MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7865bb92711d9564c275ab5c4ca927e1d59f0e5bd66b97248b56805d806a166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WannaCry


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7865bb92711d9564c275ab5c4ca927e1d59f0e5bd66b97248b56805d806a166
SHA3-384 hash: 113c5c29c47b95f5d3f07e4b71c024030068eaaa700b377d3af6e30dd559b5e6f423fb445a5048c3e423428a422ec716
SHA1 hash: 6d50778a151070ed3e43e3fee0dbd778de6f33eb
MD5 hash: f7b5f2070c6aa8605a16be99c476cdca
humanhash: edward-iowa-failed-michigan
File name:2023-02-21_f7b5f2070c6aa8605a16be99c476cdca_neshta_wannacry
Download: download sample
Signature WannaCry
Create hunting rule
File size:2'884'608 bytes
First seen:2023-02-23 05:04:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (253 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 24576:BS4lQMNWi3VesNY8106qPN4K3P0QcejoMZLyiTtiFfkOfEpo:BSy6PX3PpM+P5Idko
Threatray 133 similar samples on MalwareBazaar
TLSH T111D52E3839EA9019F1B3EF7A6FD4B9D7DA9FB7733A0294191081034B4623A81DD9153E
TrID 84.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8f4b27959b2f4e8 (5 x Chaos, 5 x WannaCry)
Reporter petikvx
Tags:WannaCry

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2023-02-21_f7b5f2070c6aa8605a16be99c476cdca_neshta_wannacry
Verdict:
Malicious activity
Analysis date:
2023-02-23 05:05:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1dade774-8ee0-4ba7-911b-e82dc94d4a73

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Chaos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369162/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Ransomware.Hydracrypt-9878672-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a window
Searching for the window
Creating a file
Creating a file in the Program Files subdirectories
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process with a hidden window
Running batch commands
Launching a service
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
neshta overlay shell32.dll virus winlock
Link:
https://www.filescan.io/uploads/63f6f40242bf85850e439916/reports/9eeb46ee-d6c1-4757-9240-a78a09d06142/overview
Verdict:
Malicious
Labled as:
Virus.Neshta
Link:
https://www.hybrid-analysis.com/sample/e7865bb92711d9564c275ab5c4ca927e1d59f0e5bd66b97248b56805d806a166
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f88ad11-9f1f-4edd-891f-64938690eb32
Result
Threat name:
Chaos, Neshta
Create hunting rule
Detection:
malicious
Classification:
rans.spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181075
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Deletes shadow drive data (may be related to ransomware)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Delete shadow copy via WMIC
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Yara detected Chaos Ransomware
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813906 Sample: 1yBZflzmAi.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for dropped file 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 8 other signatures 2->91 10 1yBZflzmAi.exe 4 2->10         started        14 svchost.com 2->14         started        16 svchost.com 2->16         started        process3 file4 75 C:\Windows\svchost.com, PE32 10->75 dropped 77 C:\Users\user\AppData\Local\...\setup.exe, PE32 10->77 dropped 79 C:\Users\user\AppData\...\1yBZflzmAi.exe, PE32 10->79 dropped 81 8 other malicious files 10->81 dropped 113 Creates an undocumented autostart registry key 10->113 115 Drops PE files with a suspicious file extension 10->115 117 Drops executable to a common third party application directory 10->117 119 Infects executable files (exe, dll, sys, html) 10->119 18 1yBZflzmAi.exe 5 10->18         started        23 svchost.exe 1 415 14->23         started        25 svchost.exe 16->25         started        signatures5 process6 dnsIp7 83 192.168.2.1 unknown unknown 18->83 65 C:\Users\user\AppData\Roaming\svchost.exe, PE32 18->65 dropped 67 C:\Users\user\AppData\...\1yBZflzmAi.exe.log, CSV 18->67 dropped 93 Multi AV Scanner detection for dropped file 18->93 95 Drops PE files with benign system names 18->95 27 svchost.exe 4 3 18->27         started        69 C:\Users\user\Desktop\1yBZflzmAi.exe.tdyg, data 23->69 dropped 71 C:\Users\user\AppData\...\svchost.exe.htwk, data 23->71 dropped 97 Deletes shadow drive data (may be related to ransomware) 23->97 99 Drops executables to the windows directory (C:\Windows) and starts them 23->99 101 Uses bcdedit to modify the Windows boot settings 23->101 103 2 other signatures 23->103 30 svchost.com 23->30         started        32 svchost.com 23->32         started        34 svchost.com 23->34         started        file8 signatures9 process10 signatures11 121 Multi AV Scanner detection for dropped file 27->121 123 Deletes shadow drive data (may be related to ransomware) 27->123 125 Uses bcdedit to modify the Windows boot settings 27->125 36 svchost.com 1 27->36         started        40 cmd.exe 30->40         started        42 cmd.exe 32->42         started        44 cmd.exe 34->44         started        process12 file13 73 C:\Windows\directx.sys, ASCII 36->73 dropped 105 Multi AV Scanner detection for dropped file 36->105 107 Deletes shadow drive data (may be related to ransomware) 36->107 109 Uses bcdedit to modify the Windows boot settings 36->109 111 Sample is not signed and drops a device driver 36->111 46 cmd.exe 1 36->46         started        49 conhost.exe 40->49         started        51 vssadmin.exe 40->51         started        53 WMIC.exe 40->53         started        55 conhost.exe 42->55         started        57 conhost.exe 44->57         started        signatures14 process15 signatures16 127 Deletes shadow drive data (may be related to ransomware) 46->127 59 WMIC.exe 1 46->59         started        61 conhost.exe 46->61         started        63 vssadmin.exe 1 46->63         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7865bb92711d9564c275ab5c4ca927e1d59f0e5bd66b97248b56805d806a166/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2023-02-21 22:25:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 25 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46dfxojhchmvmtbhlk24jsuspyovt4hfxvtls4siwvualwagufta._file
Verdict:
malicious
Similar samples:
101580f357d05a637f15eeab3a11c713a7e19d223209b443ce5d4e62346e2869
WannaCry
2cf1affaddac715171d5be89d0c2bfaa3470608efdc12940967fc22fcffde54f
WannaCry
4ee95ee6271482c7939ce3b9db210ffb7a73ceebb6500b978fa3e6fe1d6ea168
WannaCry
a70171a1bc2a7fba0f4dcc65d2f0458f4e08388fcea7fe880c26341dcaaed413
WannaCry
aae66e4930de3e86e7a4095dbba08680278f96f570a0d116e4616c12492a3073
WannaCry
c03f0aebf7867cd5195061605cec8e933575787fc59950b15ae2947dc34a2a42
WannaCry
+ 123 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:chaos family:neshta evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/230223-fqvttagg2y/
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Modifies extensions of user files
Deletes shadow copies
Chaos
Chaos Ransomware
Detect Neshta payload
Neshta
Unpacked files
SH256 hash:
e7865bb92711d9564c275ab5c4ca927e1d59f0e5bd66b97248b56805d806a166
MD5 hash:
f7b5f2070c6aa8605a16be99c476cdca
SHA1 hash:
6d50778a151070ed3e43e3fee0dbd778de6f33eb
Detections:
win_neshta_g0
Create hunting rule
Link:
https://www.unpac.me/results/396db322-60e2-40c4-8e47-7ce166efa0ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7865bb92711/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7865bb92711d9564c275ab5c4ca927e1d59f0e5bd66b97248b56805d806a166

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Author:ditekSHen
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:MALWARE_Win_Chaos
Create hunting rule
Author:ditekSHen
Description:Detects Chaos ransomware
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369162/

Comments