MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: BlueSky
Vendor detections: 12

SHA256 hash: c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df
SHA3-384 hash: 360585e77e453497c94bf21bd2d1c0aa6e203c452be95022ed8a70f6235a143775658baa42f0b95a7e636ff693846bdd
SHA1 hash: 429237548351288fac00e0909616b1518d5487b9
MD5 hash: efec04688a493077cea9786243c25656
humanhash: nebraska-massachusetts-single-stream
File name: c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df.bin
Signature: BlueSky
File size: 72'704 bytes
First seen: 2022-08-12 00:42:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 1536:G+5geBR2Q+a8M124Zl2i5SADBDg8trv4t9MBY5yqv:GDeBgQ+a8M12Y2i59hrvWMB2v
TLSH: T15F63D64AB749EA30F59694B996FC2A17688E8938835F85C3EBD0C05A7651CC6B834F13
TrID: 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter: Arkbird_SOLG
Tags: BlueSky exe Ransomware

Intelligence

File Origin
# of uploads: 1
# of downloads: 455
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c75748dc544629a8a5d08c0d8ba7fda3508a3efdaed905ad800ffddbc8d3b8df.bin
Verdict: Malicious activity
Analysis date: 2022-08-12 00:43:35 UTC
Tags: ransomware

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Changing a file
Searching for synchronization primitives
Moving a recently created file
Reading critical registry keys
Sending a custom TCP request
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: conti filecoder packed ransomware windows
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BlueSky Ransomware
Verdict: Malicious
Result
Threat name: BlueSky
Detection: malicious
Classification: rans.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to hide a thread from the debugger
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Yara detected BlueSky Ransomware
Behaviour
Behavior Graph:
Threat name: Win32.Ransomware.Conti
Status: Malicious
First seen: 2022-06-26 13:38:00 UTC
File Type: PE (Exe)
AV detection: 24 of 26 (92.31%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies extensions of user files
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Conti
Author: kevoreilly
Description: Conti Ransomware

Rule name: meth_stackstrings
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments