MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiskWriter


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589
SHA3-384 hash: c255deeab0d45999db6b10c31c9b284fbc8d154e3eab5477748265822ef6c0031fd86d84805bcce6d5845fe34991980c
SHA1 hash: c7fbba7fbe57a5f9103f64e97b18b0cc65937fba
MD5 hash: e46f140b1dd5c5525006dbac67bf9726
humanhash: iowa-fifteen-asparagus-virginia
File name:E46F140B1DD5C5525006DBAC67BF9726.exe
Download: download sample
Signature DiskWriter
Create hunting rule
File size:927'232 bytes
First seen:2022-06-19 14:35:53 UTC
Last seen:2022-06-19 15:47:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b3dbe062465635812b5d850c8abcdfe9 (1 x DiskWriter)
ssdeep 12288:Prp6Euwoa4le7VEDUEmLut77L6bn+mFvMdY:gEaaP7VbEmLut77sMS
Threatray 1'911 similar samples on MalwareBazaar
TLSH T11B153A1BF76744EEC67BC170425B9372BA70F8650630AA3E2E55DB351F21E605A2EB30
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter obfusor
Tags:DiskWriter exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281307/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop20.11333.3613.19600.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Launching a process
Searching for the window
Windows shutdown
Rewriting of the hard drive's master boot record
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21975/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/62af3498497c3126befcf336/reports/947c4fe6-f426-4455-a436-08c924fee569/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ca78603-2cca-4b20-ab14-88502bda90bb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1015923
Signature
Infects the VBR (Volume Boot Record) of the hard disk
Multi AV Scanner detection for submitted file
Uses shutdown.exe to shutdown or reboot the system
Writes directly to the primary disk partition (DR0)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 648419 Sample: VQGFaKBWLb.exe Startdate: 19/06/2022 Architecture: WINDOWS Score: 60 20 Multi AV Scanner detection for submitted file 2->20 7 VQGFaKBWLb.exe 2->7         started        process3 file4 18 \Device\Harddisk0\DR0, DOS/MBR 7->18 dropped 22 Writes directly to the primary disk partition (DR0) 7->22 24 Infects the VBR (Volume Boot Record) of the hard disk 7->24 11 cmd.exe 1 7->11         started        signatures5 process6 signatures7 26 Uses shutdown.exe to shutdown or reboot the system 11->26 14 conhost.exe 11->14         started        16 shutdown.exe 1 11->16         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589/
Threat name:
Win64.Trojan.DiskWriter
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 00:35:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zyyjul25c75j3qevpfd5ialjssjmu345mmqgjbwzi6xkktdfyweq._file
Verdict:
malicious
Similar samples:
067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
DiskWriter
280925849cd341c089c250b6609a0cab91026578f98bc2c45cb924dc9c8967a5
DiskWriter
2e0aa995df9b6a99e37601b1d7dea6fb85f6c7130980a8c2a275370efb6f0236
DiskWriter
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
DiskWriter
914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
DiskWriter
ce07b1122ef0305ce0dd1588394295073545df0b5a91c63f6ab6eaf5b7f74091
DiskWriter
d17133253e57854119a62729965ace0d1e4201561b6f313d5e72a14186e445e6
DiskWriter
de85e7754cdb6c18d93f074d58406b4b4e91466cb53e82f962535452ebc2b9d9
DiskWriter
ec86b00b3f187f93e86711f82043af2ec359861bd60497b53998b0a28bc20d3e
DiskWriter
f273edc1367f3b4031946254ff4f2d32c2c82f6a7aabbeab86153d5728e0766e
DiskWriter
+ 1'901 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220619-rykjlaehcj/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589
MD5 hash:
e46f140b1dd5c5525006dbac67bf9726
SHA1 hash:
c7fbba7fbe57a5f9103f64e97b18b0cc65937fba
Link:
https://www.unpac.me/results/9bc23afd-0817-4361-897d-45c2f7f77855/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce309a2f5d17/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Shutdown
Create hunting rule
Author:adm1n_usa32
Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281307/

Comments