MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c
SHA3-384 hash: de2c0f5b673bae4334d77d5c9e81a64ff060a3ca7649b69f687e15a16331ba3ed85081c9645c297416211a64c2bad37f
SHA1 hash: 4d0957d87e700367d62f974af56b358bafe588b8
MD5 hash: 784fe6761824ce0d7dd9252200b2ca55
humanhash: undress-romeo-network-pluto
File name:e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c
Download: download sample
File size:1'319'424 bytes
First seen:2021-09-28 09:21:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02ed3575b7f1b355edc24642727fb2e7 (4 x VoidCrypt, 1 x CoinMiner, 1 x Ouroboros)
ssdeep 24576:ehPO3HkozHUaovTh7/hcEm5vc/TK0xNd58u5m5I7Tbie7e9xHcXL+klUQJ9qW:b3H1HDURiAmyDhXL+gUQPx
Threatray 9 similar samples on MalwareBazaar
TLSH T1AA55BF21BA03D0B2D45501F089BCAB7B4A7CED685B305AC7E7C46E3D99311C1AF3769A
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c
Verdict:
Malicious activity
Analysis date:
2021-09-28 09:31:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c610e0c-a1f0-4b8a-a559-5c138925fd90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Spyro
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192605/
Detection(s):
Win.Ransomware.Vipasana-9783618-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Malware family:
Ouroboros
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/434c8177-0d57-4ec2-952d-ab5ade65670f
Result
Threat name:
Voidcrypt
Create hunting rule
Detection:
malicious
Classification:
rans.spre.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860188
Signature
Creates files in the recycle bin to hide itself
Disables security and backup related services
Disables the windows firewall (over ALG)
Drops executable to a common third party application directory
Drops PE files to the startup folder
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: WannaCry Ransomware
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Voidcrypt Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492622 Sample: gjj5j4awEl Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 65 canonicalizer.ucsuri.tcs 2->65 71 Sigma detected: WannaCry Ransomware 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected Voidcrypt Ransomware 2->75 77 Machine Learning detection for dropped file 2->77 9 gjj5j4awEl.exe 66 2->9         started        signatures3 process4 dnsIp5 67 api.my-ip.io 157.245.5.40, 443, 49767 DIGITALOCEAN-ASNUS United States 9->67 69 127.0.0.1 unknown unknown 9->69 57 C:\ProgramData\Microsoft\...\gjj5j4awEl.exe, PE32 9->57 dropped 59 {DDF571F2-BE98-426...0000000000000001.db, DOS 9->59 dropped 61 C:\ProgramData\...\AcroRdrDCUpd1901220034.msp, DOS 9->61 dropped 63 163 other malicious files 9->63 dropped 79 Creates files in the recycle bin to hide itself 9->79 81 Writes a notice file (html or txt) to demand a ransom 9->81 83 Drops PE files to the startup folder 9->83 85 7 other signatures 9->85 14 cmd.exe 1 9->14         started        17 cmd.exe 1 9->17         started        19 cmd.exe 1 9->19         started        21 11 other processes 9->21 file6 signatures7 process8 signatures9 87 Uses netsh to modify the Windows network and firewall settings 14->87 23 net.exe 1 14->23         started        25 conhost.exe 14->25         started        27 net.exe 1 17->27         started        29 conhost.exe 17->29         started        31 net.exe 1 19->31         started        33 conhost.exe 19->33         started        35 net.exe 1 21->35         started        37 net.exe 21->37         started        39 15 other processes 21->39 process10 process11 41 net1.exe 1 23->41         started        43 net1.exe 1 27->43         started        45 net1.exe 1 31->45         started        47 net1.exe 1 35->47         started        49 net1.exe 37->49         started        51 net1.exe 39->51         started        53 net1.exe 39->53         started        55 net1.exe 39->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c/
Threat name:
Win32.Ransomware.Amnesia
Create hunting rule
Status:
Malicious
First seen:
2021-09-26 00:38:58 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
318c6717d3881cbc9b1f24325a85e79d5c5768a03387dfb2cf605638a4b45056
33894a6f9df34bfdd9408bf6771ddc3ce32a315287b228a3bef4753e699fd1d3
353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f
49921fa466e1dc65ea6c037726015a69c634fc1631a2e379bfb3d7cf7644bcad
581122114ad28f404b2cc4f8df5d77b6ed447f8f26f862960bb0181776bfacd9
91a66df8eaf8bc989c0e1a296b4bc5c578ceb8bcaf3d256d609480535def3da9
a6f33427a356dca0420466bcc3283592e87caf4c8224c7d50819f69c71edd461
cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion ransomware spyware stealer
Link:
https://tria.ge/reports/210928-lbx9aabean/
Behaviour
NTFS ADS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
Modifies Windows Firewall
Unpacked files
SH256 hash:
e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c
MD5 hash:
784fe6761824ce0d7dd9252200b2ca55
SHA1 hash:
4d0957d87e700367d62f974af56b358bafe588b8
Link:
https://www.unpac.me/results/0392229f-932e-4b08-b73c-893a488ce3d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e615aae714898a4f78dc35243b76440021527835c02cdb904349e412b9631b8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:MALWARE_Win_Spyro
Create hunting rule
Author:ditekSHen
Description:Detects Spyro / VoidCrypt ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192605/

Comments