MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Snatch


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02
SHA3-384 hash: 832abf8cfcdc162d2bdc26dc1459e3753a21d32d4f6b478366bb6f6768476847d3864d2a9adeccb8a6686f3e56060daa
SHA1 hash: 74c615ca54aaff3c5e6734efef04259290c357ba
MD5 hash: cfd31737ccacf6e9a0e2ac18cf3445ac
humanhash: august-eighteen-network-glucose
File name:bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02
Download: download sample
Signature Snatch
Create hunting rule
File size:4'813'824 bytes
First seen:2022-10-12 09:57:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1cd364a9e949d5ecebd6c614e64bc545 (16 x Glupteba, 10 x Snatch, 6 x CobaltStrike)
ssdeep 98304:OOTXCHbq9evuviwF+Mc42HfPt5Sqg9pkJ9:3LCHbqwvuvi40HN5Tgi9
Threatray 2'783 similar samples on MalwareBazaar
TLSH T128268D12FCA615FAC6FDF03085A597227672786903327B835F954ABA2A16FD07E3D304
gimphash 8c7b6abc2df09a42b4b56bfa8ed80144a8c74354066e3c4d3a083e9d39bcd49e
TrID 48.6% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter petikvx
Tags:Snatch

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rrrr.exe
Verdict:
No threats detected
Analysis date:
2022-10-12 02:02:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb85a8f1-42fa-4ecf-bb6f-460494e0186c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319300/
Detection(s):
PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Win.Ransomware.Generic-9806352-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Launching a process
Searching for the window
Creating a file in the Program Files subdirectories
Changing a file
Moving a file to the Program Files subdirectory
Modifying an executable file
Sending a custom TCP request
Creating a file in the Program Files directory
Creating a file in the mass storage device
Encrypting user's files
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42641/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang greyware packed
Link:
https://www.filescan.io/uploads/63468fad316b332dfca8e070/reports/79f9fd37-d092-4bfc-b767-4d0d1f9c277c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snatch Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f8544c6-32b4-4922-821f-546a81533468
Result
Threat name:
Babuk, Gocoder, Snatch Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089418
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Gocoder ransomware
Yara detected RansomwareGeneric
Yara detected Snatch Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722015 Sample: IbCl84xUMi.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 7 other signatures 2->37 7 IbCl84xUMi.exe 124 2->7         started        process3 file4 23 C:\Users\user\...\vdjmpkpbjfhundhmcl.bat, DOS 7->23 dropped 25 C:\...\HOW TO RESTORE YOUR FILES.TXT, ASCII 7->25 dropped 27 C:\Program Files\...\resources.pak.tkoinprz, data 7->27 dropped 29 26 other malicious files 7->29 dropped 39 Writes many files with high entropy 7->39 11 cmd.exe 1 7->11         started        13 cmd.exe 1 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started        17 sc.exe 1 11->17         started        19 findstr.exe 1 11->19         started        21 conhost.exe 13->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02/
Threat name:
Win64.Ransomware.GoRansom
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 05:00:53 UTC
File Type:
PE+ (Exe)
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5pu263o6h63sa3hpzhn4bh3jgks4cgo46mcfonvgzblwxi6n4ba._file
Verdict:
malicious
Similar samples:
1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593
Snatch
2339489be44f93b61688ee3b65d0bd2fede5f6dd494588a6268602d2f006bd16
Snatch
40a2ace8bb6e3d7d50bb346344789c2fafd25490fdaa982134aaacce6f971995
Snatch
602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9
Snatch
690be9e806f882774ab1347302bd92236a16499f160f37e59992c220466493c0
Snatch
8a99a4c58ef5e27d112f0efb4719abe01bcddb5e516114711ee4991f7922ab5f
Snatch
bd5ebf9632ad17e9a39393ab94ef055307ec053486fe703e2a614de391bc4a65
Snatch
d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00
Snatch
e50d52fbac295a37f0ed0b724d4ddafca8c86bcd2391b4c481d51d5e279afd20
Snatch
fefb3c7053a1332b03a4c0523862e8e387a5065b263cf10cb0d7f33f02afc646
Snatch
+ 2'773 additional samples on MalwareBazaar
Result
Malware family:
snatch
Create hunting rule
Score:
  10/10
Tags:
family:snatch ransomware spyware stealer
Link:
https://tria.ge/reports/221012-lzhhqsdcaq/
Behaviour
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops startup file
Reads user/profile data of web browsers
Modifies extensions of user files
Deletes shadow copies
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/80099931-f3f1-4e2c-962c-9d850dbb8445
Unpacked files
SH256 hash:
bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02
MD5 hash:
cfd31737ccacf6e9a0e2ac18cf3445ac
SHA1 hash:
74c615ca54aaff3c5e6734efef04259290c357ba
Link:
https://www.unpac.me/results/228f77c0-b15f-4047-a4fd-3b2cf68e0440/
Malware family:
GoRansom
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf5f4d7b6ef1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/bf5f4d7b6ef1fdb903677e4ede04fb49952e08cee79822b9b53642bb5d1e6f02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MALWARE_Win_Snatch
Create hunting rule
Author:ditekSHen
Description:Detects Snatch / GoRansome / MauriGo ransomware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319300/

Comments