MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Troldesh


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d
SHA3-384 hash: a16fe74e72f8d9fd8c4372d622aa764cafffa3548a778a98d49875ebbfab397fa24fc7bbc19135c0df7db0448862cb7e
SHA1 hash: e70a729a4bbc5de08fa4461d3ba43098cb17b3b6
MD5 hash: 7c8548dc28e0e2b14cfb953f4d2690b3
humanhash: uranus-fix-double-maine
File name:e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d
Download: download sample
Signature Troldesh
Create hunting rule
File size:1'232'141 bytes
First seen:2021-08-30 07:04:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 52b706f9e593f5965899a4a9ea6b3440 (3 x Troldesh)
ssdeep 12288:XpflAzWulcKX7yKCHqknCLv/gEOF0ZV/cgtx61slrEiv/Kc9Rf8/3cwd88888881:BlAzCEMKaMpjt02yiv/7Rf8/MwoTxBB
Threatray 23 similar samples on MalwareBazaar
TLSH T1C5451212B3CB5132F9F6267845BA8C101E6F796C1AE151292C30F62E1C759C69CB6F2F
dhash icon e4a2a2acbb95dbfa (16 x Fabookie, 5 x Emmenhtal, 3 x Troldesh)
Reporter JAMESWT_WT
Tags:exe signed Troldesh

Code Signing Certificate

Organisation:JSWAKOXA
Issuer:JSWAKOXA
Algorithm:sha1WithRSA
Valid from:2019-01-23T05:55:39Z
Valid to:2039-12-31T23:59:59Z
Serial number: -7593b0d41951317dbe22e8a494b2f4e5
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a883064c28be6e3d016af717d952f2e14aff0647189999f091e9c2a33a63c76e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
835
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d
Verdict:
Malicious activity
Analysis date:
2021-08-30 07:20:13 UTC
Tags:
ransomware troldesh shade
Link:
https://app.any.run/tasks/80bf9f3b-6cc8-4044-b624-bae5dfdff353

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183586/
Detection(s):
Win.Malware.Generickdz-9840963-0
Create hunting rule

Win.Malware.Generickdz-9840972-0
Create hunting rule

Win.Packed.Generickdz-9841009-0
Create hunting rule

Win.Malware.Generickdz-9841010-0
Create hunting rule

Win.Malware.Generickdz-9841018-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Connection attempt
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Deleting a recently created file
Sending a custom TCP request
Delayed writing of the file
Sending a UDP request
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e9ebfa9-effa-4673-98ee-c3706f19d5f4
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842000
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionalty to change the wallpaper
Deletes shadow drive data (may be related to ransomware)
Detected CryptOne packer
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
May encrypt documents and pictures (Ransomware)
May use the Tor software to hide its network traffic
Moves / writes many txt or jpg files (may be a ransomware encrypting documents)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Stores a public key to the registry (likely related to ransomware)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474428 Sample: zMPWVyU5xF Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Machine Learning detection for sample 2->79 81 4 other signatures 2->81 8 zMPWVyU5xF.exe 9 25 2->8         started        13 csrss.exe 2->13         started        15 csrss.exe 2->15         started        process3 dnsIp4 67 127.0.0.1 unknown unknown 8->67 69 185.72.244.37 TTMDE Germany 8->69 73 12 other IPs or domains 8->73 51 Jd0DkcuMMIooi4Thg2...rypted000007 (copy), DOS 8->51 dropped 53 C:\Users\user\AppData\...\medianet[1].htm, DOS 8->53 dropped 55 C:\ProgramData\Windows\csrss.exe, PE32 8->55 dropped 63 337 other files (326 malicious) 8->63 dropped 83 Detected CryptOne packer 8->83 85 Stores a public key to the registry (likely related to ransomware) 8->85 87 May disable shadow drive data (uses vssadmin) 8->87 95 6 other signatures 8->95 17 cmd.exe 8->17         started        19 vssadmin.exe 8->19         started        21 cmd.exe 8->21         started        25 14 other processes 8->25 71 192.168.2.1 unknown unknown 13->71 57 pgQ6BkmCchJxyOvSu4...rypted000007 (copy), data 13->57 dropped 59 C:\Users\...\Built-In Building Blocks.dotx, data 13->59 dropped 61 vwaIyNOKvCrO--8xLN...rypted000007 (copy), data 13->61 dropped 65 33 other malicious files 13->65 dropped 23 vssadmin.exe 13->23         started        89 Antivirus detection for dropped file 15->89 91 Multi AV Scanner detection for dropped file 15->91 93 Machine Learning detection for dropped file 15->93 file5 signatures6 process7 process8 27 chcp.com 17->27         started        29 conhost.exe 17->29         started        31 MpCmdRun.exe 19->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 chcp.com 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 24 other processes 25->43 process9 45 conhost.exe 27->45         started        47 chcp.com 27->47         started        49 conhost.exe 31->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Suspicious
First seen:
2021-08-20 01:46:29 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
40 of 46 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4muzqajk6mkhny455wzpojjgtw6qufs5os2tumxf4nm5uoqbeioq._file
Verdict:
malicious
Similar samples:
414bb1af4fbb618c4889d69144c7f66591c6e5294d0ab3b7ea8b774946977cf2
Troldesh
6192163bbb9343a274904093b94d6b12111a88bf24b58cbf9ed2c1463503e022
Troldesh
64f7ee64a85714afa869271965ada1e1ba588b07a205a3a5eda41e9265512b0b
Troldesh
6d6089fee5f86170c5b3485a626cc6073631d09004f298da7b690b12a9482086
Troldesh
701d3db21920f78b8ed2eb6b4286f858277928f50d567c9c6594bd1971e9c07e
Troldesh
c8aa0a26ce1bab524dd88d314d197a2af59b5b67db0fff3d82690b74e7d95c4e
Troldesh
cd2bc2ceb0e1b7d7c31f7a2aec7e838d3a90767ed3d02e1720170875e4a23cb6
Troldesh
df2894b4298be05620b329d27bf0b45314629316fd6a082b6d90bbdfe9bf5a53
Troldesh
e39fd52523f742331dc20ee90a051e456561481ef4c360a40ffaac292cb6c37b
Troldesh
e3f6a7a2d6628adf2956c3c1f387c2bd178b48e170a71368ae3e7f8c20b8e213
Troldesh
+ 13 additional samples on MalwareBazaar
Result
Malware family:
troldesh
Create hunting rule
Score:
  10/10
Tags:
family:troldesh discovery persistence ransomware spyware stealer trojan upx
Link:
https://tria.ge/reports/210830-mbnlj4gptj/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Reads user/profile data of web browsers
Modifies extensions of user files
UPX packed file
Deletes shadow copies
Troldesh, Shade, Encoder.858
Unpacked files
SH256 hash:
a783833aaf77b85746d0520632a71482be1757dfdcc0a82c1102e7df70199018
MD5 hash:
a3075c07faef09600e3fd923838efc65
SHA1 hash:
894a0bdb301d2eb5751da8d1baf505282cc4a38c
Detections:
win_troldesh_auto
Create hunting rule
Link:
https://www.unpac.me/results/4056315b-9222-4f55-b08b-5e8e546656d2/
Parent samples :
c8aa0a26ce1bab524dd88d314d197a2af59b5b67db0fff3d82690b74e7d95c4e
64f7ee64a85714afa869271965ada1e1ba588b07a205a3a5eda41e9265512b0b
6192163bbb9343a274904093b94d6b12111a88bf24b58cbf9ed2c1463503e022
6d6089fee5f86170c5b3485a626cc6073631d09004f298da7b690b12a9482086
cd2bc2ceb0e1b7d7c31f7a2aec7e838d3a90767ed3d02e1720170875e4a23cb6
df2894b4298be05620b329d27bf0b45314629316fd6a082b6d90bbdfe9bf5a53
ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c
62214ccdcb1052b518e6059060daec143430c1ae13a799873ebabea7f3eae217
e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d
8025918ab649e33642c4eb74c2814397e971d5ab68e631e91649354c8dec2be5
c197da0fda316a92c66744bf13c77891e9f39cc10fbfebc42285a8b4761440b5
1e43c5be3ac264cf5eba9bc4647d2004012e283050924da06d5c1da18255a3b1
c659b1a6e09e7d7b98b368984d8d8e70ceee5666e3a7f54cf5a0fd90cc9f0eea
b370a4f93fb6e655f131329f027615c6828cdfc7002d7b0692f5d28e952c2194
d09c59de1d634faf6852ea9cbfa01d721c3f0a50da1fc2798acc0864409888f9
a56e155faefc72a0f5174e27670cd9f8e8c66a646744feedd0211e37f6aef6fb
d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
32c3fc22cab918195b3590ae17a424b5f79c145f6ee8c7d4aff376ce070248fc
62230c1651781d4ab7234fe6d747dc6cc79c1381f4ee15a84cf9a2176dcdc5d9
5ca2121b8b5edb7d1de8afd934299cc83900dd2b4ba80d95b1693b11d06155fd
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/4056315b-9222-4f55-b08b-5e8e546656d2/
SH256 hash:
e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d
MD5 hash:
7c8548dc28e0e2b14cfb953f4d2690b3
SHA1 hash:
e70a729a4bbc5de08fa4461d3ba43098cb17b3b6
Link:
https://www.unpac.me/results/4056315b-9222-4f55-b08b-5e8e546656d2/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e32998012af3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e32998012af31476e39dedb2f725269dbd0a165d74b53a32e5e359da3a01221d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_troldesh_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.troldesh.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183586/

Comments