MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c34af1f1f238747d6839ce6857138e97d722443c4e2a794c072c236228ceaa07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

WannaCry

Vendor detections: 19

SHA256 hash: c34af1f1f238747d6839ce6857138e97d722443c4e2a794c072c236228ceaa07
SHA3-384 hash: 637d9bb64d2794370bd860158f4c63f2c515caf93f1f84075d10d4aa5132e766bbf4e2f1f338e376ee54d6e3c979799c
SHA1 hash: 22b77310e703ab819ac1ffd2335a93e8116b3319
MD5 hash: e1c3b51e85583197055cc32270a110e1
humanhash: florida-oxygen-tennis-carolina
File name: Install.exe
Signature: WannaCry
File size: 4'526'592 bytes
First seen: 2026-03-17 18:55:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'843 x AgentTesla, 19'775 x Formbook, 12'297 x SnakeKeylogger)
ssdeep: 98304:zK70czp1bzpQ3cVmKdezCrH/0suAAjnswHtRt1tJSHo0:mNbzp2cjOCWAIswHtRt1tJB
Threatray: 1 similar samples on MalwareBazaar
TLSH: T14C26337C86B8C56DC9270EFBC7F996BFC6017939D146E207A85BAE9636170940843F8C
TrID: 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
      4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: burger
Tags: exe Ransomware WannaCry

Intelligence


File Origin
# of uploads: 1
# of downloads: 207
Origin country: NL
Vendor Threat Intelligence
No detections
Malware family: wannacry
ID: 1
File name: Install.exe
Verdict: Malicious activity
Analysis date: 2026-03-17 18:53:49 UTC
Tags: babel yano susp-powershell wannacry ransomware stealer auto cryptolocker arch-exec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: autorun xtreme shell sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a file
Creating synchronization primitives
Enabling the 'hidden' option for recently created files
Running batch commands
BSOD occurred
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Low-level writing
Rewriting of the hard drive's master boot record
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: azorult babel obfuscator base64 coinminer confuser dotfuscator obfuscated packed packed yano
Verdict: Malicious
File Type: exe x32
Detections: Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen
Result
Threat name:
Detection: malicious
Classification: rans.adwa.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary or sample is protected by dotNetProtector
Bypasses PowerShell execution policy
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to infect the boot sector
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found Tor onion address
Infects the boot sector of the hard disk
Infects the VBR (Volume Boot Record) of the hard disk
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs an instant shutdown (NtRaiseHardError)
Potential Privilege Escalation using Task Scheduler highest RunLevel
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes directly to the primary disk partition (DR0)
Yara detected Petya ransomware
Behaviour
Behavior Graph:
Behavior Graph ID: 1885122; Sample: Install.exe; Startdate: 17/03/2026; Architecture: WINDOWS; Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 13 other signatures
Process tree recovered from the graph (dropped files and per-process signatures listed under each process):
Install.exe
  dropped: C:\Windows\rar.exe (PE32); C:\Windows\exploer.exe (PE32); C:\Users\user\AppData\...\Install.exe.log (CSV)
  signatures: Encrypted powershell cmdline option found; Drops executables to the windows directory (C:\Windows) and starts them
  rar.exe
    dropped: C:\Users\user\AppData\Roaming\...\System.exe (PE32); C:\Users\user\AppData\Local\...\rar.exe.log (CSV)
    signatures: Antivirus detection for dropped file; Creates multiple autostart registry keys; Bypasses PowerShell execution policy; 4 other signatures
    System.exe
      dropped: \Device\Harddisk0\DR0 (data)
      signatures: Found Tor onion address; Writes directly to the primary disk partition (DR0); Infects the VBR (Volume Boot Record) of the hard disk; 2 other signatures
    powershell.exe
      conhost.exe
    schtasks.exe
      conhost.exe
  exploer.exe
    dropped: C:\Users\user\AppData\Roaming\...\?.bat (Unicode)
    signatures: Drops script or batch files to the startup folder; Creates autostart registry keys with suspicious names; Adds a directory exclusion to Windows Defender
    powershell.exe
      signatures: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
    powershell.exe
      conhost.exe
    cmd.exe
      conhost.exe
      fsutil.exe
      takeown.exe
  powershell.exe
    signatures: Loading BitLocker PowerShell Module
    conhost.exe
System.exe
Verdict: inconclusive
YARA: 14 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.41 Win 32 Exe x86
Threat name: ByteCode-MSIL.Backdoor.AsyncRAT
Status: Malicious
First seen: 2026-03-17 18:55:25 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Result
Malware family: wannacry
Score: 10/10
Tags: family:killmbr family:wannacry defense_evasion discovery evasion execution exploit persistence ransomware trojan wiper worm
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Adds Run key to start application
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Obfuscated Files or Information: Command Obfuscation
System Binary Proxy Execution: Verclsid
Checks computer location settings
Drops startup file
Executes dropped EXE
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Modifies boot configuration data using bcdedit
Killmbr family
Wannacry
Wannacry family
Detects KillMBR
KillMBR
Unpacked files

SHA256 hash: c34af1f1f238747d6839ce6857138e97d722443c4e2a794c072c236228ceaa07
MD5 hash: e1c3b51e85583197055cc32270a110e1
SHA1 hash: 22b77310e703ab819ac1ffd2335a93e8116b3319

SHA256 hash: c888e0f95a61404966d2b63591f23b231291747560fc28cd0614a5b52a7a595a
MD5 hash: f591ede79d1c48192b3e314f5eda1d05
SHA1 hash: 75d9fee4f9dd18debd50a90a841d22bb571105e7

SHA256 hash: ed0acd291141f02ea26cd16a4a5c2e4bb8cb99cbecf4df0ae9181d1b8a60284e
MD5 hash: 42a63e0aa7e449f5a9ba7f167542c01d
SHA1 hash: eeb1df1ce494a2e2ca6a75c74347deae0fdb1238

SHA256 hash: 9df28b4b00d68ac5497c53175c9f1f69aca33779f05285c4584e93dd1fdeb9cf
MD5 hash: 5272288aaacec7653098bb44d82a4bb2
SHA1 hash: cfb115b5bfccce6c863d446816e8914da9d14a82

SHA256 hash: afec2b2af3ace2c478382f9366f6cbc9b9579f2c9a4273150fc33a2ccd59284c
MD5 hash: c209817538e86f5ea49fa6bd180dbf01
SHA1 hash: 850eeffd94d700a58c313f23a60c01ff8ec46da1
Detections: win_coldseal_auto

SHA256 hash: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
MD5 hash: 84c82835a5d21bbcf75a61706d8ab549
SHA1 hash: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
Detections: WannaCry Win32_Ransomware_WannaCry ransomware_windows_wannacry WannaCry_Ransomware

SHA256 hash: 3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42
MD5 hash: a7bcf7ea8e9f3f36ebfb85b823e39d91
SHA1 hash: 761168201520c199dba68add3a607922d8d4a86e

SHA256 hash: 030ad092ccb0330041c378885fdd0d867184d68142bc485324b1438ed8389332
MD5 hash: 0574dc12e096f34ecd914d1c81d71427
SHA1 hash: 1037f25798365200d222d16b6b74f9bbf6603806

SHA256 hash: 2857269196f820d1cefe17e55a9c9f6cb29fb799550fa57650bc2e8ce0e7d27e
MD5 hash: 06f35aa793d54a8c30233d5e74f55c33
SHA1 hash: 55ed367a8e8116a81b404bcf839381e30bd56af6

SHA256 hash: 0b0db30f2727dc44b6f6380c9cf2e333346c1b2593e4a943b7017fbe485a87fd
MD5 hash: 0352d047b8133768d2ce02979a309b06
SHA1 hash: 3866acc3e70b9ae35e32eadba947a045afa16638
Detections: INDICATOR_EXE_Packed_dotNetProtector INDICATOR_EXE_Packed_Dotfuscator INDICATOR_EXE_Packed_Babel

SHA256 hash: bfe9cc4b78e7bec101747dbf36a94a91cff5793628a5671dfce078ec32237615
MD5 hash: 5879531604b45e469c0e7ba6d3f51549
SHA1 hash: 52fd76b225f75e52ffdecdd13fbff14949491399
Detections: INDICATOR_EXE_Packed_dotNetProtector INDICATOR_EXE_Packed_Dotfuscator INDICATOR_EXE_Packed_Babel

SHA256 hash: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
MD5 hash: af2379cc4d607a45ac44d62135fb7015
SHA1 hash: 39b6d40906c7f7f080e6befa93324dddadcbd9fa
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: INDICATOR_EXE_Packed_Babel
Author: ditekSHen
Description: Detects executables packed with Babel

Rule name: INDICATOR_EXE_Packed_Dotfuscator
Author: ditekSHen
Description: Detects executables packed with Dotfuscator

Rule name: INDICATOR_EXE_Packed_dotNetProtector
Author: ditekSHen
Description: Detects executables packed with dotNetProtector

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.