MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


VirLock


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
SHA3-384 hash: f1c03c6394af57416178c57ae252c634b058928720bd57eae21d2c1fe2284de2de4c62b3edfc662ef31fa41c9e1c2e47
SHA1 hash: 096dd9c04db8699f6540e6ab528d958dabe38e8e
MD5 hash: 943b431e5a4e10212e6393cb705029df
humanhash: nitrogen-virginia-lion-dakota
File name:943b431e_by_Libranalysis
Download: download sample
Signature VirLock
Create hunting rule
File size:769'536 bytes
First seen:2021-05-05 08:04:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e89a8b2a76141e89841d10e88dee11e2 (1 x VirLock)
ssdeep 12288:1htoJa/NKF3ugKIo1qVta+p8OI1edbRQr5p7qLxlHN+tCd16btJdujHPZoYATm:1gwNKFe3sVwP0bqrL0RNjd0btirPZKTm
Threatray 12 similar samples on MalwareBazaar
TLSH 9CF48C1A13F88706D542D0B94109527F2DD9D29FFCE4D9965CB3B96A0683AD3EF2203B
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/149975/
Detection(s):
Win.Virus.Virlock-6332874-0
Create hunting rule

Win.Virus.Virlock-6804475-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a service
Launching a service
DNS request
Searching for the window
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220/
Threat name:
Win32.Ransomware.VirLock
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 00:50:14 UTC
AV detection:
47 of 48 (97.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
01b660c91e227a817722d8253374b0e0e535106f116d58c9e7bc74905a6856dd
VirLock
18f98b3e546cd029c9c0a7d3538ee81051feb61ed869b9f9bfc7f2804848c13d
VirLock
3bd7dcf904cb67945b0393b17213877bcec87f8a0ddf2000033ad32a6ac06f8a
VirLock
659b76788cccfc9c993dd9047e86844c7183957478fabe32455dc2a2ddea49fb
VirLock
728406539dbbb175ad0e0f346d6c9e563c7b95507e91c71af64f220a382525cf
VirLock
90d14abdcdbe7d81729865656ad42613ad7067c85b4cf9c6f850238ca0233c80
VirLock
ae4bafd3c3f078bb17813eeeeef9d5c9587c758a492359310690bc2cbc7278be
VirLock
c3cab87bb11691778b8aa91cd39945710eeb947e34ed4b980f0df655ed557b32
VirLock
ce110be24e6986a96b43b83b15c1d8d6a20274e47e677fccb47b97c8818a268c
VirLock
fe0d1bf3cfb9d2c9efa26530095d4541d82b5b80bc73d21d387ca3e37846b5c8
VirLock
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210505-lz7bvjh8px/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SH256 hash:
729d140140c3af5b46031f1a7652b159b08721afa80776f17afe73633800afc1
MD5 hash:
f848a48532cbc478c15234e75fc08e16
SHA1 hash:
3a49dc206a31770853e8307cc7d5b9cbe5739dcb
Link:
https://www.unpac.me/results/6c37ae15-02a6-46fa-b316-ea9c6e4e3220/
SH256 hash:
502418fbfce13dc35fd1776c28fc57402ea05ca5af5f37ef405ee91ed7c9286d
MD5 hash:
cbe7e80d4d856ea1328a215504e351ac
SHA1 hash:
43ae323c4166b3d615b08f30beb7aa45f64bdb6f
Link:
https://www.unpac.me/results/6c37ae15-02a6-46fa-b316-ea9c6e4e3220/
SH256 hash:
54e01d4236a24ed2c2dbd8a9d99038b52c3f64d9ccdbcba7cc0f5cce8a28b129
MD5 hash:
e71038eb8f176f53df835a795325c44d
SHA1 hash:
c22b9cc13e9f715e8441a4a45bfc2b5b28245d10
Link:
https://www.unpac.me/results/6c37ae15-02a6-46fa-b316-ea9c6e4e3220/
SH256 hash:
8a2f15b5d106fa5bd0fbea2bf6fc0332f0104538cee7ea3c05bbdcc21fde90c3
MD5 hash:
ef87e69dc960e72c0cbbe0c22c13a61c
SHA1 hash:
68120a00b7069ed621002ccba91331d648d4faaa
Link:
https://www.unpac.me/results/6c37ae15-02a6-46fa-b316-ea9c6e4e3220/
SH256 hash:
e32e01f3602e769a1b6a7965573648b420035c74fdae200213a992a16044a220
MD5 hash:
943b431e5a4e10212e6393cb705029df
SHA1 hash:
096dd9c04db8699f6540e6ab528d958dabe38e8e
Link:
https://www.unpac.me/results/6c37ae15-02a6-46fa-b316-ea9c6e4e3220/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149975/

Comments