MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb91ab5b5db4ac2b50ff6ee4309b304d9e41e00c1d162a0daa8071bed04dd2ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Teslarvng

Vendor detections: 11


SHA256 hash: bb91ab5b5db4ac2b50ff6ee4309b304d9e41e00c1d162a0daa8071bed04dd2ba
SHA3-384 hash: 4979f1268e2e0fa915de993b28939a50c082fdfbf954f0183c2870191fcf07e4f2c78a05f3a13bf2b07562bdc549f3ce
SHA1 hash: 972640f6dbba1ca70a36eeddabdb1fffadd3d4db
MD5 hash: c8dbe7b77d9cc662188f47f0948b0f6e
humanhash: purple-whiskey-carbon-bacon
File name: 3.41x64.exe
Signature: Teslarvng
File size: 1'131'520 bytes
First seen: 2022-01-01 09:09:36 UTC
Last seen: 2022-01-01 10:36:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6c166bc7ff66fae0c8f7f314b0fb1797 (1 x Teslarvng)
ssdeep: 24576:4TzFV0yb6/XgL4F8TlPUV/h0Tzpn1uo1Ic:4/FVrLPTY/Gzx1X
Threatray: 185 similar samples on MalwareBazaar
TLSH: T19E358E16AAD801B9F0B3D13886665E02E6767C160731DAEF17D1465A3F33BE09E3D722
Reporter: fbgwls245
Tags: exe Ransomware Teslarvng

Intelligence


File Origin
# of uploads: 2
# of downloads: 422
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3.41x64.exe
Verdict: No threats detected
Analysis date: 2022-01-01 09:13:18 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a service
Creating a file
Creating a file in the Windows directory
Running batch commands
Creating synchronization primitives
Launching a service
Creating a window
Searching for the window
Searching for synchronization primitives
Sending a custom TCP request
Changing a file
Modifying an executable file
Enabling autorun for a service
Deleting volume shadow copies
Sending a TCP request to an infection source
Creating a file in the mass storage device
Encrypting user's files
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive filecoder fingerprint greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Tesla Revenge Ransomware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: rans.expl.evad
Score: 92 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Deletes shadow drive data (may be related to ransomware)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Eventlog Clear or Configuration Using Wevtutil
Writes many files with high entropy
Behaviour
Behavior Graph: [graph image not reproduced in text; Behavior Graph ID 546907, sample 3.41x64.exe, start date 01/01/2022, architecture WINDOWS, score 92]
Threat name: Win64.Ransomware.Teslarvng
Status: Malicious
First seen: 2022-01-01 09:10:12 UTC
File Type: PE+ (Exe)
Extracted files: 3
AV detection: 18 of 28 (64.29%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Reads user/profile data of web browsers
Creates new service(s)
Stops running service(s)
Clears Windows event logs
Deletes shadow copies
Unpacked files
SHA256 hash: bb91ab5b5db4ac2b50ff6ee4309b304d9e41e00c1d162a0daa8071bed04dd2ba
MD5 hash: c8dbe7b77d9cc662188f47f0948b0f6e
SHA1 hash: 972640f6dbba1ca70a36eeddabdb1fffadd3d4db
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: detects command variations typically used by ransomware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments