MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TeslaCrypt


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
SHA3-384 hash: 578677ce1d6ab636947bbd1c9517a6b78ead2262ab08b4f40477cc7304899c1a377f4e115a83ef81cf8ead0bcf1e33fc
SHA1 hash: 1bb17eef59764e84f95b7a5c0aad649b8517ee43
MD5 hash: 48ea3794091a9f17e12f5c1a90e1f7d7
humanhash: virginia-bakerloo-carpet-carolina
File name:wqm58yk7.exe
Download: download sample
Signature TeslaCrypt
Create hunting rule
File size:106'496 bytes
First seen:2021-01-22 08:01:40 UTC
Last seen:2021-01-22 10:12:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:otcvKR5Kkzk1s6eKSEqlcRHG9fHdJM9F+f:JoFEqlc09fd6U
Threatray 4 similar samples on MalwareBazaar
TLSH 20A3278497824625CFCFC6B4A4615B74B374B2C32134D73A2DEA76E916237D41A38ECB
Reporter ffforward
Tags:exe teslacrypt

Intelligence

File Origin
# of uploads :
2
# of downloads :
342
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://iffusedtrac.xyz/3/bbc.exe
Verdict:
Malicious activity
Analysis date:
2021-01-22 11:48:38 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/0bf53fe6-90ea-4337-93c8-268364a5a236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Teslacrypt
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113464/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.6.Gen.23779.22771.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending a UDP request
Launching a process
Running batch commands
Launching the process to change the firewall settings
Searching for the window
Blocking the Windows Defender launch
Launching a tool to kill processes
Launching the process to interact with network services
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/588077
Signature
Disables Windows Defender (via service or powershell)
Machine Learning detection for sample
May drop file containing decryption instructions (likely related to ransomware)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343062 Sample: wqm58yk7.exe Startdate: 22/01/2021 Architecture: WINDOWS Score: 64 39 Multi AV Scanner detection for submitted file 2->39 41 May drop file containing decryption instructions (likely related to ransomware) 2->41 43 Machine Learning detection for sample 2->43 45 Disables Windows Defender (via service or powershell) 2->45 7 wqm58yk7.exe 1 2->7         started        process3 dnsIp4 33 192.168.2.1 unknown unknown 7->33 35 192.168.2.10 unknown unknown 7->35 37 12 other IPs or domains 7->37 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->47 11 powershell.exe 22 7->11         started        13 powershell.exe 8 7->13         started        15 powershell.exe 8 7->15         started        17 11 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 7 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56/
Threat name:
ByteCode-MSIL.Ransomware.Thanos
Create hunting rule
Status:
Malicious
First seen:
2021-01-22 08:02:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tlslravz26h34lq5x2jv4mnn6doo3xxkgcxg7pfswkal5fozrla._file
Verdict:
malicious
Similar samples:
7a38f70d923669a989ea52fa1c356c5ac7ccce4067a37782973466102e3d27f6
TeslaCrypt
8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
TeslaCrypt
b99e0b750b3815fec3b292ede3f94524c8bede7d158334295e096518e9cde0ad
TeslaCrypt
fd8c3259b8e80b8220c6053aa9b045676d1e3fe09356ed94b5e47fb5b895ff92
TeslaCrypt
Result
Malware family:
teslacrypt
Create hunting rule
Score:
  10/10
Tags:
family:teslacrypt discovery evasion ransomware trojan
Link:
https://tria.ge/reports/210122-vrb63wpxca/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Runs ping.exe
System policy modification
Discovers systems in the same network
Kills process with taskkill
Modifies registry key
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Drops startup file
Modifies file permissions
Windows security modification
Modifies Windows Firewall
Modifies Windows Defender Real-time Protection settings
TeslaCrypt, AlphaCrypt
Unpacked files
SH256 hash:
dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
MD5 hash:
48ea3794091a9f17e12f5c1a90e1f7d7
SHA1 hash:
1bb17eef59764e84f95b7a5c0aad649b8517ee43
Link:
https://www.unpac.me/results/37866256-a41a-4003-affb-ea5b5f93d478/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
TeslaCrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TeslaCrypt

Excel file xls c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71

TeslaCrypt

Executable exe 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393

TeslaCrypt

Executable exe dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56

(this sample)

  
Dropped by
SHA256 8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
  
URLhaus
https://urlhaus.abuse.ch/url/973697/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113464/
  
URLhaus
https://urlhaus.abuse.ch/url/973904/

Comments