MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1478f0eb8726ded131b456c701058b7791412a40d17f4b904d9c4bc133cc2bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1478f0eb8726ded131b456c701058b7791412a40d17f4b904d9c4bc133cc2bf
SHA3-384 hash: 10daa71e27af3b0e20aee565995f0ac9c259184136f364df7760169bcde5c8b79142043ce4d90d10beec77b7c134845f
SHA1 hash: 5ea841079e11e9710c935e8997f8e6690142adc0
MD5 hash: 27d160966f17b7b1ec2c59e9461a98d9
humanhash: july-pennsylvania-mirror-winter
File name:27d16096_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:1'090'048 bytes
First seen:2021-05-05 08:03:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 135a1fbbd836f19f6734a7f7beb7cd3c (1 x VirLock)
ssdeep 24576:/WYpxog/ibOruoRtkI3h+/TpetCJG13xBf:/WOoZatkI3Mp+Cqx9
Threatray 163 similar samples on MalwareBazaar
TLSH 4035D0161433D9F2BA714A7274BB74E740654DE26F631C321CAE0D67A933DF4CAB8889
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149971/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6803820-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
DNS request
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Searching for the window
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1478f0eb8726ded131b456c701058b7791412a40d17f4b904d9c4bc133cc2bf/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 00:53:41 UTC
AV detection:
47 of 48 (97.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
36f5b30256119951b473fb8afb278276aa4a246188cc49d52f13c134f3845661
VirLock
39917b97b330137a020c19ba7049cce5a7f580f7847b9ce9fbe1f137bf77dcfc
VirLock
5dcbbdb1d5a8b47a50a05b2cf13963139075616f4b6de2db2232aa73bde800c1
VirLock
89164a030c95d2445557ae7a793a7ab7d849b628fbafb0f483100c580a043a93
VirLock
904c908a4fbde1b76cc9466543fa36b18fc861efaafc315a1481634feb2ccff8
VirLock
a1de40b9a49349b4010ef253917ca7cbeb8cad2789d5cc44fba5b0bf9ee666ee
VirLock
a97731ed4b5723b44f9f6b84f3ae3b213f5d9783ee420a40a336b19c486300d3
VirLock
afc137d1a965052d7996e394d0763037002ad317606d0358b2f8d529331474ff
VirLock
baeb7f87041595c27abc2df4fd3cbdea1e21144bcd7d9e2bbc3b6251e4af0370
VirLock
c6b61962c4806e1841730e22c0c6eb15d23f84482ae26fa9cf386b5228a52fbc
VirLock
+ 153 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210505-bj17z412vn/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
76a9c8b969715c3615f3b4ebea90e9210283f4fbf457ea28ac08a932c562c471
MD5 hash:
69fa2a8f53881c427f2dbb15e19b5ea7
SHA1 hash:
3f137fa26fc3a701ab05c733427a9ce426125b71
Link:
https://www.unpac.me/results/69d65e8b-584c-4c2e-8a9b-940b534dd018/
SH256 hash:
2482b80d42b03b6b87d443d23e632915f13f8209f52fb001cd39f403b122d1fd
MD5 hash:
e0bf97adf2cca29a12a8da1db3d7e3bb
SHA1 hash:
57393c55db7c1a0f10a436eec4c05739e58037c3
Link:
https://www.unpac.me/results/69d65e8b-584c-4c2e-8a9b-940b534dd018/
SH256 hash:
e1478f0eb8726ded131b456c701058b7791412a40d17f4b904d9c4bc133cc2bf
MD5 hash:
27d160966f17b7b1ec2c59e9461a98d9
SHA1 hash:
5ea841079e11e9710c935e8997f8e6690142adc0
Link:
https://www.unpac.me/results/69d65e8b-584c-4c2e-8a9b-940b534dd018/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
VirLock
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1478f0eb8726ded131b456c701058b7791412a40d17f4b904d9c4bc133cc2bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149971/

Comments