MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Conti


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1

SHA256 hash: d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc
SHA3-384 hash: 4a3c6863a5afc521b1026580804324901b6c10dc90439c1f4852ebf8fd87db4e2c1d70de60dfd85aadd3f0e3587e46c8
SHA1 hash: ab0c3361bf3ab8b7c40883b2d3107aa7f1d7428b
MD5 hash: 9152cb45994adab4dc27c33ee72a66e1
humanhash: london-mobile-rugby-high
File name:9152cb45_by_Libranalysis
Download: download sample
Signature Conti
File size:330'240 bytes
First seen:2021-05-14 19:12:23 UTC
Last seen:2021-05-14 19:51:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6c4dc31c1626e6ea434bd07db7c2bc89 (1 x Conti)
ssdeep 6144:kbIcqOrL3sxz5nq0d2Uyr7COWDzO2beJf/kCeg4ZRD:5cqOHEVnqnUy/COWDzneJW
Threatray 5 similar samples on MalwareBazaar
TLSH 18649D30BA90C036E0B71DF445B6C3B8692B7DB2972451CBE2D42BEA56346E5DC31B87
Reporter Libranalysis
Tags:conti


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads :
2
# of downloads :
415
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://hosting.caveosystems.com/sample.zip
Verdict:
No threats detected
Analysis date:
2021-05-14 16:24:06 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
Launching a process
Connection attempt
Creating a file
Changing a file
Creating a file in the Program Files directory
Moving a file to the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying an executable file
Creating a file in the mass storage device
Encrypting user's files
Result
Threat name:
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found potential dummy code loops (likely to delay analysis)
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Conti ransomware
Behaviour
Behavior Graph:
Threat name:
Win32.Ransomware.Conti
Status:
Malicious
First seen:
2021-05-14 19:14:19 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:conti ransomware spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Modifies extensions of user files
Conti Ransomware
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Conti
Author:kevoreilly
Description:Conti Ransomware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-14 20:02:42 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0045] File System Micro-objective::Copy File
4) [C0049] File System Micro-objective::Get File Attributes
5) [C0051] File System Micro-objective::Read File
6) [C0052] File System Micro-objective::Writes File
7) [C0040] Process Micro-objective::Allocate Thread Local Storage
8) [C0043] Process Micro-objective::Check Mutex
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process