MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Petya


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab
SHA3-384 hash: 8189cb71b211656299ee2ba8c1542c802ec227794ad4855be0f580765e4bca060e52167d04ab2c57aac753cfe9b165c4
SHA1 hash: 2a1404ccf09e8c9e616e9f4039d9b98a2e0fa2c8
MD5 hash: 852656b9342fa5b987d15b6c01565e60
humanhash: delaware-cat-golf-shade
File name:PetrWrap.exe
Download: download sample
Signature Petya
Create hunting rule
File size:591'397 bytes
First seen:2024-11-20 23:58:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a1496c94d52a035fe47259ee6587b7 (5 x RemoteManipulator, 2 x CoinMiner, 1 x WSHRAT)
ssdeep 12288:nctEagGmcl4gBF1BRnI6hAVebOe1AFdMpUrMZ9uEIZc0b:aR+cl7X1BRnI6hmebOe1AbHWuEIZcW
Threatray 46 similar samples on MalwareBazaar
TLSH T14FC4AE89E3A84CF8F473A53ADD518509E773380947F4C66F136D560A3F63A9148FAB22
TrID 76.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10522/11/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 0955c64a96985100 (3 x DCRat, 1 x AsyncRAT, 1 x Petya)
Reporter Anonymous
Tags:exe Petya Shingapi.sk Wiper

Intelligence

File Origin
# of uploads :
1
# of downloads :
585
Origin country :
SV SV
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PetrWrap.exe
Verdict:
No threats detected
Analysis date:
2024-11-21 00:01:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/47213461-eb98-494b-9c8a-26b375cca827

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Bulz.677164.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673e78991ff0153667476a2f
Tags:
infosteal autorun petya
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
BSOD occurred
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Low-level writing
Rewriting of the hard drive's master boot record
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/673e77c6a99242316c498071/reports/ca4b4612-88f9-4889-b15e-de59e4e7f258/overview
Verdict:
Malicious
Labled as:
Trojan.BadJoke
Link:
https://www.hybrid-analysis.com/sample/d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab
Malware family:
Petya
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d832a97a-37c8-4148-81f4-7b3931538edc
Result
Threat name:
Babadeda, Petya
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1559853
Signature
Antivirus detection for dropped file
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Found Tor onion address
Infects the boot sector of the hard disk
Infects the VBR (Volume Boot Record) of the hard disk
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs an instant shutdown (NtRaiseHardError)
Writes directly to the primary disk partition (DR0)
Yara detected Babadeda
Yara detected Petya ransomware
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab/
Threat name:
Win64.Trojan.Petya
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 23:59:03 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3e7xhrsgtpkwvvgrxhih4tk3e4n6wdabful4kv3lddv4gvmi5gvq._file
Verdict:
malicious
Label(s):
petya
Create hunting rule
Similar samples:
14e5d0b7662ca8a97c90592f6ff7a012e769704e662651ae68e190252b54cb4c
Petya
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
Petya
66a64168ef1203b08b4dc0cde4b184c4db9023951f5ce9e12e3f93f3fde17c6d
Petya
72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1
Petya
9ec7c031a11035fadb8d1e630761489aa85d512460e77518aa196a6a112c7a06
Petya
d61a8532f713407bd80a5099c818bbed391620e3891af00a68ef584e33be247a
Petya
error
Petya
f390094eef13ebbc342033020bb8fec8f7d44c9fe90c63738d0b161e762e62aa
Petya
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
bootkit persistence
Link:
https://tria.ge/reports/241120-31pf4sxapk/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/91c2c58f-47da-4177-a115-fd738e43e088
Unpacked files
SH256 hash:
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
MD5 hash:
81a7a946456f1f6dae4715b1feb72ed0
SHA1 hash:
af83b938017efd53f95671adc0c6d2aa1088d38e
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/999825ed-7b73-4da9-a840-6795ed84e7a1/
SH256 hash:
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
MD5 hash:
af2379cc4d607a45ac44d62135fb7015
SHA1 hash:
39b6d40906c7f7f080e6befa93324dddadcbd9fa
Link:
https://www.unpac.me/results/999825ed-7b73-4da9-a840-6795ed84e7a1/
SH256 hash:
d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab
MD5 hash:
852656b9342fa5b987d15b6c01565e60
SHA1 hash:
2a1404ccf09e8c9e616e9f4039d9b98a2e0fa2c8
Link:
https://www.unpac.me/results/999825ed-7b73-4da9-a840-6795ed84e7a1/
Malware family:
Petya
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d93f73c6469b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Petya

Executable exe d93f73c6469bd56ad4d1b9d07e4d5b271beb0c012d17c5576b18ebc35588e9ab

(this sample)

Wiper

Executable exe 690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

  
Dropping
SHA256 690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
  
Dropping
SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
  
Delivery method
Multiple

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments