MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb9625edf0d6124df92cf0f3aa7f9e98d528526dfe9e166dad4d50778650da93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackClaw


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb9625edf0d6124df92cf0f3aa7f9e98d528526dfe9e166dad4d50778650da93
SHA3-384 hash: b40d04082d5ecca56683cc02b51937832197f8bedc4a1eb05abf4af33c3465b52e47e9b4c50736d938572ff844bee207
SHA1 hash: 02b1ea3d764a2e9d26a18c855940c6448765266b
MD5 hash: 3180ec0cfb5ab4747140c8f86e3ca9fd
humanhash: social-angel-tango-hamper
File name:WindowsFormsApp8.exe
Download: download sample
Signature BlackClaw
Create hunting rule
File size:51'200 bytes
First seen:2020-09-18 15:14:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:7q4RQaYsM/uNHgka/KOncZDMPiLQdsrAwEGQeC2Y5wHmLx0hIrJW8x8Mgi3Sdq:7PRDM/uNnOncFMwE1etKO+x0hI9W8x3
Threatray 12 similar samples on MalwareBazaar
TLSH EA3328897BF99E93D29D677A70E723542334C2263A03E7878AA7123D0D537E93C60917
Reporter James_inthe_box
Tags:BlackClaw exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Launching cmd.exe command interpreter
Creating a process with a hidden window
Changing a file
Modifying an executable file
Creating a file
Reading critical registry keys
Creating a file in the %AppData% directory
Launching the default Windows debugger (dwwin.exe)
Launching a process
Searching for the window
Moving a file to the %temp% directory
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the mass storage device
Stealing user critical data
Forced shutdown of a system process
Encrypting user's files
Result
Threat name:
BlackClaw
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/470063
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Sigma detected: WannaCry Ransomware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected BlackClaw ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 287462 Sample: WindowsFormsApp8.exe Startdate: 18/09/2020 Architecture: WINDOWS Score: 100 61 Sigma detected: WannaCry Ransomware 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 5 other signatures 2->67 8 WindowsFormsApp8.exe 15 502 2->8         started        13 WerFault.exe 2->13         started        15 WerFault.exe 2->15         started        17 explorer.exe 2->17         started        process3 dnsIp4 57 claw.black 104.27.180.154, 443, 49727 CLOUDFLARENETUS United States 8->57 49 C:\Users\user\Desktop\JDDHMPCDUJ.pdf, data 8->49 dropped 51 C:\Users\user\DesktopbehaviorgraphIGIYTFFYT.pdf, data 8->51 dropped 53 C:\Users\user\DesktopIVQSAOTAQ.docx, data 8->53 dropped 55 105 other malicious files 8->55 dropped 69 Creates files inside the volume driver (system volume information) 8->69 71 Creates files in the recycle bin to hide itself 8->71 73 Uses bcdedit to modify the Windows boot settings 8->73 75 2 other signatures 8->75 19 cmd.exe 1 8->19         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        29 3 other processes 8->29 25 SearchUI.exe 13->25 injected 27 explorer.exe 15->27 injected 59 192.168.2.1 unknown unknown 17->59 file5 signatures6 process7 process8 31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 WerFault.exe 25->37         started        39 WerFault.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 29->43         started        45 conhost.exe 29->45         started        process9 47 rundll32.exe 37->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb9625edf0d6124df92cf0f3aa7f9e98d528526dfe9e166dad4d50778650da93/
Threat name:
Win32.Trojan.DelShad
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 10:09:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2171947c8bc08fd32025d883f0668feefa0a43b4519889172df3dbc5f5ffe8d1
BlackClaw
3e472f9bb6ff7d05c153d332dd2deb6e56631c4e85472a8c04a140ca18e46b13
BlackClaw
40bdcc7f90d2bfa4b99928367f6ffca14065037637ae63940e5022b0ad7f648c
BlackClaw
439d5c2dcf14e2f1b24463094aafde50e9a5702e451a624c2078aa32acc194dd
BlackClaw
5081e2b9049e6bd2e9947c09a28a356ebed0d066ec43ae37e4ab6e646bb3b6a0
BlackClaw
73f32ab414285cfff2040dacd956c2a9b53f156e7c8c0f3bad1e0317d61259cd
BlackClaw
7f8ce0eabde719c8e568ac741f48f0d9d931b3da8172b26e53af451ffcea1e10
BlackClaw
e3a5edee75299a8ddfa254fda955173f9063ec8081ba03d946f82f996a3b0203
BlackClaw
e4491a0d3030a3c03f75f931bb5f532b6064feb927a9664bda88c675d480b77c
BlackClaw
fadcffc72696cb639334be446d2aeb90743b270276f48b730efbb59b73505a85
BlackClaw
+ 2 additional samples on MalwareBazaar
Result
Malware family:
blackclaw
Create hunting rule
Score:
  10/10
Tags:
ransomware family:blackclaw spyware
Link:
https://tria.ge/reports/200918-hgta431w6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops desktop.ini file(s)
Drops startup file
Reads user/profile data of web browsers
BlackClaw
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb9625edf0d6124df92cf0f3aa7f9e98d528526dfe9e166dad4d50778650da93

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/63478/

Comments