MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c62a0ecbabea48ecccbe3cceba50d1145710468bbd8e27ba25479bb710644017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c62a0ecbabea48ecccbe3cceba50d1145710468bbd8e27ba25479bb710644017
SHA3-384 hash: 02a06e9e6161c6807a21ec54f0e619ccd00264a9775dcb1fb732a47120db63321d069a3c74a44ad72f3141bdf12e99f7
SHA1 hash: 017447e78bde08f954d3a94847d711cf9f40088c
MD5 hash: c42f048da3d027513204563e0a9d5e61
humanhash: social-pip-ceiling-july
File name:c42f048d_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:1'727'488 bytes
First seen:2021-05-05 10:07:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 070eb79661d4a99c78ef836605464295 (1 x VirLock)
ssdeep 24576:J/IkaldFc9hDmmigaQyhQaTg9AkpA7gD8iwozsj368h6:J/Zaa9hP7fjaTg9Ak27g1woQjK88
Threatray 239 similar samples on MalwareBazaar
TLSH 1D85E1AA207E3576E55E7FBE8A51ADBFE2CA76A6143310C217803D0F87413B4ECD9845
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150372/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6803820-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
DNS request
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Creating a file in the %temp% directory
Searching for the window
Sending a UDP request
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.spre
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711835
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates an undocumented autostart registry key
Delayed program exit found
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404841 Sample: c42f048d_by_Libranalysis.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 76 Antivirus detection for dropped file 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 2 other signatures 2->82 7 c42f048d_by_Libranalysis.exe 3 15 2->7         started        11 DCkcgYok.exe 21 2->11         started        13 HywMMIAE.exe 4 2->13         started        15 11 other processes 2->15 process3 dnsIp4 56 C:\Users\user\yigwYckg\qMYgcwEs.exe, PE32 7->56 dropped 58 C:\ProgramData\oyQkcUUc\DCkcgYok.exe, PE32 7->58 dropped 60 C:\ProgramData\AEwEgUAI\HywMMIAE.exe, PE32 7->60 dropped 62 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 7->62 dropped 98 Creates an undocumented autostart registry key 7->98 100 Uses cmd line tools excessively to alter registry or file data 7->100 102 Tries to detect virtualization through RDTSC time measurements 7->102 18 DCkcgYok.exe 26 7->18         started        22 qMYgcwEs.exe 17 7->22         started        24 reg.exe 1 7->24         started        26 3 other processes 7->26 64 C:\RCX8106.tmp, PE32 11->64 dropped 66 C:\RCX3B46.tmp, PE32 11->66 dropped 68 C:\RCX39DE.tmp, PE32 11->68 dropped 70 9 other malicious files 11->70 dropped 104 Antivirus detection for dropped file 13->104 106 Machine Learning detection for dropped file 13->106 108 Delayed program exit found 13->108 72 127.0.0.1 unknown unknown 15->72 74 192.168.2.1 unknown unknown 15->74 110 Changes security center settings (notifications, updates, antivirus, firewall) 15->110 file5 signatures6 process7 file8 42 C:\Users\user\Desktop\bYkI.exe, PE32 18->42 dropped 44 C:\Users\user\Desktop\Vcgi.exe, PE32 18->44 dropped 46 C:\Users\user\Desktop\SUom.exe, PE32 18->46 dropped 54 10 other malicious files 18->54 dropped 84 Antivirus detection for dropped file 18->84 86 Machine Learning detection for dropped file 18->86 88 Injects code into the Windows Explorer (explorer.exe) 18->88 96 2 other signatures 18->96 28 explorer.exe 18->28         started        48 C:\RCX140C.tmp, PE32 22->48 dropped 50 C:\ProgramData\Microsoft\...\guest.bmp.exe, PE32 22->50 dropped 52 C:\Users\user\Desktop\hQIe.exe, PE32 22->52 dropped 90 Tries to detect virtualization through RDTSC time measurements 22->90 92 Delayed program exit found 22->92 30 explorer.exe 22->30         started        94 Changes the view of files in windows explorer (hidden files and folders) 24->94 32 conhost.exe 24->32         started        34 setup.exe 1 26->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c62a0ecbabea48ecccbe3cceba50d1145710468bbd8e27ba25479bb710644017/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 10:08:28 UTC
AV detection:
45 of 47 (95.74%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
044ce13a80f8cccff294f37d977802a8550cfe52135991fa09769e46aadac8f3
VirLock
1326c4b5f16b37e3474154b0497d09583257a88c050637749e5ee9e91f705b74
VirLock
219e4ba0ba1f5379b52731d88487b23ab66a091ce1542c1c5475058e7c04c0fd
VirLock
5dcbbdb1d5a8b47a50a05b2cf13963139075616f4b6de2db2232aa73bde800c1
VirLock
6dad77171c960f2d7b5f71763d2102499683c904e9af3a41118562261d00a97a
VirLock
7b835cb8bff0857c7f074a631cea1042e106dc68cfa0c83f1bac76108b9b5eea
VirLock
8c6e62cd0eaae55ac50dbcab7eedf60547f47d0126bf6ac96010f7f07c300bb0
VirLock
92f33d787077d6ebe2fb62adf935c32d86cc39424bb3ec5eb066224c3e9da5e4
VirLock
b69aa57f74809a88c35081e066a080f2235608838f5db899f4f888c6ae68da6f
VirLock
daf476c7cf8ab34bef6a21098167597e091739412d53a2cdf8069e5a338b0ad6
VirLock
+ 229 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-y8sjn3cxe2/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
674ee222f2b861c329ff0acac80f3e7f1a2c817ff791e27b3f78a5946f208904
MD5 hash:
4f176bfd330c1d84164e6abe6f7abbdf
SHA1 hash:
2b17feaf36589fc4b723254afe3051c0fe87ec5f
Link:
https://www.unpac.me/results/f2735403-31f7-4dd3-8f05-d27de46a796e/
SH256 hash:
1c096ca036322d36a094b35a8d2f9aec1f77b18401f4c0f6208369468f2b7ee5
MD5 hash:
6c65e7ce0596ab48035c40566bc63d78
SHA1 hash:
85c2fd889cc65e1bb1ba3b035e5e9a8906475175
Link:
https://www.unpac.me/results/f2735403-31f7-4dd3-8f05-d27de46a796e/
SH256 hash:
d7ec629bdfaaed5cb4ab732d2adfb6e1164d387a76c4facbeffd04f4c113a989
MD5 hash:
2df98d43c2cf3e289f5d0a53dabcc3c0
SHA1 hash:
cd30a63acb42530c877568c134801f32293ffe66
Link:
https://www.unpac.me/results/f2735403-31f7-4dd3-8f05-d27de46a796e/
SH256 hash:
c62a0ecbabea48ecccbe3cceba50d1145710468bbd8e27ba25479bb710644017
MD5 hash:
c42f048da3d027513204563e0a9d5e61
SHA1 hash:
017447e78bde08f954d3a94847d711cf9f40088c
Link:
https://www.unpac.me/results/f2735403-31f7-4dd3-8f05-d27de46a796e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150372/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 11:19:55 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash