MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Snatch


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a
SHA3-384 hash: f61b2f16d36e353d473a32534f7689c18cb72a0cc2fdd6741c79cb840e48a6b846fa67e1f4be42f983cd0ade9d56c093
SHA1 hash: 45adb2e2ee26e9221b76e71180dc955b7c9eff70
MD5 hash: 1a2978ce842c0d4c2fc309801cbbcabb
humanhash: undress-butter-maine-steak
File name:d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.bin
Download: download sample
Signature Snatch
Create hunting rule
File size:2'603'008 bytes
First seen:2021-03-17 22:22:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (238 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 49152:bCUyJ4g9ORa57v5x6oFasJcloaz1+BwIMd1EdUMnTzgDQmFIfiwH8ML4:bCh4g9Ogv6oFclo41qwIu1uTzgE6I6wz
Threatray 2 similar samples on MalwareBazaar
TLSH 03C5339B4587E6B4D25905B02A79FE7D42147C930CEA78B88C62E87514BF6C2E2FB113
Reporter Arkbird_SOLG
Tags:Maurigo Ransomware Snatch

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'569
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a.bin
Verdict:
No threats detected
Analysis date:
2021-03-17 22:33:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f163c2c1-9193-4fcc-9283-90968d94adc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Babuk
Create hunting rule
Link:
https://www.capesandbox.com/analysis/125325/
Detection(s):
Win.Ransomware.Snatch-9833001-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Launching a process
Deleting a recently created file
Creating a file in the Program Files subdirectories
Creating a file in the Program Files directory
Changing a file
Moving a file to the Program Files subdirectory
Modifying an executable file
Sending a UDP request
Creating a file in the mass storage device
Encrypting user's files
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snatch Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21b43467-e15f-4cf4-9d99-e72faa13f32d
Result
Threat name:
Gocoder Snatch Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/643073
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Yara detected Gocoder ransomware
Yara detected Snatch Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 370505 Sample: 44u1WtwHoo.bin Startdate: 17/03/2021 Architecture: WINDOWS Score: 96 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Found ransom note / readme 2->50 52 4 other signatures 2->52 7 44u1WtwHoo.exe 501 2->7         started        11 SearchUI.exe 315 153 2->11         started        13 notepad.exe 2->13         started        process3 file4 38 C:\...\PSGet.Resource.psd1.aulmhwpbpzi, data 7->38 dropped 40 C:\...\PSModule.psm1.aulmhwpbpzi, data 7->40 dropped 42 C:\...\PSGet.Resource.psd1.aulmhwpbpzi, data 7->42 dropped 44 191 other malicious files 7->44 dropped 54 Writes many files with high entropy 7->54 15 cmd.exe 1 7->15         started        18 cmd.exe 1 7->18         started        20 cmd.exe 1 7->20         started        22 cmd.exe 1 7->22         started        signatures5 process6 signatures7 56 May disable shadow drive data (uses vssadmin) 15->56 58 Deletes shadow drive data (may be related to ransomware) 15->58 24 conhost.exe 15->24         started        26 sc.exe 1 15->26         started        28 findstr.exe 1 15->28         started        30 conhost.exe 18->30         started        32 vssadmin.exe 1 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a/
Threat name:
Win64.Ransomware.Snatch
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 02:32:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
30 of 47 (63.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3biyrrmkzm4vv2ek2k7b6saeiciowa7rexexnewca6d3sm53xuna._file
Verdict:
suspicious
Similar samples:
1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593
Snatch
4e002bce081442b7bc369d0a52eca3dba64d38649da8416863bd40b8bc3a49c7
Snatch
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware spyware stealer upx
Link:
https://tria.ge/reports/210317-6vkqva8c6a/
Behaviour
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Drops startup file
Reads user/profile data of web browsers
Modifies extensions of user files
UPX packed file
Deletes shadow copies
Unpacked files
SH256 hash:
d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a
MD5 hash:
1a2978ce842c0d4c2fc309801cbbcabb
SHA1 hash:
45adb2e2ee26e9221b76e71180dc955b7c9eff70
Link:
https://www.unpac.me/results/b39b4851-7830-4f64-9e89-750b604b4a1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Snatch

Executable exe db3330f499a07cf449e3e6f4f43428809d57f5b63923342694468cd6a4f4b943

Snatch

Executable exe d85188c58acb395ae88ad2be1f48044090eb03f125c97692c20787b933bbbd1a

(this sample)

  
X
https://twitter.com/siri_urz/status/1372092381848338438
  
Dropped by
SHA256 db3330f499a07cf449e3e6f4f43428809d57f5b63923342694468cd6a4f4b943
Cape
Cape
https://www.capesandbox.com/analysis/125325/

Comments