MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9ee500bcceeb9608800148f7c750e5d8676fb515f0decde33cc8b419f4e5b49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vovalex


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9ee500bcceeb9608800148f7c750e5d8676fb515f0decde33cc8b419f4e5b49
SHA3-384 hash: ba1182c00afa6e0c7965004f9beeab68f132ba9d97409e3baad5dfa417ad79e5c1eafca57e0d63e8257cae4d74b54695
SHA1 hash: 4dfbc84564abfd88c205914b7eb8acd89e22c558
MD5 hash: cc410e6c24d8bd6d645029dbb08cfc79
humanhash: oregon-floor-edward-winner
File name:e9ee500bcceeb9608800148f7c750e5d8676fb515f0decde33cc8b419f4e5b49.bin
Download: download sample
Signature Vovalex
Create hunting rule
File size:5'633'536 bytes
First seen:2021-01-29 17:14:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 47213d103768327f1ec64ab08cacc584 (2 x Vovalex)
ssdeep 98304:dVeNBpTBnOzs8JG5qDR4z6XzZRbG7c/X44Sk+hRF8rk+3V2kLIRnB:Xg9Ozh+qq8RbG7KX446hRaR2x
Threatray 1 similar samples on MalwareBazaar
TLSH 48460136A100A6E4C45288F8CFD5DAA59361BC78073532DB22D5B7261EB9DD0FF7D282
Reporter Arkbird_SOLG
Tags:Ransomware Vovalex

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114847/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Enabling the 'hidden' option for files in the %temp% directory
Deleting of the original file
Result
Threat name:
VovaLex
Create hunting rule
Detection:
suspicious
Classification:
rans
Score:
30 / 100
Link:
https://www.joesandbox.com/analysis/594248
Signature
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected VovaLex Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346165 Sample: B1P4uwWiqp.bin Startdate: 29/01/2021 Architecture: WINDOWS Score: 30 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected VovaLex Ransomware 2->37 39 PE file has a writeable .text section 2->39 8 B1P4uwWiqp.exe 11 2->8         started        process3 file4 31 C:\Users\user\...\unzIdBEmSZFsCxA9.exe, PE32 8->31 dropped 11 unzIdBEmSZFsCxA9.exe 2 8->11         started        14 notepad.exe 8->14         started        process5 file6 33 C:\Users\user\...\unzIdBEmSZFsCxA9.tmp, PE32 11->33 dropped 16 unzIdBEmSZFsCxA9.tmp 5 50 11->16         started        process7 file8 23 C:\Users\user\AppData\...\iswin7logo.dll, PE32 16->23 dropped 25 C:\Users\user\AppData\Local\...\botva2.dll, PE32 16->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\b2p.dll, PE32 16->27 dropped 29 23 other files (none is malicious) 16->29 dropped 19 Uninstall.exe 230 13 16->19         started        21 WinRAR.exe 378 8 16->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9ee500bcceeb9608800148f7c750e5d8676fb515f0decde33cc8b419f4e5b49/
Threat name:
Win64.Ransomware.Vovalex
Create hunting rule
Status:
Malicious
First seen:
2021-01-17 04:32:23 UTC
File Type:
PE+ (Exe)
Extracted files:
24
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
3f531ce5eae08958610dbac073a881654f1efad802ca3d5a325a75355e460da0
Vovalex
Result
Malware family:
n/a
Score:
  8/10
Tags:
ransomware
Link:
https://tria.ge/reports/210129-lgq2v7sytj/
Behaviour
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Modifies extensions of user files
Unpacked files
SH256 hash:
e9ee500bcceeb9608800148f7c750e5d8676fb515f0decde33cc8b419f4e5b49
MD5 hash:
cc410e6c24d8bd6d645029dbb08cfc79
SHA1 hash:
4dfbc84564abfd88c205914b7eb8acd89e22c558
Link:
https://www.unpac.me/results/52606c23-13bc-4813-8f15-4829a11f8d5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9ee500bcceeb9608800148f7c750e5d8676fb515f0decde33cc8b419f4e5b49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1351808079164276736
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114847/

Comments