MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eccee37b1781f0dfceea2076d15a467adadfcecf3017a62f32fbc2d5fee94211. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


WannaCry


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eccee37b1781f0dfceea2076d15a467adadfcecf3017a62f32fbc2d5fee94211
SHA3-384 hash: f1b5e2c3b14ce5bf8e128f556b45210085fdcba5b3284121f08b71b76b342b20511a80b94fbbfc1645ca765a4d7412a9
SHA1 hash: 564421d31093136e65482e0e33ffee4442f5c81f
MD5 hash: 4aa3a61fb27345b240bf68111944ed60
humanhash: alaska-sierra-oxygen-nevada
File name:eccee37b1781f0dfceea2076d15a467adadfcecf3017a62f32fbc2d5fee94211
Download: download sample
Signature WannaCry
Create hunting rule
File size:2'281'472 bytes
First seen:2022-10-10 04:26:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9ecee117164e0b870a53dd187cdd7174 (82 x WannaCry, 1 x Worm.Virut)
ssdeep 24576:QbLguripdmMSirYbcMNgef0QeQjGudhAdmvn:QnvMSPbcBVQejudhnvn
Threatray 935 similar samples on MalwareBazaar
TLSH T1D1B523A571AC80F4D60A6270A8778E15F2B77C3931BD560FEF508B252C13B92F628B57
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter petikvx
Tags:exe Ransomware WannaCry

Intelligence

File Origin
# of uploads :
1
# of downloads :
622
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318108/
Detection(s):
Win.Ransomware.Wanna-9769986-0
Create hunting rule

Win.Ransomware.Wanacryptor-9942127-1
Create hunting rule

Win.Ransomware.Wannacry-6803937-0
Create hunting rule

Win.Ransomware.Wannacrypt-6804263-0
Create hunting rule

Win.Ransomware.WannaCry-6313787-0
Create hunting rule

Win.Malware.Djwy-6775897-0
Create hunting rule

Win.Malware.Djwy-6923377-0
Create hunting rule

Win.Exploit.Doublepulsar-7427328-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a service
Launching a service
Searching for synchronization primitives
Sending a custom TCP request
Query of malicious DNS domain
Enabling autorun for a service
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42121/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware greyware overlay packed packed ransomware wannacry worm
Link:
https://www.filescan.io/uploads/63439f1d1ddf36bcc3f42c22/reports/b01a9f3c-9735-40e5-afa5-f439b8f7694e/overview
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10dba4d6-7c28-4df4-8947-9acef3fc1f7f
Result
Threat name:
Wannacry
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086667
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Yara detected Wannacry ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eccee37b1781f0dfceea2076d15a467adadfcecf3017a62f32fbc2d5fee94211/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2022-10-09 04:40:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5thog6yxqhyn7txkeb3ncwsgplnn7twpgal2mlzs7pbnl7xjiiiq._file
Verdict:
malicious
Similar samples:
016b40a769d4d34da8cdf3bf08a166c3243b659c31c152d3c0899993a7aa8f07
WannaCry
0ca55fe01cf52696f424100ee6de4e8dd262ce1c83257d22bc3edc42c30fb944
WannaCry
0f1516a8c0600c59defcf96c87c27de6a81e732ecb2f64b5e48904c31ab2cbb2
WannaCry
3befcb73c9497db265428aa3dc0b0692fa5722344d4a772b25973e244b085266
WannaCry
499e277bcb0c1712223fe211751a00e56a9ab6580e96e27128877615aca811cb
WannaCry
540749acd2da3530292fed430ee05bd8752bd4f40499b987da31a24e67959352
WannaCry
8b51945ada866301cd583744f4363bbeac1b7ec84ee78c0135824a2dc57f7244
WannaCry
9782298315b127534cfb24720e76e4cc946f71a72126da11f9bcb738b94d6b49
WannaCry
b10225bfe75854f01b5f9aea098c2fde6f5fdc543f2a81aadafe389ae9a1dc94
WannaCry
f2cf2c68920d3812d76104aa8388cfa07934c53a39e8f48e098a282ddccbfbcf
WannaCry
+ 925 additional samples on MalwareBazaar
Result
Malware family:
wannacry
Create hunting rule
Score:
  10/10
Tags:
family:wannacry discovery ransomware worm
Link:
https://tria.ge/reports/221010-e24enaaef8/
Behaviour
Modifies data under HKEY_USERS
Drops file in Windows directory
Drops file in System32 directory
Creates a large amount of network flows
Contacts a large (720) amount of remote hosts
Contacts a large (3168) amount of remote hosts
Wannacry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2a40074c-8da4-4f19-bbae-207a17613b67
Unpacked files
SH256 hash:
eccee37b1781f0dfceea2076d15a467adadfcecf3017a62f32fbc2d5fee94211
MD5 hash:
4aa3a61fb27345b240bf68111944ed60
SHA1 hash:
564421d31093136e65482e0e33ffee4442f5c81f
Link:
https://www.unpac.me/results/15749f12-59fc-4dc6-9873-e9935f6aa44d/
Malware family:
WannaCry
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eccee37b1781/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eccee37b1781f0dfceea2076d15a467adadfcecf3017a62f32fbc2d5fee94211

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:WannaCry_Ransomware
Create hunting rule
Author:Florian Roth (with the help of binar.ly)
Description:Detects WannaCry Ransomware
Reference:https://goo.gl/HG2j5T
Rule name:WannaCry_Ransomware_Gen
Create hunting rule
Author:Florian Roth (based on rule by US CERT)
Description:Detects WannaCry Ransomware
Reference:https://www.us-cert.gov/ncas/alerts/TA17-132A
Rule name:WannaCry_Ransomware_Gen_RID302B
Create hunting rule
Author:Florian Roth (based on rule by US CERT)
Description:Detects WannaCry Ransomware
Reference:https://www.us-cert.gov/ncas/alerts/TA17-132A

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318108/

Comments