MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db8b499d613b604a439bca37c3be2f578bdfcde1b2271eccbcf22db85996e785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ragnarok


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db8b499d613b604a439bca37c3be2f578bdfcde1b2271eccbcf22db85996e785
SHA3-384 hash: 4d001c687904b860f35783bc32269bac5df98b23bf34baeb507a9656f29b60e64dcbca94c10838befc13c1ec0ab8d955
SHA1 hash: 260c54f8ef9450d2366794f35d0b291bdc133ec5
MD5 hash: e134d5a91ed31516566a091c0caa76fe
humanhash: white-cardinal-enemy-lamp
File name:db8b499d613b604a439bca37c3be2f578bdfcde1b2271eccbcf22db85996e785
Download: download sample
Signature Ragnarok
Create hunting rule
File size:233'984 bytes
First seen:2022-04-24 03:13:17 UTC
Last seen:2022-04-24 03:33:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4aad01e653e8700334c4e14fafa9909 (1 x Ragnarok)
ssdeep 3072:PaOtRGsL8/MmCtAyBsli4bnQC2mCr/yXt5NKMxyNuX987URxf+zgTP7VZKf:PhGsL8kfAyBslvAyd3KMxomvf+iC
Threatray 1'658 similar samples on MalwareBazaar
TLSH T14134BF01B552C031E6B3157A62BDDBB94D3D7A301B2996DB57880B62DE700E2B738F4B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter petikvx
Tags:exe ragnarok Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
780
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
db8b499d613b604a439bca37c3be2f578bdfcde1b2271eccbcf22db85996e785
Verdict:
Malicious activity
Analysis date:
2020-02-22 10:12:27 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/e2998928-b475-4100-b57f-bd7f9a0e88d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ragnarok
Create hunting rule
Link:
https://www.capesandbox.com/analysis/266157/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.31080.8060.2163.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the process to change network settings
Searching for synchronization primitives
Launching a service
Changing a file
Creating a file
Moving a file to the %AppData% subdirectory
Creating a window
Deleting volume shadow copies
Preventing system recovery
Firewall traversal
Enabling autorun for a service
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
filecoder greyware ragnar ragnarok
Link:
https://www.filescan.io/uploads/6264c07a448aa6d887a40c47/reports/8ed62f69-1aa1-4d0d-a97b-e4046529d4ee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed89c2d0-7231-4f17-8e41-1961c6111266
Result
Threat name:
Ragnarok
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981999
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Detected suspicious e-Mail address in disassembly
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Modification of Boot Configuration
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Yara detected Ragnarok ransomware
Yara detected RansomwareGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 614485 Sample: sF3pdr7k4a Startdate: 24/04/2022 Architecture: WINDOWS Score: 100 34 Antivirus / Scanner detection for submitted sample 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Ragnarok ransomware 2->38 40 5 other signatures 2->40 7 sF3pdr7k4a.exe 10 2->7         started        process3 file4 28 C:\Users\user\Desktop\ZSSZYEFYMU.png, data 7->28 dropped 30 C:\Users\user\Desktop\ONBQCLYSPU.png, data 7->30 dropped 32 C:\Users\user\DesktopWZCVGNOWT.jpg, data 7->32 dropped 42 Uses bcdedit to modify the Windows boot settings 7->42 44 Modifies the windows firewall 7->44 46 Detected suspicious e-Mail address in disassembly 7->46 48 Modifies existing user documents (likely ransomware behavior) 7->48 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 2 other processes 7->18 signatures5 process6 signatures7 50 May disable shadow drive data (uses vssadmin) 11->50 52 Deletes shadow drive data (may be related to ransomware) 11->52 54 Uses netsh to modify the Windows network and firewall settings 11->54 20 vssadmin.exe 1 11->20         started        56 Uses bcdedit to modify the Windows boot settings 14->56 22 bcdedit.exe 8 1 14->22         started        24 bcdedit.exe 7 1 16->24         started        26 netsh.exe 3 18->26         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db8b499d613b604a439bca37c3be2f578bdfcde1b2271eccbcf22db85996e785/
Threat name:
Win32.Ransomware.Ragnarok
Create hunting rule
Status:
Malicious
First seen:
2020-01-09 17:55:14 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ofuthlbhnqeuq43zi34hprpk6f57tpbwitr5tf46iw3qwmw46cq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
Ragnarok
1ac5871f2a0cb7448f6f7d6cbf6602954589bf34940e899ba284730bb9623b2e
Ragnarok
35616cb24994c8f53d586c6a5959c1011331e4c224be38bb5de08ee89378ecb8
Ragnarok
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
Ragnarok
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
Ragnarok
716408476bc23c3e74a852ed6246dd60e8ed18533bedc13d4984279c97cd1a74
Ragnarok
8e8caa79da5237c8973fa2490bfd316a5001e5ed3a5175c9f7d5d2f84cd009f7
Ragnarok
bb5ec56740f8e99fe4bf5b43e7fd7db75d678a7273dd418060b610e60185cc20
Ragnarok
cf5b221512a74ec01429790f7fadaefe27889258c89c4053e0d10e78b1619760
Ragnarok
d0f8a2be536ca434da7734bd318d2a88ea5005f47d518c30ff611185f42c3701
Ragnarok
+ 1'648 additional samples on MalwareBazaar
Result
Malware family:
ragnarok
Create hunting rule
Score:
  10/10
Tags:
family:ragnarok evasion ransomware spyware stealer
Link:
https://tria.ge/reports/220424-drbffscagr/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Modifies Windows Firewall
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Ragnarok
Unpacked files
SH256 hash:
db8b499d613b604a439bca37c3be2f578bdfcde1b2271eccbcf22db85996e785
MD5 hash:
e134d5a91ed31516566a091c0caa76fe
SHA1 hash:
260c54f8ef9450d2366794f35d0b291bdc133ec5
Link:
https://www.unpac.me/results/a1b57928-c9c0-485e-93b7-80b94101bf9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db8b499d613b604a439bca37c3be2f578bdfcde1b2271eccbcf22db85996e785

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:myGozi
Create hunting rule
Rule name:pdb2
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266157/

Comments