MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


UniWinniCrypt


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61
SHA3-384 hash: 34930a531bb2a1dc81a99942e240adbfe3fc848dcc310451e3be00984fe3dc745bd294664683de3966c64612b259b8a8
SHA1 hash: 731b4b98b798af8b27ece271305d2359832f4c81
MD5 hash: c839a6834522a00faa53b0e8873e4f22
humanhash: sweet-carolina-moon-alanine
File name:e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61
Download: download sample
Signature UniWinniCrypt
Create hunting rule
File size:911'360 bytes
First seen:2021-04-11 11:12:26 UTC
Last seen:2021-04-11 11:42:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 26f18cc21a1a94a37c34528f6725a908 (1 x UniWinniCrypt)
ssdeep 24576:xhhOa+9EuP99x0XZoVeCe6TXjJpsB8jIyLTGq:xOaeDfz7sUnTGq
Threatray 2 similar samples on MalwareBazaar
TLSH 2B15BF6396A1C0F5C8B7C0B096AA5739FB35785042387FCBA7D81B521F22650B33E799
Reporter fbgwls245
Tags:Ransomware uniwinnicrypt

Intelligence

File Origin
# of uploads :
3
# of downloads :
377
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61
Verdict:
Malicious activity
Analysis date:
2021-04-06 17:31:28 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/cb74cfb2-d874-4447-83c1-a81b3a02f1ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133565/
Detection(s):
SecuriteInfo.com.Trojan.Encoder.33744.10188.29821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Launching a process
Creating a file
Replacing files
Changing a file
Moving a recently created file
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% subdirectories
Modifying an executable file
Deleting a recently created file
Unauthorized injection to a system process
Deleting of the original file
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
UniWinniCrypt
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/672234
Signature
Allocates memory in foreign processes
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Renames NTDLL to bypass HIPS
Writes to foreign memory regions
Yara detected UniWinniCrypt Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
nymaim
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61/
Threat name:
Win32.Trojan.Nymaim
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 03:27:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ok6s2yxsegks6s6ejdifh7rrvogc6z47d474fts3jwvqdwohzqq._file
Verdict:
malicious
Similar samples:
75ef968283165b8a4fc163a383e2b28a210544fc10c05c914141f36c747ed23e
UniWinniCrypt
f61b83f5c8c63c2074e9445599ab9dacba8ff58ddb594f434157c6deda73d317
UniWinniCrypt
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210411-79jf7ga61x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Enumerates connected drives
Deletes itself
Unpacked files
SH256 hash:
e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61
MD5 hash:
c839a6834522a00faa53b0e8873e4f22
SHA1 hash:
731b4b98b798af8b27ece271305d2359832f4c81
Detections:
win_nymaim_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd2a6884-c936-44b8-baa2-ee02c520969c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nymaim
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_nymaim_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

UniWinniCrypt

Executable exe e395e96b17910ca97a5e2246829ff18d5c617b3cf8f9fe1672da6d580ece3e61

(this sample)

  
X
https://twitter.com/0x4143/status/1377577882445299721
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133565/

Comments