MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlueSky


Vendor detections: 12



SHA256 hash: b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
SHA3-384 hash: 0606129ae62201e4fa3b3365de9f59e73d77c910397847f58c1acaa73f50fdafb5c217bb27977b18fdbad28dd62a1780
SHA1 hash: 59e756e0da6a82a0f9046a3538d507c75eb95252
MD5 hash: 0bbb9b0d573a9c6027ca7e0b1f5478bf
humanhash: tango-diet-aspen-fish
File name: b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec.bin
Signature BlueSky
File size: 72'704 bytes
First seen: 2022-08-12 00:41:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep 1536:G+5geBR2Q+a8M124Zl2i5SADBDg8trv4t9MBY5yMv:GDeBgQ+a8M12Y2i59hrvWMBIv
Threatray 6 similar samples on MalwareBazaar
TLSH T1FA63D64AB749EA30F59794B996FC2A17688E8938835F85C3EBD0C05A7651CC6B834F13
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter Arkbird_SOLG
Tags: BlueSky exe Ransomware

Intelligence


File Origin
# of uploads :
1
# of downloads :
412
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec.bin
Verdict:
Malicious activity
Analysis date:
2022-08-12 00:43:36 UTC
Tags:
ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a file
Changing a file
Moving a recently created file
Searching for synchronization primitives
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlueSky Ransomware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to hide a thread from the debugger
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
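The last few sandbox signatures (self deletion via cmd or bat file, ping.exe used to sleep) describe a pattern that is easy to hunt for in process-creation telemetry, because it leaves a cmd.exe child whose command line names the parent binary as a `del` target. The detector below is an added example, not code from MalwareBazaar or from any vendor on this page. The Sysmon-style events it scans are constructed, and the command-line shape it looks for (`cmd /c ping <loopback> -n N ... & del <own path>`) is the common ransomware idiom, assumed here because the page does not show BlueSky's actual command line.

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry from this sample).
SAMPLE_EVENTS = [
    {   # ransomware parent spawns cmd that waits via ping and then deletes the parent
        "ParentImage": r"C:\Users\victim\Desktop\b5b10575.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\Users\victim\Desktop\b5b10575.exe"',
    },
    {   # the ping itself, as its own process-creation event
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\PING.EXE",
        "CommandLine": r"ping 127.0.0.1 -n 5",
    },
    {   # benign-looking connectivity check: not loopback, no deletion
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c ping -n 4 10.0.0.7",
    },
    {   # self-delete without the ping trick (timeout used as the delay)
        "ParentImage": r"C:\Users\victim\Desktop\dropper.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c timeout /t 3 & del C:\Users\victim\Desktop\dropper.exe",
    },
]

LOOPBACK = r"(?:127\.0\.0\.1|localhost|::1)"
# "ping <loopback> -n N" in either argument order. The two lookaheads only require
# both tokens somewhere after "ping", so a chained "a & b" line is still matched.
PING_SLEEP_RE = re.compile(
    rf"\bping(?:\.exe)?\b(?=.*(?<!\S){LOOPBACK}(?!\S))(?=.*-n\s+(\d+)\b)",
    re.IGNORECASE,
)
# "del [/switches] <target>"; target may be quoted.
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+("[^"]+"|\S+)', re.IGNORECASE)


def triage(events):
    """Return one finding per suspicious event with the rule names that fired."""
    findings = []
    for idx, ev in enumerate(events):
        cmd = ev.get("CommandLine", "")
        hits = []

        m = PING_SLEEP_RE.search(cmd)
        if m and int(m.group(1)) > 1:          # -n 1 is a real reachability check, not a sleep
            hits.append("ping_sleep")

        parent = ev.get("ParentImage", "").casefold()
        for dm in DEL_RE.finditer(cmd):
            target = dm.group(1).strip('"').casefold()
            if target and target == parent:  # the child is deleting the binary that spawned it
                hits.append("self_delete")
                break

        if hits:
            if len(hits) == 2:
                severity = "high"
            elif "self_delete" in hits:
                severity = "medium"
            else:
                severity = "low"             # loopback ping alone is common in admin scripts
            findings.append({"event": idx, "hits": hits, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The self-delete check deliberately keys on the parent image rather than on `del` alone: installers and updaters delete files constantly, but a child deleting its own parent's executable after a delay is the signature the sandbox flagged above.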
Behaviour
Threat name:
Win32.Ransomware.Conti
Status:
Malicious
First seen:
2022-06-30 12:16:43 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Deletes itself
Modifies extensions of user files
Unpacked files
SHA256 hash: a0600faa00442fa1829b6126afa4d2704127485f6e4b09e0d6edc4f301ccdab6
MD5 hash: 0d6eb56650e4938cc8942ff9b92deb54
SHA1 hash: 6852bec5d9436368e0a323156ba7e3b3fd3270ea

SHA256 hash: c5fffca50d6d26851dd2f5acb3079083cf8b5abd2ec54d101575f8f729489b68
MD5 hash: eddba0f2560119842318bff82db185df
SHA1 hash: 95b7190e78fb32fcc865fcbc771350995d833d54

SHA256 hash: 9a5ab5a1568264240e02656b4026047d13d0a4d79d35d5af2ddd6798d6201ac8
MD5 hash: 907ae7d9497f1a8034c294e4bc9f5a78
SHA1 hash: 4b208b34aa66faf2da3389fcca01f7206c6a6a18

SHA256 hash: 8ee5e86f16afdc6e95ba656b1bbe00e7b6f07f290e7f58ef86eb1e11330eaf26
MD5 hash: aab487c9478a938a8550f83d94b257ee
SHA1 hash: fc9a0551d841ac933b7e2446df2aa8fc7f00fba1

SHA256 hash: 3f10933e78d63f072f64ccca3745dce884bc6365e351dcd24171963cfc8b3aad
MD5 hash: 92ffa6265b0cf868561d21d986227282
SHA1 hash: a922a9dee38ba371edb3d983c026ffba92341ef4

SHA256 hash: f708e01ab9161b8fd348c3d0698af1cf6a77803fef9cd1826434c83474ef1824
MD5 hash: 5899bb4b194b51a63b0cf4ba32441ce1
SHA1 hash: 28d426b76ecb7e79dfb47b3d54d5c972dc7adfca

SHA256 hash: aa55b0170c8dcab46f8d811ac296d5d9b24ac1f91454627a44af433584ca7682
MD5 hash: 87b179f6d80ba2aba4fceb2a422e0f84
SHA1 hash: 27b9e2e0fb9ec1742f12609139c9168f100ba8cd

SHA256 hash: 0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash: 13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash: e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd

SHA256 hash: 00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash: bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash: cdf7dd7dd1771edcc473037af80afd7e449e30d9

SHA256 hash: b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec
MD5 hash: 0bbb9b0d573a9c6027ca7e0b1f5478bf
SHA1 hash: 59e756e0da6a82a0f9046a3538d507c75eb95252
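The unpacked-file list above is the part of this entry most directly usable as IOCs: ten SHA256/MD5/SHA1 triples that an EDR alert or a disk image can be joined against, whichever of the three algorithms the alert happens to carry. The script below is an added example, not MalwareBazaar's own tooling. The hash triples are copied from this page; the `FAKE_PE` blob and the hypothetical function names are constructed for the example, and the PE check goes one step past the page's `application/x-dosexec` MIME label by confirming the `PE\0\0` signature at `e_lfanew`, not just the `MZ` prefix.

```python
import hashlib

# (SHA256, MD5, SHA1) triples copied from the "Unpacked files" list on this page.
UNPACKED_FILES = [
    ("a0600faa00442fa1829b6126afa4d2704127485f6e4b09e0d6edc4f301ccdab6",
     "0d6eb56650e4938cc8942ff9b92deb54", "6852bec5d9436368e0a323156ba7e3b3fd3270ea"),
    ("c5fffca50d6d26851dd2f5acb3079083cf8b5abd2ec54d101575f8f729489b68",
     "eddba0f2560119842318bff82db185df", "95b7190e78fb32fcc865fcbc771350995d833d54"),
    ("9a5ab5a1568264240e02656b4026047d13d0a4d79d35d5af2ddd6798d6201ac8",
     "907ae7d9497f1a8034c294e4bc9f5a78", "4b208b34aa66faf2da3389fcca01f7206c6a6a18"),
    ("8ee5e86f16afdc6e95ba656b1bbe00e7b6f07f290e7f58ef86eb1e11330eaf26",
     "aab487c9478a938a8550f83d94b257ee", "fc9a0551d841ac933b7e2446df2aa8fc7f00fba1"),
    ("3f10933e78d63f072f64ccca3745dce884bc6365e351dcd24171963cfc8b3aad",
     "92ffa6265b0cf868561d21d986227282", "a922a9dee38ba371edb3d983c026ffba92341ef4"),
    ("f708e01ab9161b8fd348c3d0698af1cf6a77803fef9cd1826434c83474ef1824",
     "5899bb4b194b51a63b0cf4ba32441ce1", "28d426b76ecb7e79dfb47b3d54d5c972dc7adfca"),
    ("aa55b0170c8dcab46f8d811ac296d5d9b24ac1f91454627a44af433584ca7682",
     "87b179f6d80ba2aba4fceb2a422e0f84", "27b9e2e0fb9ec1742f12609139c9168f100ba8cd"),
    ("0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4",
     "13d3997b43c3d5cbafb0ff10b6f0dee1", "e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd"),
    ("00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb",
     "bd1f243ee2140f2f6118a7754ea02a63", "cdf7dd7dd1771edcc473037af80afd7e449e30d9"),
    ("b5b105751a2bf965a6b78eeff100fe4c75282ad6f37f98b9adcd15d8c64283ec",
     "0bbb9b0d573a9c6027ca7e0b1f5478bf", "59e756e0da6a82a0f9046a3538d507c75eb95252"),
]

HEX = set("0123456789abcdef")


def validate_iocs(entries=UNPACKED_FILES):
    """Catch transcription errors before the list is loaded anywhere: 64/32/40 hex chars."""
    for sha256, md5, sha1 in entries:
        for h, n in ((sha256, 64), (md5, 32), (sha1, 40)):
            if len(h) != n or not set(h.lower()) <= HEX:
                return False
    return True


def build_index(entries=UNPACKED_FILES):
    """Map every hash (any algorithm, lowercased) to the SHA256 that identifies the file."""
    index = {}
    for sha256, md5, sha1 in entries:
        for h in (sha256, md5, sha1):
            index[h.lower()] = sha256
    return index


def lookup(hash_value, index=None):
    """Join a single hash from an alert against the IOC set; returns the file's SHA256 or None."""
    if index is None:
        index = build_index()
    return index.get(hash_value.strip().lower())


def hashes_of(data):
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def looks_like_pe(data):
    """Stricter than the MIME label: require MZ, then 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_bytes(data, index=None):
    """Hash a blob, report IOC matches per algorithm and whether the blob is PE-shaped."""
    if index is None:
        index = build_index()
    digests = hashes_of(data)
    matched = {algo: index[h] for algo, h in digests.items() if h in index}
    return {"is_pe": looks_like_pe(data), "matched": matched, **digests}


# Constructed, not a real sample: MZ header, e_lfanew = 0x40, "PE\0\0" at offset 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 8

if __name__ == "__main__":
    print(lookup("0BBB9B0D573A9C6027CA7E0B1F5478BF"))
    print(scan_bytes(FAKE_PE))
```

Keying the index on all three algorithms matters in practice: many alerting products only emit MD5 or SHA1, and an IOC list that is SHA256-only silently misses them.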
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Only results from TLP:CLEAR rules are displayed.

Rule name:Conti
Author:kevoreilly
Description:Conti Ransomware
Rule name:meth_stackstrings
Author:Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.
