MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b
SHA3-384 hash: 5c0d9ac6dd57385239d8321f2fa5bf4140826c035b9a2fea5a045dde94e4b2ca7e80af62cf316cc69dd5402416286b91
SHA1 hash: 0f5259812be378bbd764cef94697019075990b4d
MD5 hash: 04a8307259478245cbae49940b6d655a
humanhash: batman-twenty-montana-yankee
File name:d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b
Download: download sample
File size:336'384 bytes
First seen:2021-09-14 08:58:03 UTC
Last seen:2021-10-04 22:38:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 07a0cdd4807510f9323ce2fd61059e50 (1 x LockFile)
ssdeep 6144:nRFozSJuWEogXa7HLTqd2dzjrsDEoERSj4B5z2F6RzZmjO:nRmzSYW32YHCd21j+E5O4BZRlmjO
Threatray 4 similar samples on MalwareBazaar
TLSH T18F64226B22C87B13CA5AD27F81B6F832854DB497C877D037E5085E928CE365CCC9646E
Reporter Finch39487976
Tags:.ATOMSILO exe Ransomware

Intelligence

File Origin
# of uploads :
3
# of downloads :
368
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b
Verdict:
No threats detected
Analysis date:
2021-09-14 09:03:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/139f7071-149e-421e-b5d9-ef0e4db353b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187772/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.34340.32005.3779.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Changing a file
Changing an executable file
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Launching the default Windows debugger (dwwin.exe)
Creating a file in the mass storage device
Encrypting user's files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61750e0f9a5a1e91c5d2010e/reports/3f5d2b25-4d20-4d16-959d-6a7269cf2a88/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1386299-a4d9-43eb-a242-df6d7da0b088
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/850532
Signature
Antivirus / Scanner detection for submitted sample
Creates HTA files
Detected unpacking (changes PE section rights)
Found potential dummy code loops (likely to delay analysis)
Found Tor onion address
Multi AV Scanner detection for submitted file
Potential time zone aware malware
Self deletion via cmd delete
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b/
Threat name:
Win64.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-12 11:24:56 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b30e0509075234edd5f46ed054ad56bb6cf8d234341e0c72fe27407027e94de
475df55bf31e8c58a8646cad8863913d3fd2d58b72a48ecef4cb1057efd1268c
e3f297dcc0aac80152ba1af99a2c4c101a1ee88759900da7cdfcc9cb5955f06d
f8b132d8c750482bd5b6f03bae58f6805fb3480ef0904a21f0111ede5a1ebb1b
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Link:
https://tria.ge/reports/210914-kw6kqaaddr/
Behaviour
Modifies Internet Explorer settings
Runs ping.exe
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Deletes itself
Drops startup file
Modifies extensions of user files
Unpacked files
SH256 hash:
d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b
MD5 hash:
04a8307259478245cbae49940b6d655a
SHA1 hash:
0f5259812be378bbd764cef94697019075990b4d
Link:
https://www.unpac.me/results/25299875-fd5a-457a-b050-8c293c524f1a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d9f7bb98ad01/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
SNC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/siri_urz/status/1437664046556274694
Cape
Cape
https://www.capesandbox.com/analysis/187772/

Comments