MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f
SHA3-384 hash:	f583ef4e8f7a17c34b09c23aa431aaadfd6b7dae31dcf53c85f15d30556beb2503da3357011d5ff35bf9ed3276741554
SHA1 hash:	31a45521bc672abcf64e50284ca5d4e6b3687dc8
MD5 hash:	989ae3d195203b323aa2b3adf04e9833
humanhash:	bulldog-bravo-east-one
File name:	NoEscape.exe
Download:	download sample
File size:	682'655 bytes
First seen:	2022-09-02 17:43:51 UTC
Last seen:	2025-03-14 00:54:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f400a8c725e9bcee856360087d72fec3
ssdeep	12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t
TLSH	T174E4230297780DB8E2B619755070A50FE8F4FE1A30781D1A84EC77A139F9689733B6DE
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon	0ebcf8c0c4c0f160 (1 x Babadeda)
Reporter	JaffaCakes118
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

565

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Screen Shot 2022-03-17 at 7.08.04 PM.png

Verdict:

Malicious activity

Analysis date:

2022-03-29 13:37:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c5091a5f-2af3-4230-822a-2e2a0587271a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/307504/

Detection(s):

SecuriteInfo.com.Trojan.KillBoot.1513.8014.29466.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6312415fd1c2c35e2725a07c/reports/652de17b-1f9c-4338-a7f2-320aa41f27f4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b871aeb6-5a8a-4cbf-bb5e-6b3c24627090

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/567050

Signature

Contains functionality to infect the boot sector

Contains functionality to modify Windows User Account Control (UAC) settings

Contains functionalty to change the wallpaper

Creates an undocumented autostart registry key

Creates files in alternative data streams (ADS)

Detected unpacking (changes PE section rights)

Disables the Windows registry editor (regedit)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f/

Threat name:

Win32.Ransomware.Noescape

Status:

Malicious

First seen:

2020-11-30 04:11:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2mgxm5vdwterw56uap4boshl624ier2j3npymdqrjkfcas6klohq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence ransomware trojan

Link:

https://tria.ge/reports/220902-wa5bbahhak/

Behaviour

Modifies Control Panel

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

System policy modification

Drops file in Windows directory

Sets desktop wallpaper using registry

Checks whether UAC is enabled

Drops desktop.ini file(s)

Modifies WinLogon

Disables RegEdit via registry modification

Modifies WinLogon for persistence

UAC bypass

Unpacked files

SH256 hash:

d336a52265cc1b115f20996bf9918d6891cff04f0463f4159968a925da5307cd

MD5 hash:

cbcd9ad673629d2c17c85bb9f97da4bc

SHA1 hash:

ee293707eb21bf640d4310f66cfd6f29d61f8a4c

Link:

https://www.unpac.me/results/8fce2e36-8698-498c-b4d6-f1eae7707a5c/

SH256 hash:

d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

MD5 hash:

989ae3d195203b323aa2b3adf04e9833

SHA1 hash:

31a45521bc672abcf64e50284ca5d4e6b3687dc8

Link:

https://www.unpac.me/results/8fce2e36-8698-498c-b4d6-f1eae7707a5c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/