MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WannaCry


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
SHA3-384 hash: 42ab73e3e0b0878e0bb4cc20fd3d42ae7dc4525d79fc5a7897a07f55b93661e88352486f2b6aef91285be241cf84be71
SHA1 hash: ebc7f59387f5b121795b3c3bc37bc77c566baf7b
MD5 hash: 775930a062cfe16caf9a56513d142262
humanhash: maryland-leopard-sweet-maine
File name:775930a062cfe16caf9a56513d142262
Download: download sample
Signature WannaCry
Create hunting rule
File size:5'267'459 bytes
First seen:2025-01-15 14:38:26 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2e5708ae5fed0403e8117c645fb23e5b (1'108 x WannaCry, 7 x Worm.Virut, 2 x Expiro)
ssdeep 49152:RnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHE:1nPoBhz1aRxcSUDk36SAEdhk
TLSH T1A8361266AA18C6B6C11A1731C4F74FF2B6B27CA8D3E616075FA07D2A3D337516E60B01
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter mentality
Tags:dll exe WannaCry

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Agent-6574389-0
Create hunting rule

Win.Ransomware.Wanna-9769986-0
Create hunting rule

Win.Ransomware.Wanacryptor-9942127-1
Create hunting rule

Win.Ransomware.Wannacry-9982112-0
Create hunting rule

Win.Ransomware.WannaCry-10011460-0
Create hunting rule

Win.Ransomware.WannaCry-6313787-0
Create hunting rule

Win.Malware.Djwy-6775897-0
Create hunting rule

Win.Ransomware.Wanna-6888027-0
Create hunting rule

Win.Ransomware.Wanna-6888334-0
Create hunting rule

Win.Malware.Djwy-6923377-0
Create hunting rule

Win.Exploit.Doublepulsar-7427328-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6787c888aa9c8e7858dee41b
Tags:
ransomware shellcode eqtonex madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd crypto lolbin microsoft_visual_cc overlay packed packed ransomware smb wannacry wannacrypt
Link:
https://www.filescan.io/uploads/6787c88acbb98c55961e0c02/reports/1fe666b8-beaa-43ca-8fde-5582b04a770e/overview
Verdict:
Malicious
Labled as:
CVE-2017-0147
Link:
https://www.hybrid-analysis.com/sample/c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce3749f5-336c-45ca-9b85-8e0128cb944b
Result
Threat name:
Wannacry
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1591899
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1591899 Sample: mLm1d1GV4R.dll Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 37 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 2->37 39 ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 2->39 41 77026.bodis.com 2->41 51 Suricata IDS alerts for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 8 other signatures 2->57 8 loaddll32.exe 1 2->8         started        10 mssecsvr.exe 12 2->10         started        signatures3 process4 dnsIp5 14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        19 cmd.exe 1 8->19         started        21 conhost.exe 8->21         started        43 192.168.2.102 unknown unknown 10->43 45 192.168.2.103 unknown unknown 10->45 47 98 other IPs or domains 10->47 65 Connects to many different private IPs via SMB (likely to spread or exploit) 10->65 67 Connects to many different private IPs (likely to spread or exploit) 10->67 signatures6 process7 signatures8 23 mssecsvr.exe 13 14->23         started        49 Drops executables to the windows directory (C:\Windows) and starts them 16->49 27 mssecsvr.exe 13 16->27         started        29 rundll32.exe 1 19->29         started        process9 file10 31 C:\Windows\tasksche.exe, PE32 23->31 dropped 59 Antivirus detection for dropped file 23->59 61 Multi AV Scanner detection for dropped file 23->61 63 Machine Learning detection for dropped file 23->63 33 C:\WINDOWS\qeriuwjhrf (copy), PE32 27->33 dropped 35 C:\Windows\mssecsvr.exe, PE32 29->35 dropped signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2018-02-21 01:50:11 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxxk7nrnlmh44usockwvvfhx4iqwg3obx7egelenpyhgdpajkd4a._file
Result
Malware family:
wannacry
Create hunting rule
Score:
  10/10
Tags:
family:wannacry discovery ransomware worm
Link:
https://tria.ge/reports/250115-rz96msvqf1/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Creates a large amount of network flows
Executes dropped EXE
Contacts a large (3313) amount of remote hosts
Wannacry
Wannacry family
Unpacked files
SH256 hash:
0148dbfdc337ff5e2336d30ff70a7773654d4ee35abae07cb1fbf8e535bc1880
MD5 hash:
c7d08f76b56c9c49cecd83e3ab46c0de
SHA1 hash:
5e96b2a29fc1e813529d8bbd87f744afbca2134e
Detections:
WannaCry
Create hunting rule
ransomware_windows_wannacry
Create hunting rule
WannaCry_Ransomware
Create hunting rule
Link:
https://www.unpac.me/results/8dd0d476-ba1e-47a8-9fab-46e63829e448/
Parent samples :
62c9a15ea404a7c537028bcabcb5753c0e6c535981c38eef417e6db0611f3eb7
8d0c9d2e438f33dd7806ed8017baa1f114b6157f9f0eb1fb5d3b59351609120c
c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
1fc5e4c8809b39d79324848bceac749000ea572d050c81275ae3053a83ba7d12
40916f54c402abf22b13fa86ffc65a9a88ebc005ab10421fcdd39d9750e75b8d
2bfb9742d15e8c2d1e01defd46d2f09e1d758e68e49a7c1c5dc1a4557b311c7d
SH256 hash:
a4898683bf1b7149e3b99e8af5152b8b1c4858107c9d099f0ac3e5a5b1922c1f
MD5 hash:
9339650cd6dd99e39e06df349899f762
SHA1 hash:
282e8ffc0bb8e4d10c784c4080f78d3a7d16e3f7
Detections:
WannaCry
Create hunting rule
ransomware_windows_wannacry
Create hunting rule
WannaCry_Ransomware
Create hunting rule
WannaCry_Ransomware_Gen
Create hunting rule
Link:
https://www.unpac.me/results/8dd0d476-ba1e-47a8-9fab-46e63829e448/
SH256 hash:
c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
MD5 hash:
775930a062cfe16caf9a56513d142262
SHA1 hash:
ebc7f59387f5b121795b3c3bc37bc77c566baf7b
Detections:
WannaCry
Create hunting rule
Link:
https://www.unpac.me/results/8dd0d476-ba1e-47a8-9fab-46e63829e448/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:WannaCry_Ransomware
Create hunting rule
Author:Florian Roth (Nextron Systems) (with the help of binar.ly)
Description:Detects WannaCry Ransomware
Reference:https://goo.gl/HG2j5T

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA

Comments