MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f
SHA3-384 hash: fd7ced67ade9e5df464f26a75d84a60771bbf4deaac65b62278c2f18a0af857e5aa2bf2e560cf4b1ac9606cb4f36bc71
SHA1 hash: c5c672a4a8ebae04cf7471c56136dce58ccd88f0
MD5 hash: 0e64acab6fb3d50aaebc17e6dfb2d289
humanhash: low-fillet-island-speaker
File name:0e64acab_by_Libranalysis
Download: download sample
File size:1'342'464 bytes
First seen:2021-04-29 12:19:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fada6cba5bb68b74e893b0c75c1220be (2 x Voidcrypt)
ssdeep 24576:p8R+ujOYkwJvXsqYvFeq0AfTDiV55RDGchi/NL6jwBdQ+esusMyAuGGFAuIri0+o:gjwwVrBQ/t6VUPbFAuIOjfA
Threatray 5 similar samples on MalwareBazaar
TLSH F855AE617A43C1B2D55100F049BDAB7B4A3CAF294B308AD7E3C86E3E59305D16E3769B
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/146660/
Detection(s):
Win.Ransomware.Vipasana-9783618-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Launching a process
Sending a UDP request
Launching the process to change network settings
Launching a service
Launching the process to change the firewall settings
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Connection attempt
Changing a file
Modifying an executable file
Creating a file in the Program Files subdirectories
Deleting a recently created file
Moving a recently created file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files directory
Creating a window
Launching the process to interact with network services
Enabling autorun for a service
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/702507
Signature
Creates files in the recycle bin to hide itself
Disables security and backup related services
Disables the windows firewall (over ALG)
Drops PE files to the startup folder
Infects executable files (exe, dll, sys, html)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 400182 Sample: 0e64acab_by_Libranalysis Startdate: 29/04/2021 Architecture: WINDOWS Score: 96 59 r3.o.lencr.org 2->59 67 Multi AV Scanner detection for dropped file 2->67 69 Multi AV Scanner detection for submitted file 2->69 9 0e64acab_by_Libranalysis.exe 227 2->9         started        signatures3 process4 dnsIp5 61 94.130.46.250, 80 HETZNER-ASDE Germany 9->61 63 api.my-ip.io 157.245.5.40, 443, 49719 DIGITALOCEAN-ASNUS United States 9->63 65 127.0.0.1 unknown unknown 9->65 51 IEEE2006OfficeOnli...AY9754083261].poker, Encore 9->51 dropped 53 C:\Users\user\AppData\Local\...\angular.js, DOS 9->53 dropped 55 C:\...\0e64acab_by_Libranalysis.exe, PE32 9->55 dropped 57 98 other files (94 malicious) 9->57 dropped 71 Creates files in the recycle bin to hide itself 9->71 73 Drops PE files to the startup folder 9->73 75 Uses bcdedit to modify the Windows boot settings 9->75 77 6 other signatures 9->77 14 cmd.exe 1 9->14         started        17 cmd.exe 1 9->17         started        19 cmd.exe 1 9->19         started        21 9 other processes 9->21 file6 signatures7 process8 signatures9 79 Uses netsh to modify the Windows network and firewall settings 14->79 23 net.exe 1 14->23         started        25 conhost.exe 14->25         started        27 net.exe 1 17->27         started        29 conhost.exe 17->29         started        31 net.exe 1 19->31         started        33 conhost.exe 19->33         started        35 net.exe 1 21->35         started        37 net.exe 21->37         started        39 11 other processes 21->39 process10 process11 41 net1.exe 1 23->41         started        43 net1.exe 1 27->43         started        45 net1.exe 1 31->45         started        47 net1.exe 1 35->47         started        49 net1.exe 37->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f/
Threat name:
Win32.Ransomware.Ouroboros
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 16:40:25 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
318c6717d3881cbc9b1f24325a85e79d5c5768a03387dfb2cf605638a4b45056
353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f
581122114ad28f404b2cc4f8df5d77b6ed447f8f26f862960bb0181776bfacd9
a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner ransomware spyware stealer
Link:
https://tria.ge/reports/210429-hb3qeq68dj/
Behaviour
NTFS ADS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Drops file in Drivers directory
Modifies Windows Firewall
Modifies extensions of user files
xmrig
Unpacked files
SH256 hash:
cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f
MD5 hash:
0e64acab6fb3d50aaebc17e6dfb2d289
SHA1 hash:
c5c672a4a8ebae04cf7471c56136dce58ccd88f0
Link:
https://www.unpac.me/results/1ce294bd-0f8f-4fe8-bc18-e80b1941658a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/146660/

Comments