MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MountLocker


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037
SHA3-384 hash: bd95558c1cbad4e4c940ac5bb428669b78239ab148b3b17190c8bc173f75582373386e9b3cb57897778430c3ef4367b1
SHA1 hash: f9eb40f6d3d4c83852e3781886db762bef8564e0
MD5 hash: 76f547c793b5478b970c64caf04d01d4
humanhash: artist-single-finch-blossom
File name:e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037.bin
Download: download sample
Signature MountLocker
Create hunting rule
File size:544'768 bytes
First seen:2020-11-20 02:36:47 UTC
Last seen:2020-11-20 05:12:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e66d4b0919dff687bb2716747c3d661f (1 x MountLocker)
ssdeep 6144:Q5fW8eILySdSS4JoHjnJVZJQQIreKsuKu3a2WQe0gz+Y:OeILzSS5jnJ/JTu3zWtqY
Threatray 2 similar samples on MalwareBazaar
TLSH 07C42A12F6D1AC40FC5200302625D6B628186876D5459A4BFB8C9F6F7BB19C3F9FA70B
Reporter Arkbird_SOLG
Tags:MountLocker Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Launching a service
Using the Windows Management Instrumentation requests
Forced system process termination
Deleting a recently created file
Changing a file
Replacing files
Creating a file
Modifying an executable file
Replacing executable files
Moving a file to the Program Files directory
Creating a file in the Program Files directory
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Enabling autorun with the shell\open\command registry branches
Deleting volume shadow copies
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/543716
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes a notice file (html or txt) to demand a ransom
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320955 Sample: 3AofbVD41g.bin Startdate: 20/11/2020 Architecture: WINDOWS Score: 84 34 Multi AV Scanner detection for submitted file 2->34 36 Suspicious powershell command line found 2->36 38 Machine Learning detection for sample 2->38 40 3 other signatures 2->40 7 3AofbVD41g.exe 502 2->7         started        process3 file4 26 C:\Users\user\AppData\Local\...\~6306312.tmp, ASCII 7->26 dropped 28 C:\MSOCache\All Users\...\RecoveryManual.html, HTML 7->28 dropped 30 C:\MSOCache\All Users\...\RecoveryManual.html, HTML 7->30 dropped 32 15 other files (8 malicious) 7->32 dropped 42 Writes a notice file (html or txt) to demand a ransom 7->42 44 Tries to detect virtualization through RDTSC time measurements 7->44 46 Contains functionality to compare user and computer (likely to detect sandboxes) 7->46 11 powershell.exe 20 7->11         started        14 cmd.exe 1 7->14         started        16 splwow64.exe 7->16         started        signatures5 process6 signatures7 48 Deletes shadow drive data (may be related to ransomware) 11->48 50 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 11->50 18 vssadmin.exe 1 11->18         started        20 conhost.exe 11->20         started        22 conhost.exe 14->22         started        24 attrib.exe 1 14->24         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037/
Threat name:
Win32.Trojan.Vebzenpak
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 12:24:59 UTC
File Type:
PE (Exe)
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47bhpkxgmcc7dygepcp6khfmkdr6vbwxtsfcil74azxnbmcuqa3q._file
Verdict:
unknown
Similar samples:
226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2
MountLocker
4ee11bd54d2f1dc61467de3f71bb6b9f01bfdd35df8fe586fa556f2383c96b21
MountLocker
Result
Malware family:
mountlocker
Create hunting rule
Score:
  10/10
Tags:
family:mountlocker persistence ransomware
Link:
https://tria.ge/reports/201120-tczmqpdvfa/
Behaviour
Interacts with shadow copies
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Program Files directory
Modifies service
Drops desktop.ini file(s)
Deletes itself
Modifies extensions of user files
Deletes shadow copies
MountLocker Ransomware
Unpacked files
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
Link:
https://www.unpac.me/results/31c094b0-f97f-4e17-a7f4-d23e3f32f26f/
SH256 hash:
f245887b95a94e247a20bab172e016cb90dccf5ac1669ef43215762e4e18c576
MD5 hash:
66b16b1a9e4af8e233cf4e209daeee50
SHA1 hash:
53d3163453d52809fab84c0a7b2b3cf7b5f81a7e
Link:
https://www.unpac.me/results/31c094b0-f97f-4e17-a7f4-d23e3f32f26f/
SH256 hash:
cbd784c73f6122beb35c42f49b4e4755caa5baa0d50692f8cf3b5b73d8c0ae44
MD5 hash:
b825e8c9f92e19249444d844c272b63f
SHA1 hash:
6d9c81bd2d249fd7afac4005f1b0175bbab0c737
Link:
https://www.unpac.me/results/31c094b0-f97f-4e17-a7f4-d23e3f32f26f/
SH256 hash:
d0e08d1d194796ffafdd36f2366e8bed4af948354febf96ece32a4422009a58c
MD5 hash:
15652b9abce32a36cf4995c601aa25ed
SHA1 hash:
99febe86a7f23964e831cb7c30833dcea3909ed2
Link:
https://www.unpac.me/results/31c094b0-f97f-4e17-a7f4-d23e3f32f26f/
SH256 hash:
b762f8bb3a5e435352993a2acc9a67e6429ac0f1b76dbb8bfa975b4c626abce9
MD5 hash:
6750a5e24c7722e626bc99760776405d
SHA1 hash:
9cd9c8942993dca8bf68209fdf92a0e4644ac6ba
Link:
https://www.unpac.me/results/31c094b0-f97f-4e17-a7f4-d23e3f32f26f/
SH256 hash:
f27c160a3453d79d156ba1e53477a53dbc70a468098e34973c51a15da7ffeecb
MD5 hash:
353d0f54e53848f2c42a92c9637b1edd
SHA1 hash:
abf845c9834a6cb058b380ed51b2eafefcf02f7c
Link:
https://www.unpac.me/results/31c094b0-f97f-4e17-a7f4-d23e3f32f26f/
SH256 hash:
e7c277aae66085f1e0c4789fe51cac50e3ea86d79c8a242ffc066ed0b0548037
MD5 hash:
76f547c793b5478b970c64caf04d01d4
SHA1 hash:
f9eb40f6d3d4c83852e3781886db762bef8564e0
Link:
https://www.unpac.me/results/31c094b0-f97f-4e17-a7f4-d23e3f32f26f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments