MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
SHA3-384 hash: d930c6887d482b7a03e6e0918d8d581f8d800fe66d5a9ece4e9837b96a9c64f06ab30b336034af4772174beadcc21555
SHA1 hash: 69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0
MD5 hash: 57cc3140477c915e6202e6b1d2f8bb7e
humanhash: blossom-xray-oscar-white
File name: dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
File size: 39'424 bytes
First seen: 2021-09-07 06:10:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 768:B51I4cnvHkMeaEIwCrbjvkTlmx3El3xF00ydemHlTfLIt3GeMd:31Ix/eaZwCXjvY5/F7ygmRfLIt3GF
Threatray: 1 similar samples on MalwareBazaar
TLSH: T16703F19AD193D5DBC46F82775DFA1A03DBA4D9F04A41FCE2717BE8CC21283ADD244846
Reporter: JAMESWT_WT
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 97
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
Verdict: No threats detected
Analysis date: 2021-09-07 07:18:52 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Changing a file
Reading critical registry keys
Creating a file
Launching a process
Creating a window
Deleting a recently created file
Running batch commands
DNS request
Connection attempt
Sending an HTTP GET request
Stealing user critical data
Creating a file in the mass storage device
Enabling autorun with the shell\open\command registry branches
Deleting volume shadow copies
Forced shutdown of a system process
Unauthorized injection to a system process
Encrypting user's files
Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 100 / 100

Signature
Contains functionality to create processes via WMI
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Found Tor onion address
Maps a DLL or memory area into another process
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Svchost Process
Yara detected Conti ransomware
Behaviour
Behavior Graph (ID: 478711, Sample: ssPX4LUt2E, Start date: 07/09/2021, Architecture: WINDOWS, Score: 100), as recovered from the flattened graph rendering:

Sample-level signatures: Multi AV Scanner detection for submitted file; Found ransom note / readme; Yara detected Conti ransomware; 7 other signatures
Processes started by the sample: loaddll64.exe, vssadmin.exe, cmd.exe, 9 other processes

loaddll64.exe
  Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
  Started: cmd.exe
  Injected into: sihost.exe, fontdrvhost.exe, svchost.exe

vssadmin.exe
  Signatures: Creates processes via WMI
  Started: conhost.exe

cmd.exe (started by the sample)
  Started: 2 other processes

9 other processes (started by the sample)
  Started: conhost.exe, conhost.exe, 5 other processes

cmd.exe (started by loaddll64.exe)
  Signatures: Creates processes via WMI
  Started: rundll32.exe

sihost.exe (injected by loaddll64.exe)
  Dropped: C:\Users\user\DesktopOWRVPQCCS.jpg (data); C:\Users\user\Desktop\...FOYFBOLXA.docx (data); C:\Users\user\Desktop\...\BJZFPPWAPT.png (data)
  Signatures: Modifies existing user documents (likely ransomware behavior)
  Started: cmd.exe, cmd.exe, cmd.exe, 3 other processes

fontdrvhost.exe (injected by loaddll64.exe)
  Started: WMIC.exe, cmd.exe, 4 other processes

svchost.exe (injected by loaddll64.exe)
  Started: 6 other processes

rundll32.exe (started by cmd.exe under loaddll64.exe)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
  Started: 3 other processes

cmd.exe, cmd.exe, cmd.exe (started by sihost.exe)
  Each started: 2 other processes

WMIC.exe (started by fontdrvhost.exe)
  Signatures: Creates processes via WMI
  Started: conhost.exe

cmd.exe (started by fontdrvhost.exe)
  Started: conhost.exe

3 other processes (started by sihost.exe): started 4 other processes
4 other processes (started by fontdrvhost.exe): started 4 other processes
6 other processes (started by svchost.exe): started 10 other processes

conhost.exe (started by WMIC.exe under fontdrvhost.exe)
  Signatures: Creates processes via WMI

conhost.exe (started by cmd.exe under fontdrvhost.exe)
  Started: conhost.exe

3 other processes (started by rundll32.exe)
  Network: 192.168.2.1 (unknown unknown)
  Dropped: C:\Users\Public\readme.txt (data)
  Started: WMIC.exe, WMIC.exe, cmd.exe, 5 other processes

WMIC.exe, WMIC.exe, cmd.exe (started by the 3 other processes above)
  Each started: conhost.exe

5 other processes (started by the 3 other processes above)
  Started: conhost.exe, conhost.exe, conhost.exe
Threat name: Win64.Trojan.Convagent
Status: Malicious
First seen: 2021-09-06 20:20:50 UTC
File Type: PE+ (Dll)
AV detection: 7 of 43 (16.28%)
Threat level: 5/5

Result
Malware family: magniber
Score: 10/10
Tags: family:magniber ransomware

Behaviour
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Modifies extensions of user files
Deletes shadow copies
Magniber Ransomware
Process spawned unexpected child process
Unpacked files
SHA256 hash: dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
MD5 hash: 57cc3140477c915e6202e6b1d2f8bb7e
SHA1 hash: 69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments