MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RagnarLocker

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8
SHA3-384 hash:	73731f05525a0a924e8713448b9fa616585c41e921cabc6ef6998fea7bd45f06b2bff8e0cfa28c03e3a337060efc9e76
SHA1 hash:	50ae8d51e9bc3fc5264c7ff2d0b18b68e8164f84
MD5 hash:	8d986c2f6a23ad4b1624f6e3ee55d3a2
humanhash:	robin-july-nevada-london
File name:	ragnar_locker_Omniga.de_
Download:	download sample
Signature	RagnarLocker Create hunting rule
File size:	6'187'008 bytes
First seen:	2020-08-03 10:00:30 UTC
Last seen:	2020-08-03 10:36:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ca0cd2d76c9b02bab2507f2a8a60307a (1 x RagnarLocker)
ssdeep	98304:daXT4xKWyHsSZ5O200UpV0XNK5s5DnFkv2+nAvExh+5BedMrY87XDUqJCfpxCtTN:daXMEHsgOUgViLAhAv6hO5bzhJCRxCN3
Threatray	30 similar samples on MalwareBazaar
TLSH	7A56127312784149D1E7CC3D9933FDE071F5522B8F81B8FAA59A6DD528225F8E223A13
Reporter	JAMESWT_WT
Tags:	Omniga RagnarLocker Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

2'580

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ragnarlocker

Link:

https://www.capesandbox.com/analysis/37706/

Detection(s):

SecuriteInfo.com.Generic.Ransom.Ragnar.195BD0FE.7354.8431.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a process with a hidden window

Launching a process

Moving a file to the Program Files subdirectory

Deleting volume shadow copies

Creating a file in the mass storage device

Encrypting user's files

Result

Threat name:

RagnarLocker

Detection:

malicious

Classification:

rans.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/407758

Signature

Deletes shadow drive data (may be related to ransomware)

Detected VMProtect packer

Found Tor onion address

Hides threads from debuggers

Machine Learning detection for sample

May disable shadow drive data (uses vssadmin)

Modifies existing user documents (likely ransomware behavior)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Delete shadow copy via WMIC

Tries to detect debuggers by setting the trap flag for special instructions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes many files with high entropy

Yara detected RagnarLocker ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8/

Threat name:

Win32.Ransomware.Ragnar

Status:

Malicious

First seen:

2020-08-02 12:37:58 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

41 of 48 (85.42%)

Threat level:

5/5

Verdict:

suspicious

RagnarLocker

1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64

RagnarLocker

22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9

RagnarLocker

3e5bbf9fcae918011ec4eee75ac6402fddf20d09fef95b362d0e226d56b80f1d

RagnarLocker

57cf4470348e3b5da0fa3152be84a81a5e2ce5d794976387be290f528fa419fd

RagnarLocker

6285cf98c96fdfa826a2d5e4de045bb84dfc7e05d21b561c54a5b63ad2c298e1

RagnarLocker

84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04

RagnarLocker

89d5d6a0436ed5e2e27c0f9cd1f7fa5b05fa342a082fc5d7ad2439ac75c7bf33

RagnarLocker

a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4

RagnarLocker

eeff7bc679bb93407730373e791ecfcb9669be2b6dcfafa3a00aed5d4e953b4e

RagnarLocker

+ 20 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

vmprotect

Link:

https://tria.ge/reports/200803-b9r4hl2gba/

Behaviour

VMProtect packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Ransomware

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf5ec678a2f836f859eb983eb633d529c25771b3b7505e74aa695b7ca00f9fa8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/37706/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample