
Create hunting rule
ID:
1
File name:
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6.exe
Verdict:
Malicious activity
Analysis date:
2025-05-09 12:38:18 UTC
Tags:
azov ransomware wiper upx wannacry chaos golang crypto-regex rust
Link:
https://app.any.run/tasks/300f6857-4404-4e87-ae13-6954faa3c3b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10860/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685a4fa632ed47a3a8d6aded
Tags:
ransomware shellcode vmdetect dropper
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a window
Changing a file
Modifying an executable file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifies multiple files
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Infecting executable files
Encrypting user's files
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
Malware family:
7ev3n
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33a40b5e-a6b9-4256-90bf-9658156dac0f
Result
Threat name:
Annabelle, Azov, Babuk, BianLian, BlackC, BlackCat, Cha
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1721663
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to disable the Task Manager (.Net Source)
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Drops executable to a common third party application directory
Found ransom note / readme
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
May drop file containing decryption instructions (likely related to ransomware)
Multi AV Scanner detection for submitted file
Writes a notice file (html or txt) to demand a ransom
Yara detected Annabelle Ransomware
Yara detected Azov Ransomware
Yara detected Babuk Ransomware
Yara detected BianLian Ransomware
Yara detected BlackCat Ransomware
Yara detected Chaos Ransomware
Yara detected Covid19 Ransomware
Yara detected Cryptolocker ransomware
Yara detected EveRed Ransomware
Yara detected Gocoder ransomware
Yara detected GoGoogle ransomware
Yara detected Kfuald Ransomware
Yara detected Maui Ransomware
Yara detected NOKOYAWA Ransomware
Yara detected NominatusCrypto Ransomware
Yara detected Python Ransomware
Yara detected SevenCrypt ransomware
Yara detected TrojanRansom
Yara detected Wannacry ransomware
Behaviour
Behavior Graph:
Download SVG
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
Verdict:
Lumma Stealer
YARA:
10 match(es)
Tags:
Executable Html Lumma Stealer PE (Portable Executable) Stealer Win 64 Exe x64
Link:
https://app.malva.re/file/b77e3902bd93e320e01d8df1d3a858fb
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6/
Threat name:
Win64.Ransomware.Azov
Create hunting rule
Status:
Malicious
First seen:
2024-04-09 17:36:29 UTC
File Type:
PE+ (Exe)
Extracted files:
29
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v44urerjnw36lcmq7m2bynkneuzeg3uv4z3cq725ap35vpdcs6ta._file
Result
Malware family:
pandastealer
Create hunting rule
Score:
  10/10
Tags:
family:azov family:blackcat family:chaos family:mafiaware666 family:maui family:pandastealer credential_access discovery persistence ransomware spyware stealer wiper
Link:
https://tria.ge/reports/250624-hzrvmayzby/
Behaviour
Suspicious use of WriteProcessMemory
Browser Information Discovery
Drops file in Program Files directory
Adds Run key to start application
Enumerates connected drives
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Renames multiple (12329) files with added filename extension
Azov
Azov family
Verdict:
Malicious
Tags:
ransomware wannacryptor nokoyawa_ransomware chaos cryptomix blackcat maui_ransomware Win.Ransomware.BlackCat-9974801-0
YARA:
Wanna_Cry_Ransomware_Generic MauiRansomware Multi_Ransomware_BlackCat_c4b043e6 Multi_Ransomware_BlackCat_e066d802 Nokoyawa_ransomware RAN_Maui_Jul_2022_1 RAN_Nokoyawa_Dec_2022_1 MS17_010_WanaCry_worm WannaDecryptor wannacry_static_ransom worm_ms17_010 ransomware_windows_wannacry ransomware_ZZ_azov_wiper Windows_Ransomware_Maui_266dea64 BlackCat WannaCry_Ransomware MALWARE_Win_Chaos cryptomix_payload ELF_RANSOMWARE_BLACKCAT
Link:
https://app.threat.zone/submission/3555a614-c657-469b-bec2-7636d5a467f5
Unpacked files
SH256 hash:
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
MD5 hash:
b77e3902bd93e320e01d8df1d3a858fb
SHA1 hash:
d4789b83e411732bb36b67deab7bcf80a1656bbe
Detections:
win_agent_tesla_g1
Create hunting rule
ChaosRansomware
Create hunting rule
NominatusStormPEOverwriter
Create hunting rule
WannaCry
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
SH256 hash:
73fe8f1851654e60d42877231c633843269883b02d8ac62d9f62b8e220a49713
MD5 hash:
a18e8fc23d3ce325911674d7e9cac2cb
SHA1 hash:
2954212d87dc8f3220266315ac33885d7444cf27
Detections:
win_maui_auto
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
Parent samples :
a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
SH256 hash:
45b93dc9cc01909bc2277c0c98022af81ea88aeb0957e8e7fa9bd194bcb172e4
MD5 hash:
c54977e64b5f8156a9ddad0e2c34d798
SHA1 hash:
a618620a2795af9dc27a0283910b0c79bf1714bc
Detections:
ChaosRansomware
Create hunting rule
Destructive_Ransomware_Gen1
Create hunting rule
INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
MALWARE_Win_Chaos
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
Parent samples :
a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
SH256 hash:
bd5f8cce89b4a424c35d5cb56863cddb29d83ab7e0ab6801fa7101746415b948
MD5 hash:
49880d00f6c09ded6261620866041a1c
SHA1 hash:
3ac76611143e36cf859de4adf2ee8eef06a79063
Detections:
NominatusStormPEOverwriter
Create hunting rule
Destructive_Ransomware_Gen1
Create hunting rule
INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
Parent samples :
a9a99d47805f43114f84ceb1c84c9148bcbeec751a94c14cb9c1f76987bd1c09
af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6
SH256 hash:
46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b
MD5 hash:
36171704cde087f839b10c2465d864e1
SHA1 hash:
e3baa1c3ee9aa1d5ae61187be2e20ea9cb57d538
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
SH256 hash:
e4c4582a9260b0c657624c301954a76d420ec506b2b2ce4f92979bba0d1b5238
MD5 hash:
0702d71f7f9785509086d0cbde1dc181
SHA1 hash:
e12b5a9bfc4d8557c722279fe5db5c91d7d1c459
Detections:
win_7ev3n_auto
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
SH256 hash:
47c00ac29bbaee921496ef957adaf5f8b031121ef0607937b003b6ab2a895a12
MD5 hash:
d8d221ab1075cf505c8ac0af8752e64e
SHA1 hash:
7f34ce992cd7c59042a982b0db847dda15e06ccc
Detections:
Nokoyawa_ransomware
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
SH256 hash:
47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90
MD5 hash:
325229663face78b4494f54eb2c77524
SHA1 hash:
00d64f749b359ec6d304cbd918118755762ddaa5
Detections:
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
SH256 hash:
aa997a3ac09b0939c05fccb95fb9cb2a20abfbc0174fe0be743fa8caa38bbb66
MD5 hash:
1fba9caa0523cea18396a3bb02c891c3
SHA1 hash:
34cb8d64328d78ec2309db407eb89862206f982c
Detections:
win_nitol_auto
Create hunting rule
ZxShell_Related_Malware_CN_Group_Jul17_2
Create hunting rule
CN_disclosed_20180208_Mal1
Create hunting rule
MAL_Nitol_Malware_Jan19_1
Create hunting rule
GoogleBot_UserAgent
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/d1628959-9917-458c-b098-d03abf6ea72a/
Malware family:
BianLian
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af394892296d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af394892296db7e58990fb341c354d2532436e95e676287f5d03f7dabc6297a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:ELF_RANSOMWARE_BLACKCAT
Create hunting rule
Author:Jesper Mikkelsen
Description:Detect Linux version of BlackCat Ransomware
Reference:https://www.virustotal.com/gui/file/056d28621dca8990caf159f8e14069a2343b48146473d2ac586ca9a51dfbbba7
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:Detects command variations typically used by ransomware
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_Chaos
Create hunting rule
Author:ditekSHen
Description:Detects Chaos ransomware
Rule name:MauiRansomware
Create hunting rule
Author:Silas Cutler (Silas@Stairwell.com)
Description:Detection for Maui Ransomware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:Multi_Ransomware_BlackCat_c4b043e6
Create hunting rule
Author:Elastic Security
Rule name:Multi_Ransomware_BlackCat_e066d802
Create hunting rule
Author:Elastic Security
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Nokoyawa_ransomware
Create hunting rule
Author:@malgamy12
Description:Detect_Nokoyawa_ransomware
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RAN_Maui_Jul_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect Maui ransomware
Rule name:RAN_Nokoyawa_Dec_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect the rust variant of Nokoyawa ransomware (x64)
Reference:https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WannaCry_Ransomware
Create hunting rule
Author:Florian Roth (Nextron Systems) (with the help of binar.ly)
Description:Detects WannaCry Ransomware
Reference:https://goo.gl/HG2j5T
Rule name:Windows_Ransomware_Maui_266dea64
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/10860/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments