MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db3330f499a07cf449e3e6f4f43428809d57f5b63923342694468cd6a4f4b943. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Snatch


Vendor detections: 8



SHA256 hash: db3330f499a07cf449e3e6f4f43428809d57f5b63923342694468cd6a4f4b943
SHA3-384 hash: 52c26fca75119ee8c63019d13ae6508147d529b846d7b21cfaf82a34af8327547b537124f663d12ecc45d24b8c09a31d
SHA1 hash: e13e9062504329d1cf2af65ae7b4290a1024dcff
MD5 hash: b4b2d434294d1314a990d465a91a721f
humanhash: nitrogen-spaghetti-maine-carpet
File name: build.bin
Signature: Snatch
File size: 856'064 bytes
First seen: 2021-03-17 22:21:28 UTC
Last seen: 2021-04-09 11:26:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6ed4f5f04d62b18d96b26d6db7c18840 (235 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep: 24576:NG88qOwK65EQKIP3jahV5HCGkCe2nXRs8tmPDL2LZOP:s9qOfQKIiwGkAX4L2LZ
Threatray: 75 similar samples on MalwareBazaar
TLSH: E1052313E843FE6AC87CCE7394F7442468125CA4C6E07E55B96AEB1C932FDA156BB081
Reporter: Arkbird_SOLG
Tags: Maurigo Ransomware UPX

Intelligence


File Origin
# of uploads: 3
# of downloads: 340
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: build.exe
Verdict: Malicious activity
Analysis date: 2021-03-17 13:27:32 UTC
Tags: ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Changing a file
Reading critical registry keys
Sending a UDP request
Creating a file
Running batch commands
Stealing user critical data
Creating a file in the mass storage device
Deleting volume shadow copies
Encrypting user's files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans
Score: 88 / 100
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
May drop file containing decryption instructions (likely related to ransomware)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Uses bcdedit to modify the Windows boot settings
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph:
Behavior Graph ID: 370506; Sample: build.bin; Start date: 17/03/2021; Architecture: WINDOWS; Score: 88
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Delete shadow copy via WMIC; 2 other signatures
Process build.exe started
  Files dropped: C:\Users\user\Searches\desktop.ini (data); C:\Users\user\Links\desktop.ini (data); C:\Users\user\Favorites\Links\desktop.ini (data); 19 other files (15 malicious)
  Signatures: Drops a file containing file decryption instructions (likely related to ransomware); Deletes shadow drive data (may be related to ransomware); Writes a notice file (html or txt) to demand a ransom; 2 other signatures
  Child processes started: cmd.exe (three instances); 2 other processes
Process cmd.exe (first instance): signature Deletes shadow drive data (may be related to ransomware); started WMIC.exe and conhost.exe
Process cmd.exe (second instance): started conhost.exe and vssadmin.exe
Process cmd.exe (third instance): started conhost.exe
The 2 other processes: each started conhost.exe
Threat name: Win32.Ransomware.Encoder
Status: Malicious
First seen: 2021-03-17 12:49:46 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: ransomware upx
Behaviour
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops desktop.ini file(s)
Modifies extensions of user files
UPX packed file
Deletes shadow copies
Unpacked files
SHA256 hash: da273c6062c7fe4f69998113d6cabb51998f857194f9bd126343a8603d8200ff
MD5 hash: 02f81bb9649ac7a3697d66fe1f1b4ea6
SHA1 hash: 2af443cb5c247a78d54b6ca8cd8f67535f66228f
SHA256 hash: db3330f499a07cf449e3e6f4f43428809d57f5b63923342694468cd6a4f4b943
MD5 hash: b4b2d434294d1314a990d465a91a721f
SHA1 hash: e13e9062504329d1cf2af65ae7b4290a1024dcff
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cryptocoin_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: detects command variations typically used by ransomware
Rule name: QnapCrypt
Author: Intezer Labs
Reference: https://www.intezer.com
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.