MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mydoom


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64
SHA3-384 hash: 24cbaba68219c998a3ad7946034fd77936b8e9303864ae6fcdf6de9d0c25d4f350073b77a7b2a5d003023f58972cbf74
SHA1 hash: ec2b7eebfcbf263424ae194817060eac44c380c7
MD5 hash: f09a781eeb97acf68c8c1783e76c29e6
humanhash: table-mountain-uncle-september
File name:cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64
Download: download sample
Signature Mydoom
Create hunting rule
File size:1'983'488 bytes
First seen:2022-10-04 09:53:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c076d24783fd9634f12818a5dbbf134 (1 x Mydoom)
ssdeep 49152:jL7kITp6hTJEfHdQ2+Sd3KmkZt1EOS09VE8zbRfc7id4oPg:YITpmafy2+S5KmkZt1EOSP8zdfc7i5P
Threatray 50 similar samples on MalwareBazaar
TLSH T17B958E31F790D476D32336309A49AFB9B3F6E6302979924715D01E3E2F305935A2C6AB
TrID 26.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
22.6% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 00116909486a698d (1 x Mydoom)
Reporter petikvx
Tags:exe Mydoom Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
553
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316419/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
DNS request
Creating a file in the system32 directory
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Changing a file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Modifying an executable file
Replacing executable files
Moving a file to the Program Files subdirectory
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Enabling autorun by creating a file
Infecting executable files
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41036/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger shell32.dll
Link:
https://www.filescan.io/uploads/633c02bfc9e2f343543293f8/reports/59370cc2-72f3-460a-9bea-a6b5ce495a84/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/913eb3fa-4d2c-497f-a613-caf050448c56
Result
Threat name:
Crysis
Create hunting rule
Detection:
malicious
Classification:
rans.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083118
Signature
Antivirus / Scanner detection for submitted sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Crysis Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
dharma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64/
Threat name:
Win32.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 06:03:57 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zq5vod5i7bzvj4dkedmiopcfbb3ijqqx6g2djm5qasfm3fx6hzsa._file
Verdict:
malicious
Similar samples:
0a40acb8ddbc2ed8f8b703681fadf9fcb2672fdb75d93c150b45c6465cc9b1b4
Mydoom
4d8ffa30554984f32eabbcb7a99699dd833ea85a8483db8753cc40bde7cee923
Mydoom
553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d
Mydoom
90c54543aaf085e00879d4fe98a6dfb8148548f374828d50b6e3ac44668138b2
Mydoom
94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6
Mydoom
9a4e6b6a25332f21e4e15bd5c67ea1613db78bf02fa3cef2eba47f27723f8d58
Mydoom
9e5f370201251e8dc138678f8e0d4f0bdd75e1353edcc77d41c8401621c2c671
Mydoom
b23eb66e588b47a73b393c87467b0b2b0431d9d346368efeaa36a76c7877cd27
Mydoom
dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584
Mydoom
ea6bafd96818930f83200987d64c970ad03afcae9d69fbde9dd18f2ace154a99
Mydoom
+ 40 additional samples on MalwareBazaar
Result
Malware family:
dharma
Create hunting rule
Score:
  10/10
Tags:
family:dharma persistence ransomware spyware stealer upx
Link:
https://tria.ge/reports/221004-lw7nfsagem/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
UPX packed file
Deletes shadow copies
Dharma
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/18fd8f80-1d33-4f57-9f02-33a9574ef1a3
Unpacked files
SH256 hash:
e0d1bc534899364c71d48fe6b3983da34223688831ad8336369f81e3536d4ab2
MD5 hash:
3a81e8f22e239c4ced0ddfa50eacdfa4
SHA1 hash:
daeb0b71b48e51ad9fb70719ac7ee831626b21c3
Link:
https://www.unpac.me/results/05bf5fed-087c-4d0e-bb11-768c6e081f89/
SH256 hash:
0a4c1cecaf06b28f7783e24510305508b7a0ad7bc23224ccb903ac19940507bb
MD5 hash:
7ae1faba852e6d463d579e56567af99e
SHA1 hash:
f1291da0bde20686bb9f624ad605963dea02ca03
Link:
https://www.unpac.me/results/05bf5fed-087c-4d0e-bb11-768c6e081f89/
SH256 hash:
cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64
MD5 hash:
f09a781eeb97acf68c8c1783e76c29e6
SHA1 hash:
ec2b7eebfcbf263424ae194817060eac44c380c7
Link:
https://www.unpac.me/results/05bf5fed-087c-4d0e-bb11-768c6e081f89/
Malware family:
Dharma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc3b570fa8f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316419/

Comments