MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e812d2f7858c5971f4f6f56e7449eeaf682863dde440dd903ae93ddaaafa2002. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiskWriter


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e812d2f7858c5971f4f6f56e7449eeaf682863dde440dd903ae93ddaaafa2002
SHA3-384 hash: 1fc5356ab7563e65900d0917ec4f45218fba673568e5c79e5ac1d7c955649cf023bc10267d5bf681465ca07cc8ef506b
SHA1 hash: d7182be789f06d348bfe0aaff0ca2da7e1fedf2d
MD5 hash: 49d24fc12ccba3d412757a18039fff16
humanhash: zebra-uncle-blossom-fish
File name:unknow辅助工具1.4.12.exe
Download: download sample
Signature DiskWriter
Create hunting rule
File size:695'856 bytes
First seen:2020-10-03 01:36:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b8dc3053f3622bd573753ca1ed0e05a (1 x DiskWriter)
ssdeep 12288:cfjuCI5kFKR3xLpeJz8FXrAqQwsgx13gNsl2KZquoljauh0Nplns+Tg1:vl3kJz4XrpQwXx5gNsl2KQJZ++
TLSH 30E4122D6728DDA5C09E0CF8095346792E214C6284A4824E3BAFBD0C38B7BF55BD75F6
Reporter vm001cn
Tags:DiskWriter MBRLock

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Detection:
XiaoBa
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67866/
Detection(s):
SecuriteInfo.com.Variant.Graftor.401081.27875.26294.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Searching for the window
Searching for analyzing tools
Creating a window
Windows shutdown
Low-level writing
Rewriting of the hard drive's master boot record
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.spyw.evad
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/480681
Signature
Adds a new user with administrator rights
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Infects the boot sector of the hard disk
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites the password of the administrator account
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes directly to the primary disk partition (DR0)
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292781 Sample: unknow#U8f85#U52a9#U5de5#U5... Startdate: 03/10/2020 Architecture: WINDOWS Score: 78 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Machine Learning detection for sample 2->36 38 4 other signatures 2->38 7 unknow#U8f85#U52a9#U5de5#U51771.4.12.exe 4 2->7         started        process3 file4 30 \Device\Harddisk0\DR0, ID=0xee, 7->30 dropped 40 Detected unpacking (creates a PE file in dynamic memory) 7->40 42 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->42 44 Writes directly to the primary disk partition (DR0) 7->44 46 5 other signatures 7->46 11 net.exe 1 7->11         started        14 net.exe 1 7->14         started        16 net.exe 1 7->16         started        signatures5 process6 signatures7 48 Overwrites the password of the administrator account 11->48 18 conhost.exe 11->18         started        20 net1.exe 1 11->20         started        22 conhost.exe 14->22         started        24 net1.exe 1 14->24         started        26 conhost.exe 16->26         started        28 net1.exe 1 16->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e812d2f7858c5971f4f6f56e7449eeaf682863dde440dd903ae93ddaaafa2002/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-02 16:12:00 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
bootkit persistence ransomware
Link:
https://tria.ge/reports/201003-lz332exzjx/
Behaviour
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of NtSetInformationThreadHideFromDebugger
Writes to the Master Boot Record (MBR)
Modifies WinLogon to allow AutoLogon
Grants admin privileges
Unpacked files
SH256 hash:
e812d2f7858c5971f4f6f56e7449eeaf682863dde440dd903ae93ddaaafa2002
MD5 hash:
49d24fc12ccba3d412757a18039fff16
SHA1 hash:
d7182be789f06d348bfe0aaff0ca2da7e1fedf2d
Link:
https://www.unpac.me/results/4c5683bc-4f2e-43fc-9332-bacfcc61d42a/
SH256 hash:
bd4fd018e3c7bf11b1fbfbbd3702756739d898a6b7faaec0b09215aec8ca8339
MD5 hash:
93e1a47cec2bc4d1a81324ae1eb880bd
SHA1 hash:
c7ac4edf728d757f0ebf9cde13b141a2b8407b8a
Link:
https://www.unpac.me/results/4c5683bc-4f2e-43fc-9332-bacfcc61d42a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e812d2f7858c5971f4f6f56e7449eeaf682863dde440dd903ae93ddaaafa2002

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/67866/

Comments