MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryLock

Vendor detections: 9

SHA256 hash: e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923
SHA3-384 hash: ccca3b900ce1e2942a4560f6d46917ec0313e5e06563eab0e42d9e2b979908d9a8bb7da9afa2203761fe3d1d61054f0d
SHA1 hash: c33d4f634662ab4bf905004f8b68f57d3879f7c8
MD5 hash: 88b18bfdb85a55e0d1f1cb4389a69a69
humanhash: asparagus-finch-ohio-louisiana
File name: e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923.bin
Signature: CryLock
File size: 688'128 bytes
First seen: 2020-10-15 01:25:38 UTC
Last seen: 2020-10-15 01:58:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f11da76d204e9f1bc32f5e73b0dc96db (2 x CryLock)
ssdeep: 12288:CjEiyrFmeLmbWAUVAyu2kLV13E4PmKvyscesKxt5Z3y+pIhfJhkiMySTXdv5MiW6:sEbfmbWcymjaxesKxt5Z3y+pIhfJhkiK
Threatray: 1 similar samples on MalwareBazaar
TLSH: C8E46C36B2D1C53AD1261638DC0B93EE5825BE107E25944B3BF53F4DAF382A5352D2A3
Reporter: Arkbird_SOLG
Tags: Crylock Ransomware

Intelligence


File Origin
# of uploads: 2
# of downloads: 200
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
- Creating a window
- Creating a file in the %temp% directory
- Sending a UDP request

Result
Threat name: CryLock
Detection: malicious
Classification: rans.evad
Score: 80 / 100
Signature:
- Antivirus / Scanner detection for submitted sample
- Contains functionality to detect sleep reduction / modifications
- Deletes shadow drive data (may be related to ransomware)
- Icon mismatch, binary includes an icon from a different legit application in order to fool users
- Multi AV Scanner detection for submitted file
- Yara detected CryLock ransomware

Result
Threat name: Win32.Ransomware.FileCryptor
Status: Malicious
First seen: 2020-07-25 07:54:00 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 24 of 29 (82.76%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
- Suspicious behavior: EnumeratesProcesses

Unpacked files
SHA256 hash: e298ac8c4975ff92788ee7049e39b047d0805c2513f7a5ca4b1e98f8b260b923
MD5 hash: 88b18bfdb85a55e0d1f1cb4389a69a69
SHA1 hash: c33d4f634662ab4bf905004f8b68f57d3879f7c8
Detections: win_cryakl_auto

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: win_cryakl_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments