MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bee8ffd8698ff75f8c46b2fad4fba84fecf4baa1b6669128a181055605bbe922. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bee8ffd8698ff75f8c46b2fad4fba84fecf4baa1b6669128a181055605bbe922
SHA3-384 hash: 9dbfd8e63f60c1f8cf5accbf75f70b886b68935bfb3519307e727def2e183b45036fbcad98043dd9ad3bf341a902e312
SHA1 hash: 8ba1e614712f1d36e68a9e7a1c5ed2defb974e50
MD5 hash: 3d5dd0377d67ac5b82f4fb976757f8bb
humanhash: enemy-florida-jig-apart
File name:Stub.exe
Download: download sample
File size:482'816 bytes
First seen:2024-05-17 10:16:34 UTC
Last seen:2024-05-17 11:24:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f9cf62eea9f5fd35903bee8e9ad7e6a
ssdeep 12288:Ct8YAesm47kueWUW79lsRqnbTeXZJIj3LvMb4WafphI8tTDOI2u:IsBY49tbGZOqqjIOqI2
TLSH T1AAA4235DEA3F62B7DE89E1F82232712D7E1754ADE2E75463CE49052809781FE6384C23
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter likeastar20
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
RO RO
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.11239.32279.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
Changing a file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Modifying an executable file
Moving a file to the Program Files directory
Moving a file to the Program Files subdirectory
Moving a recently created file
Replacing files
Modifies multiple files
Searching for synchronization primitives
Launching a service
Launching a process
Replacing executable files
Reading critical registry keys
Creating a file in the mass storage device
Deleting volume shadow copies
Preventing system recovery
Enabling autorun by creating a file
Encrypting user's files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint lolbin packed packed packed shell32 upx
Link:
https://www.filescan.io/uploads/66472ea6d7fb0506c93b10ab/reports/e6b5f3d4-917f-42c3-a676-85644e5f13e9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/bee8ffd8698ff75f8c46b2fad4fba84fecf4baa1b6669128a181055605bbe922
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69ed9130-9fdd-49ad-b924-45f655856457
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.phis.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1443223
Signature
Deletes shadow drive data (may be related to ransomware)
Disable Windows Defender real time protection (registry)
Disables Windows system restore
Drops PE files to the startup folder
Found potential ransomware demand text
Found ransom note / readme
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected Python Ransomware
Yara detected RansomwareGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1443223 Sample: Stub.exe Startdate: 17/05/2024 Architecture: WINDOWS Score: 100 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Found ransom note / readme 2->67 69 5 other signatures 2->69 7 Stub.exe 10 1002 2->7         started        11 notepad.exe 2->11         started        13 BD55EAC887957C72.exe 2->13         started        15 OpenWith.exe 2->15         started        process3 file4 47 C:\program files\...\4W2JfzlOg3.OPIX (copy), DOS 7->47 dropped 49 C:\...\8ExmcWDGdt.OPIX (copy), DOS 7->49 dropped 51 C:\...\kUcOFlXZ9K.OPIX (copy), COM 7->51 dropped 53 133 other files (128 malicious) 7->53 dropped 71 Found potential ransomware demand text 7->71 73 Deletes shadow drive data (may be related to ransomware) 7->73 75 Overwrites Mozilla Firefox settings 7->75 77 7 other signatures 7->77 17 cmd.exe 1 7->17         started        20 cmd.exe 1 7->20         started        22 cmd.exe 1 7->22         started        26 3 other processes 7->26 24 BD55EAC887957C72.exe 13->24         started        signatures5 process6 signatures7 55 May disable shadow drive data (uses vssadmin) 17->55 57 Deletes shadow drive data (may be related to ransomware) 17->57 59 Uses bcdedit to modify the Windows boot settings 17->59 28 vssadmin.exe 1 17->28         started        31 conhost.exe 17->31         started        33 bcdedit.exe 8 1 20->33         started        35 conhost.exe 20->35         started        37 bcdedit.exe 9 1 22->37         started        39 conhost.exe 22->39         started        61 Found potential ransomware demand text 26->61 41 conhost.exe 26->41         started        43 WMIC.exe 26->43         started        45 conhost.exe 26->45         started        process8 signatures9 79 Deletes shadow drive data (may be related to ransomware) 28->79
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bee8ffd8698ff75f8c46b2fad4fba84fecf4baa1b6669128a181055605bbe922
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bee8ffd8698ff75f8c46b2fad4fba84fecf4baa1b6669128a181055605bbe922/
Threat name:
Win64.Ransomware.Akira
Create hunting rule
Status:
Malicious
First seen:
2024-05-17 10:17:05 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3up7wdjr73v7dcgwl5nj65ij7wpjovbwztjckfbqecvmbn35era._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion evasion execution impact ransomware trojan upx
Link:
https://tria.ge/reports/240517-mbcs1sdf72/
Behaviour
Interacts with shadow copies
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Deletes itself
Drops startup file
UPX packed file
Disables use of System Restore points
Deletes shadow copies
Modifies boot configuration data using bcdedit
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
2e343f71bc6e378ca85932ffc75c4e64466ada12e6551901abf2c40c92eff803
MD5 hash:
ba20b0c3de532ac2087cb7190c5a60a8
SHA1 hash:
ea6e77958f81372369ae249f6d82a0fbcd2b3db0
Link:
https://www.unpac.me/results/cb85ff1f-3b2e-4c19-8d7d-95d087249cbe/
SH256 hash:
bee8ffd8698ff75f8c46b2fad4fba84fecf4baa1b6669128a181055605bbe922
MD5 hash:
3d5dd0377d67ac5b82f4fb976757f8bb
SHA1 hash:
8ba1e614712f1d36e68a9e7a1c5ed2defb974e50
Link:
https://www.unpac.me/results/cb85ff1f-3b2e-4c19-8d7d-95d087249cbe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bee8ffd8698f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bee8ffd8698ff75f8c46b2fad4fba84fecf4baa1b6669128a181055605bbe922

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments