MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LockBit

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb
SHA3-384 hash:	6d30fe1f683fcc070457b87c749442380b73f5c37a109ab201013a351c32c89bbc053dfd4c68b2b345752ae139b11c69
SHA1 hash:	ee4ffd48637959a5fb999608e22eb4a0487d6dff
MD5 hash:	e01007b2ff8fcb64c2ce71d7c54d29be
humanhash:	equal-december-finch-hawaii
File name:	bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb
Download:	download sample
Signature	LockBit Create hunting rule
File size:	567'296 bytes
First seen:	2021-09-06 06:44:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b7ebe503aba8ff6fce4b2b89581116dd (4 x ArkeiStealer, 3 x Stop, 2 x RedLineStealer)
ssdeep	12288:2ft8j6SzcsMO4hWEfp+YwWEmlKg7CyduX2Btu:KC6SbMO4hNf02ldJ
Threatray	9 similar samples on MalwareBazaar
TLSH	T16EC412A136C0C473C9E5D6B20A6ACD98152FBD350A6581CAF9B43F1B1D712A48D3636F
dhash icon	4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter	JAMESWT_WT
Tags:	exe lockbit

Intelligence

File Origin

# of uploads :

# of downloads :

1'181

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb

Verdict:

Malicious activity

Analysis date:

2021-09-06 06:58:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/27f5bae0-6403-4335-bba7-d812001c0c6c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LockBit

Link:

https://www.capesandbox.com/analysis/185591/

Detection(s):

Win.Malware.Generic-9890416-0

Win.Malware.Generic-9890549-0

Win.Malware.Generic-9890550-0

Win.Packed.Generic-9890583-0

Win.Dropper.Fragtor-9890588-0

Win.Packed.Generic-9890589-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Adding an access-denied ACE

Creating a file in the Windows subdirectories

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Sending a UDP request

Creating a window

Changing a file

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Creating a file

Modifying an executable file

Replacing files

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Creating a file in the system32 subdirectories

Launching a service

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Creating a file in the mass storage device

Stealing user critical data

Deleting volume shadow copies

Preventing system recovery

Encrypting user's files

Malware family:

LockBit Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ef4bc91e-78e2-4670-8c8d-e1fca6ca46b5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb/

Threat name:

Win32.Trojan.DelShad

Status:

Malicious

First seen:

2021-09-06 06:45:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 42 (59.52%)

Threat level:

5/5

Verdict:

malicious

LockBit

4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd

LockBit

73406e0e7882addf0f810d3bc0e386fd5fd2dd441c895095f4125bb236ae7345

LockBit

acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c

LockBit

dd8fe3966ab4d2d6215c63b3ac7abf4673d9c19f2d9f35a6bf247922c642ec2d

LockBit

Result

Malware family:

lockbit

Score:

10/10

Tags:

family:lockbit evasion persistence ransomware

Link:

https://tria.ge/reports/210906-hh6mfsafa6/

Behaviour

Interacts with shadow copies

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Enumerates connected drives

Modifies extensions of user files

Deletes shadow copies

Modifies boot configuration data using bcdedit

Lockbit

Unpacked files

SH256 hash:

dcae12cc90f4ba4d06bf1c9375814c749b7aa9e6d85cea4d763de958d4d3ac9c

MD5 hash:

78f6a2adcf2482741ca675a86605fbe0

SHA1 hash:

1fe14decabe65ac58b50a9eff63b303a9770f72f

Link:

https://www.unpac.me/results/5938ec89-68c2-4606-9777-292c4d5eb294/

SH256 hash:

bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb

MD5 hash:

e01007b2ff8fcb64c2ce71d7c54d29be

SHA1 hash:

ee4ffd48637959a5fb999608e22eb4a0487d6dff

Link:

https://www.unpac.me/results/5938ec89-68c2-4606-9777-292c4d5eb294/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/bc7a8a1a103a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185591/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required