MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackMatter


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee
SHA3-384 hash: 47cc2814cf6b8c144d0efcb51510f5d9173acb1541ca83875d83ba0494e85b673673875d6f9e551a14524d5c133ce4b0
SHA1 hash: c2a321b6078acfab582a195c3eaf3fe05e095ce0
MD5 hash: 628e4a77536859ffc2853005924db2ef
humanhash: cardinal-five-social-thirteen
File name:lockbit_v3_unpacked.mal_
Download: download sample
Signature BlackMatter
Create hunting rule
File size:165'888 bytes
First seen:2022-07-03 20:21:55 UTC
Last seen:2022-07-03 20:32:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a50a0d82b9120fc73965c28fea79e1f9 (4 x LockBit, 3 x BlackMatter)
ssdeep 3072:o5uyulsHwDV1gFnTwn7zwJGJ+3t5kCI5Gzei3N2VzRmK:o5uZ1DPgFnk7EJwaI5gDN2VVm
Threatray 12'847 similar samples on MalwareBazaar
TLSH T182F36C227152D177C4A239F1B32A76A1B39D8E2C16A8A453FAF8DF0538778237F11857
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter cPeterr
Tags:BlackMatter exe lockbit lockbit3 Ransomware unpacked


Avatar
cPeterr
Fully unpacked Lockbit v3.0

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee.exe
Verdict:
Suspicious activity
Analysis date:
2022-07-03 21:21:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/298bb46a-3eb1-473b-8fcf-1d19427c32b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Babar.70652.19293.8488.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Сreating synchronization primitives
Launching a service
Delayed writing of the file
Changing a file
Reading critical registry keys
Creating a window
Moving a recently created file
Using the Windows Management Instrumentation requests
Launching a process
Sending a UDP request
Creating a file in the %temp% directory
Stealing user critical data
Creating a file in the mass storage device
Forced shutdown of a system process
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar packed virus
Link:
https://www.filescan.io/uploads/62c1faa6dd037e27032d120e/reports/325f5b17-afdc-483e-883b-633ef91af430/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlackMatter Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe9c9cee-3921-49fd-9148-cd5e0a024eea
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1023738
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee/
Threat name:
Win32.Ransomware.Lockbit
Create hunting rule
Status:
Malicious
First seen:
2022-07-03 20:22:06 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ynpab7wy6jlr63mm5yuhn6q4jjthfhcrrihg5mi4qg2i5oaidxa._file
Verdict:
malicious
Similar samples:
4ed83928e3ee46e2bfdd24cf49a4f0dd49f70911df7c0c6c740ed9b7a407b8d6
BlackMatter
598f6a197785846295000434721eede352fc5bea22fe3faef352f64770d06909
BlackMatter
63a8a847683b777e6d6143a1c886a2d38bd68ab632826115763db3b214d1e127
BlackMatter
7bafdf9104df0d8445c2478014a23e68200d48c2c438b4ad1820f8995936d129
BlackMatter
899e3f377624c91677b2ddc324199eb854a630409145acf0941a32ed2d4cd005
BlackMatter
963043215c54f2a5b1ae6a53787ed78c838beb576e2744e304665f611c7fcb60
BlackMatter
9e3aeccf79c4c92f97410817a161701c59affa07403748695e61fef0d1d082e7
BlackMatter
ce7d3bdad0d089583e735635f3d475e11dde86d0ad1c76d8735085a9ec031d96
BlackMatter
ded5b8b5d57f0e7d66f85cfd7067af3a22e6ce2877cb4d1fc5eb88963559316b
BlackMatter
+ 12'837 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Link:
https://tria.ge/reports/220703-y5jn7sdacl/
Behaviour
Modifies Control Panel
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops desktop.ini file(s)
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Modifies extensions of user files
Unpacked files
SH256 hash:
d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee
MD5 hash:
628e4a77536859ffc2853005924db2ef
SHA1 hash:
c2a321b6078acfab582a195c3eaf3fe05e095ce0
Detections:
win_blackmatter_auto
Create hunting rule
Link:
https://www.unpac.me/results/c462b34e-bf3e-473f-bfcd-dc8a9217795a/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments