MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Locky

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c
SHA3-384 hash:	13400311f72207171971184a3696bb718cf1845c7680228bb3f712c7e2240efc709ce8ec9733e00a134aeee7da706407
SHA1 hash:	850eeffd94d700a58c313f23a60c01ff8ec46da1
MD5 hash:	c209817538e86f5ea49fa6bd180dbf01
humanhash:	eight-jupiter-twenty-colorado
File name:	SecuriteInfo.com.Trojan.Encoder.3976.32157.17259
Download:	download sample
Signature	Locky Create hunting rule
File size:	259'072 bytes
First seen:	2024-10-23 15:55:58 UTC
Last seen:	2024-10-23 16:48:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	44c13d1912c2d0b6529bfa86eec4ee8c (1 x Locky)
ssdeep	6144:JiOdsHt79nK1SXXncX1Q8EdpTu3dDPeSruOk9FS:J9sH1dKSXXMWrSCTY
Threatray	6 similar samples on MalwareBazaar
TLSH	T12E44E00074E486B0E1F75A728A64D9A1463FEE320B119EDBB75916BE0F750C09F36D63
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe Locky Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

918

Origin country :

Vendor Threat Intelligence

Malware family:

locky

ID:

File name:

SecuriteInfo.com.Trojan.Encoder.3976.32157.17259

Verdict:

Malicious activity

Analysis date:

2024-10-23 15:57:30 UTC

Tags:

locky ransomware

Link:

https://app.any.run/tasks/8a928c5f-9e34-47d6-9dd3-fad259d85034

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Encoder.3976.32157.17259.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67191d9271be60a5fd48dfa7

Tags:

Locky

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Connection attempt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

locky microsoft_visual_cc packed packed packer_detected ransomware

Link:

https://www.filescan.io/uploads/67191c95d875ce8b57d7760f/reports/a2d3308b-9703-42cd-a577-52363c7e3f5a/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Locky

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9c19c870-9fe1-4c56-bfdd-18cda7b078a0

Result

Threat name:

Locky

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1540386

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Contains functionality to encrypt and move a file in one function

Contains functionality to inject code into remote processes

Contains functionalty to change the wallpaper

Deletes shadow drive data (may be related to ransomware)

Detected Locky Ransomware

Detected unpacking (changes PE section rights)

Found stalling execution ending in API Sleep call

Found string related to ransomware

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May drop file containing decryption instructions (likely related to ransomware)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Suricata IDS alerts for network traffic

Yara detected Locky ransomware

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c/

Threat name:

Win32.Trojan.Symmi

Status:

Malicious

First seen:

2016-06-29 15:27:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 38 (89.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v7wcwkxtvtrmi6byf6jwn5wlzg4vphzmtjbhgfipym5cztkzfbga._file

Verdict:

malicious

Label(s):

locky

Locky

afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c

Locky

e1de0531f3954d365af908d2789d453fb12480199fd9bd06a58651f90d926afe

Locky

e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d

Locky

error

Locky

f2c9ae3735430b930a81148c0bb470fcb733e456a2a942f859a1b59c4a7b2150

Locky

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/241023-tdb3tsyclh/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Malicious

Tags:

locky

YARA:

n/a

Link:

https://app.threat.zone/submission/a4b8524f-731b-4cf2-95e4-f23763a14916

Unpacked files

SH256 hash:

7e1c37d69a054f7138283e6fb92ec3a366d7056bd4c6ec0fa960fe900833bf56

MD5 hash:

639538684ecdf773f0aa910c70a59af0

SHA1 hash:

8ef919a544aa5ae8405405a2123d1077fd97cfde

Detections:

win_locky_g1

win_locky_auto

win_locky_g0

Link:

https://www.unpac.me/results/9481640b-a4ac-44e7-8c3c-7460f34370a2/

SH256 hash:

0f0958651053d782422f18e1a52081dc24f97886f2c14ba4ec691d7b736c2c20

MD5 hash:

4cf8b4622b824f186fb8ac101b7d00b8

SHA1 hash:

f318b9e9e01a01263b4697c5bc653184820ad871

Link:

https://www.unpac.me/results/9481640b-a4ac-44e7-8c3c-7460f34370a2/

SH256 hash:

afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c

MD5 hash:

c209817538e86f5ea49fa6bd180dbf01

SHA1 hash:

850eeffd94d700a58c313f23a60c01ff8ec46da1

Detections:

win_coldseal_auto

Link:

https://www.unpac.me/results/9481640b-a4ac-44e7-8c3c-7460f34370a2/

Parent samples :

afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c
c34af1f1f238747d6839ce6857138e97d722443c4e2a794c072c236228ceaa07

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	win_coldseal_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.coldseal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample