MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c64c3ea2bc5e7a94d67a6cea1abad1b646d9bc43bbee7a62c5980a40c9ea5c9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Snatch
Vendor detections: 8


SHA256 hash: c64c3ea2bc5e7a94d67a6cea1abad1b646d9bc43bbee7a62c5980a40c9ea5c9e
SHA3-384 hash: d936ed36281583c7dd7a021874d34659965773bc7dce8f298fd4402309f0b7b5bf9a812e7d203a7e3fff9992074cb0a3
SHA1 hash: d0be605966a1ac968b8d8c722faf7cebc0bad121
MD5 hash: d467c7c58dd9aa0f13d6d2060eded5ca
humanhash: bravo-victor-crazy-winner
File name: c64c3ea2bc5e7a94d67a6cea1abad1b646d9bc43bbee7a62c5980a40c9ea5c9e
Signature: Snatch
File size: 2'409'984 bytes
First seen: 2021-03-20 11:06:21 UTC
Last seen: 2021-04-09 11:25:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 93a138801d9601e4c36e6274c8b9d111 (11 x CobaltStrike, 9 x Snatch, 8 x LaplasClipper)
ssdeep: 24576:x4lXsCjaUNGR0c7y7lHhSYPAF5mCjtFuK8NZgRoYBnG8OycLfygZ+kWe8Af4adQX:oVjIyeoAqK8U3iMNg+1s8Mu
Threatray: 62 similar samples on MalwareBazaar
TLSH: F9B54A51F9AB55B1E5036231C997E3BF13316E059732CAC3C5C07EABFD6AAE20932215
Reporter: JAMESWT_WT
Tags: Maurigo, NASAcry, Ransomware, Snatch

Intelligence

File Origin
# of uploads: 3
# of downloads: 1'572
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: build.exe
Verdict: Malicious activity
Analysis date: 2021-03-14 09:26:26 UTC
Tags: ransomware

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions taken during the session, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Changing a file
Reading critical registry keys
Creating a file
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Launching a service
Launching a process
Sending a UDP request
Stealing user critical data
Creating a file in the mass storage device
Deleting volume shadow copies
Encrypting user's files
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
May drop file containing decryption instructions (likely related to ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph (node data extracted from the graph):
Behavior Graph ID: 372401
Sample: BCcV3NsFNz
Start date: 20/03/2021
Architecture: WINDOWS
Score: 84
Signatures on the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Delete shadow copy via WMIC; 2 other signatures
Process tree: BCcV3NsFNz.exe started and launched WMIC.exe, cmd.exe and vssadmin.exe, each of which started a conhost.exe child
Files dropped by BCcV3NsFNz.exe: C:\Users\user\ntuser.ini (data), C:\Users\user\Music\desktop.ini (data), C:\Users\user\Desktop\SQSJKEBWDT.jpg (data), and 4 other malicious files
Signatures on BCcV3NsFNz.exe: Drops a file containing file decryption instructions (likely related to ransomware); Deletes shadow drive data (may be related to ransomware); Writes a notice file (html or txt) to demand a ransom; Modifies existing user documents (likely ransomware behavior)
Threat name: Win32.Ransomware.Badgopher
Status: Malicious
First seen: 2021-03-14 15:24:28 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 23 of 28 (82.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: ransomware
Behaviour
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops desktop.ini file(s)
Modifies extensions of user files
Deletes shadow copies
Unpacked files
SHA256 hash: c64c3ea2bc5e7a94d67a6cea1abad1b646d9bc43bbee7a62c5980a40c9ea5c9e
MD5 hash: d467c7c58dd9aa0f13d6d2060eded5ca
SHA1 hash: d0be605966a1ac968b8d8c722faf7cebc0bad121
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cryptocoin_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: detects command variations typically used by ransomware

Rule name: QnapCrypt
Author: Intezer Labs
Reference: https://www.intezer.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments