MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Makop
Vendor detections: 6

SHA256 hash: dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
SHA3-384 hash: 05d8a4f19abc6f7006ae2b0b2ebed7d183c9d4d7637edc7c2b5948927c3e8b960551a90a7600042751e2e0651ece1575
SHA1 hash: 8c427b861ce4cd4f9137d694c26542ce16b4ebcd
MD5 hash: 25700dce3a33c6a0ab9027c63ce2ef81
humanhash: tennis-london-mexico-carolina
File name: (경력사항도 같이 기재하였으니 참고부탁드립니다).exe (Korean; the parenthetical reads "I have also listed my career details, so please refer to them", a job-application lure)
Signature: Makop
File size: 304'367 bytes
First seen: 2021-03-03 12:50:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla). An imphash shared with unrelated families identifies a common loader stub rather than the payload; compare the NullSoft Installer YARA match below before pivoting on it.
ssdeep: 3072:PomnzVincQDKgcTIXgnQiQlo4SssssIkHY/a4o3bvx4oIQFAzKDFRD6dtJn:PtZoXgnQiKo4+Y0vIAA+PD6dt1
Threatray: 11 similar samples on MalwareBazaar
TLSH: 6054B13862F0A352D075423147E2C5346AE15F28DEE1D30BE2B42E2AB756ED93D8958F
Reporter: Jirehlov
Tags: exe makop Ransomware

Intelligence


File Origin
# of uploads: 1
# of downloads: 345
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 이력서(경력사항도 같이 기재하였으니 참고부탁드립니다).exe (Korean: "Resume (I have also listed my career details, so please refer to them).exe")
Verdict: No threats detected
Analysis date: 2021-03-03 10:51:58 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness: (no value given)
Behaviour
Creating a window
Sending a UDP request
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary; depending on context, the presence of a binary may be suspicious or malicious.
Result
Threat name: Makop Oled
Detection: malicious
Classification: rans.evad
Score: 100 / 100
Signature
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (overwrites its own PE header)
Maps a DLL or memory area into another process
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Delete shadow copy via WMIC
Sigma detected: WannaCry Ransomware
Writes many files with high entropy
Yara detected Makop ransomware
Yara detected Oled Ransomware
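The signature "Writes many files with high entropy" above is the file-system side of ransomware encryption: each document is overwritten with ciphertext that is statistically indistinguishable from random bytes. The following is an added example (not MalwareBazaar's or the sandbox vendor's code) of how a host monitor can turn that observation into an alert. The write events are constructed in memory, and the entropy threshold, burst size and time window are my own assumptions; they are deliberately set so that a user saving a few compressed photos (also high entropy) does not trip the rule, only a process that rewrites many files in a short time does.

```python
"""Flag a process that writes many high-entropy files in a short burst.

Added example; not MalwareBazaar's or the sandbox vendor's code.  The
write events below are constructed, and the threshold (7.5 bits/byte),
burst size (20 files) and window (10 s) are assumptions.
"""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data, threshold=7.5, min_size=512):
    """Ciphertext and compressed data both score near 8.0; very small
    files are skipped because the estimate is meaningless for them."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def find_mass_encryption(writes, burst=20, window=10.0):
    """writes: iterable of (timestamp_seconds, pid, path, data).

    Returns {pid: total_high_entropy_writes} for every process that wrote
    at least `burst` high-entropy files inside any `window` seconds.  The
    burst requirement is what separates an encryptor from a user copying
    a handful of JPEGs or ZIP archives."""
    high = defaultdict(list)
    for ts, pid, _path, data in writes:
        if is_high_entropy(data):
            high[pid].append(ts)
    flagged = {}
    for pid, stamps in high.items():
        stamps.sort()
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window:
                flagged[pid] = len(stamps)
                break
    return flagged


def build_sample_writes():
    """Constructed telemetry: an encryptor (PID 1234) rewriting 30 documents
    in three seconds, and a benign user (PID 777) saving three compressed
    photos and ten plain-text notes."""
    rng = random.Random(1)  # deterministic so the example is reproducible

    def rnd(n):
        # stands in for ciphertext or compressed data
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly report: revenue, headcount, roadmap. " * 100
    writes = []
    for i in range(30):
        writes.append((i * 0.1, 1234, f"C:\\Users\\user\\Documents\\doc{i}.xlsx", rnd(4096)))
    for i in range(3):
        writes.append((i * 1.0, 777, f"C:\\Users\\user\\Pictures\\img{i}.jpg", rnd(4096)))
    for i in range(10):
        writes.append((i * 0.2, 777, f"C:\\Users\\user\\Documents\\notes{i}.txt", text))
    return writes


if __name__ == "__main__":
    for pid, count in find_mass_encryption(build_sample_writes()).items():
        print(f"PID {pid}: {count} high-entropy writes in a burst, possible mass encryption")
```

In production the timestamps, PIDs and contents come from the file-system driver or EDR write events; the entropy check should run on the written buffer, not by re-reading the file, since the encryptor may already have renamed or locked it.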
Behaviour
Behavior Graph:
Behavior Graph ID: 361972. Sample: 8#Ub2e4).exe (the sandbox's renamed copy of the submitted file). Start date: 03/03/2021. Architecture: WINDOWS. Score: 100.

Top-level signatures: Sigma detected: WannaCry Ransomware; Multi AV Scanner detection for submitted file; Yara detected Oled Ransomware; 5 other signatures.

Process tree (node numbers are the graph's own):
- 8#Ub2e4).exe (node 8), started from root
    dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
    signatures: Detected unpacking (overwrites its own PE header); Maps a DLL or memory area into another process; Writes many files with high entropy
    - 8#Ub2e4).exe (node 18)
        network: 192.168.2.1 (unknown)
        dropped: {DDF571F2-BE98-426...0000000000000001.db (data); {6AF0698E-D558-4F6...0000000000000003.db (data); {6AF0698E-D558-4F6...0000000000000001.db (data); 45 other malicious files
        signatures: Creates files in the recycle bin to hide itself; Opens the same file many times (likely Sandbox evasion)
        - cmd.exe (node 25)
            signatures: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Deletes the backup plan of Windows
            - WMIC.exe (node 33)
            - conhost.exe (node 35)
            - wbadmin.exe (node 37)
            - vssadmin.exe (node 39)
        - 8#Ub2e4).exe (node 28)
            dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
            signatures: Maps a DLL or memory area into another process
            - 8#Ub2e4).exe (node 41)
- wbengine.exe (node 12), started from root
    signatures: Creates files inside the volume driver (system volume information)
- WerFault.exe (node 14), started from root
    - explorer.exe (node 23), injected
        - WerFault.exe (node 31)
- 5 other processes started from root
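The cmd.exe node in the graph fans out into WMIC.exe, wbadmin.exe and vssadmin.exe, which is the shadow-copy and backup-catalog destruction step that the "Sigma detected: Delete shadow copy via WMIC" and "Deletes the backup plan of Windows" signatures describe. The following is an added example (not MalwareBazaar's, the sandbox vendor's, or the Sigma project's code) of detecting that chain from process-creation telemetry: single destructive commands are matched per event, and a parent that spawns two or more distinct ones is reported as a chain. The events are constructed to resemble Sysmon Event ID 1 records (Image, CommandLine, ProcessId and ParentProcessId are Sysmon's field names); the PIDs and the rule patterns are my own assumptions, and a bare "vssadmin list shadows" from an administrator is included to show it stays quiet.

```python
"""Detect the WMIC / wbadmin / vssadmin backup-destruction chain from
process-creation events.

Added example; not MalwareBazaar's, the sandbox vendor's or the Sigma
project's code.  SAMPLE_EVENTS is constructed; field names follow Sysmon
Event ID 1, PIDs and patterns are assumptions.
"""
import re

# (rule name, expected image basename, command-line pattern).  Matching
# on both image and arguments keeps "vssadmin list shadows" from firing.
RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage", "vssadmin.exe",
     re.compile(r"\bresize\s+shadowstorage\b.*\bmaxsize=", re.I)),
    ("wmic_shadowcopy_delete", "wmic.exe",
     re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog", "wbadmin.exe",
     re.compile(r"\bdelete\s+(catalog|backup|systemstatebackup)\b", re.I)),
]


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event):
    """Names of every rule that matches one process-creation event."""
    name = image_name(event["Image"])
    return [rule for rule, image, pattern in RULES
            if name == image and pattern.search(event["CommandLine"])]


def detect(events, min_rules=2):
    """Return (per-event hits, chains).  A chain is a parent PID that
    spawned at least `min_rules` distinct destructive commands, which is
    the cmd.exe fan-out seen in the behavior graph."""
    hits = []
    by_parent = {}
    for ev in events:
        for rule in match_event(ev):
            hits.append((ev["ProcessId"], rule))
            by_parent.setdefault(ev["ParentProcessId"], set()).add(rule)
    chains = {ppid: sorted(rules) for ppid, rules in by_parent.items()
              if len(rules) >= min_rules}
    return hits, chains


# Constructed telemetry: cmd.exe (PID 2500) fanning out as in the report,
# plus two benign admin commands under another parent that must stay quiet.
SAMPLE_EVENTS = [
    {"ProcessId": 2501, "ParentProcessId": 2500,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"ProcessId": 2502, "ParentProcessId": 2500,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 2503, "ParentProcessId": 2500,
     "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"ProcessId": 2504, "ParentProcessId": 2500,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ProcessId": 3100, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ProcessId": 3101, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]

if __name__ == "__main__":
    hits, chains = detect(SAMPLE_EVENTS)
    for pid, rule in hits:
        print(f"PID {pid}: {rule}")
    for ppid, rules in chains.items():
        print(f"parent PID {ppid} ran {len(rules)} distinct backup-destruction commands: {rules}")
```

The per-event rules are what a Sigma rule expresses; the parent-level correlation is the extra step that separates a ransomware run from an administrator cleaning up a single stale shadow copy, and it is cheap because Sysmon already records the parent PID on every event.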
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2021-03-03 12:50:13 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Enumerates physical storage devices
Unpacked files
- SHA256 a5e3f7722107a9ca0f8893c36463959f2e4482e08d211e4ad182f79380ae1a34, MD5 278032e27fad6d9e65595c5566c449f4, SHA1 9f60b017e4bd3c8b9701a6f4ac123bacceca38f4
- SHA256 dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde, MD5 25700dce3a33c6a0ab9027c63ce2ef81, SHA1 8c427b861ce4cd4f9137d694c26542ce16b4ebcd (the submitted sample itself)

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: RANSOM_makop
Author: Marc Rivero | McAfee ATR Team
Description: Rule to detect the unpacked Makop ransomware samples

Rule name: SUSP_NullSoftInst_Combo_Oct20_1
Author: Florian Roth
Description: Detects suspicious NullSoft Installer combination with common Copyright strings
Reference: https://twitter.com/malwrhunterteam/status/1313023627177193472

File information

This section lists additional information about the sample, such as delivery method and external references; none is recorded for this entry.