MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Maoloa


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9
SHA3-384 hash: 233becb91b3d78dd6354c2ec3078bdc3a58f46c97c9b008503e093ff892f080d4112ae4a865faaf102e48fd6f20c6de4
SHA1 hash: bfbe30a7e6750df08a93d762b3ac0e403b50f7c2
MD5 hash: 377b6d3152bd8533ba547f1be9d5ef08
humanhash: fillet-burger-football-glucose
File name:1_2.exe
Download: download sample
Signature Maoloa
Create hunting rule
File size:969'728 bytes
First seen:2020-11-29 05:27:49 UTC
Last seen:2020-11-29 07:47:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:zj9z0bjVTdJKzW2GMAfdVPvJXJdejcK+g1FFSXnKzYLnyGe8SDDpd0s:0GGPfzvJvejcKh1FFfzUyzp
Threatray 31 similar samples on MalwareBazaar
TLSH B9252BF450EE10A2F15F853976AEBE9802B2B183DBCA5D48037CF5711BBEA627B0550D
Reporter vm001cn
Tags:Maoloa

Intelligence

File Origin
# of uploads :
2
# of downloads :
287
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105953/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for recently created files
Running batch commands
Changing a file
Changing an executable file
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Searching for the window
Moving a recently created file
Setting a single autorun event
Creating a file in the mass storage device
Launching the process to interact with network services
Launching a tool to kill processes
Enabling autorun by creating a file
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
4444_Ransomware Maoloa
Create hunting rule
Detection:
malicious
Classification:
rans.spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550426
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Disables security and backup related services
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Yara detected 4444_Ransomware
Yara detected Maoloa
Yara detected Ransomware_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324327 Sample: 1_2.exe Startdate: 29/11/2020 Architecture: WINDOWS Score: 100 70 Antivirus detection for dropped file 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 10 other signatures 2->76 10 1_2.exe 18 9 2->10         started        process3 file4 56 C:\Users\user\AppData\Roaming\...\kepler.exe, PE32 10->56 dropped 58 C:\Users\user\AppData\Local\Temp\killer.exe, PE32 10->58 dropped 60 C:\Users\user\...\kepler.exe:Zone.Identifier, ASCII 10->60 dropped 62 C:\Users\user\AppData\Local\...\1_2.exe.log, ASCII 10->62 dropped 84 Creates an undocumented autostart registry key 10->84 86 Injects a PE file into a foreign processes 10->86 14 wscript.exe 1 10->14         started        16 1_2.exe 3 501 10->16         started        signatures5 process6 signatures7 19 killer.exe 8 14->19         started        68 Spreads via windows shares (copies files to share folders) 16->68 22 cmd.exe 16->22         started        process8 signatures9 78 Multi AV Scanner detection for dropped file 19->78 24 cmd.exe 1 19->24         started        27 conhost.exe 19->27         started        process10 signatures11 80 Very long command line found 24->80 82 Disables security and backup related services 24->82 29 cmd.exe 24->29         started        32 cmd.exe 1 24->32         started        34 cmd.exe 1 24->34         started        36 6 other processes 24->36 process12 dnsIp13 64 2.0.0.0 FranceTelecom-OrangeFR France 29->64 38 conhost.exe 29->38         started        66 3.0.0.0 AMAZON-02US United States 32->66 40 conhost.exe 32->40         started        42 sc.exe 1 32->42         started        50 2 other processes 32->50 44 conhost.exe 34->44         started        52 3 other processes 34->52 46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        54 11 other processes 36->54 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9/
Threat name:
ByteCode-MSIL.Trojan.WrapAgent
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 02:24:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4q7qz6eqkmc23ozilf5nevwi4bkh7y6ohrsibfldlqnossvq3o4q._file
Verdict:
malicious
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
Maoloa
05a8800b05cf0c4293f9dcc297873f36691161746aec7b65e31b0e32c8f0bebb
Maoloa
13540d62324d40e8b15db72f32fdf1eb407f4f4d9c4cac05d5f436c39a000df2
Maoloa
238c224cf8d0b76532ae16f8a8d2682436a176909f382b8747e418f42ccaedeb
Maoloa
3ae3550b6baf30136ce9b846725c3322f23ee8428c2984750a2cfe02843993e9
Maoloa
3eb825e55857afc9c56dd4357f4223632fb5f5bb96d3acff8e444278e373eefb
Maoloa
47470dc6911824b1a903197f0d06acedeba47415ebf3d212dd6514a14eec0ded
Maoloa
6b9866969b0dcd61b84d7251526d527c48226564d6681db44bacc9c538538d35
Maoloa
bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080
Maoloa
e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13
Maoloa
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware trojan
Link:
https://tria.ge/reports/201129-r6bnbs7zps/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Discovers systems in the same network
Kills process with taskkill
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Modifies extensions of user files
Executes dropped EXE
Modifies service settings
Stops running service(s)
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/c954c5cb-0a82-4d65-9961-1194112bc7b3/
SH256 hash:
29f893b095ed86606272c63a916110fbea9742aef2c860a9a091df80cceaccd6
MD5 hash:
009487fdfbbff51f8774e479f99e13f8
SHA1 hash:
6f48b7e77f76b1ba1e626a2ccb79f14fd5ed29eb
Link:
https://www.unpac.me/results/c954c5cb-0a82-4d65-9961-1194112bc7b3/
SH256 hash:
eecdebeb7f32e13feaa850a1e934beb0f6ebf16a04d714202664347d7d8b6048
MD5 hash:
86f0acdabd51668f1feffad9e3d03b20
SHA1 hash:
51f1061aa214aea51e6330f1fed883aaf5165da0
Link:
https://www.unpac.me/results/c954c5cb-0a82-4d65-9961-1194112bc7b3/
SH256 hash:
7fe8833fc8fe1afb2c76128b4b68c98320f5005dd9f185a5caa5ff2c6ddc8339
MD5 hash:
80953bfe6d42aa4b1a097c643193ac79
SHA1 hash:
1340919c5deee2cc09bd3d7ddebf29597b020191
Link:
https://www.unpac.me/results/c954c5cb-0a82-4d65-9961-1194112bc7b3/
SH256 hash:
e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9
MD5 hash:
377b6d3152bd8533ba547f1be9d5ef08
SHA1 hash:
bfbe30a7e6750df08a93d762b3ac0e403b50f7c2
Link:
https://www.unpac.me/results/c954c5cb-0a82-4d65-9961-1194112bc7b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105953/

Comments