MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef2cd9ded5532af231e0990feaf2df8fd79dc63f7a677192e17b89ef4adb7dd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Conti

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	ef2cd9ded5532af231e0990feaf2df8fd79dc63f7a677192e17b89ef4adb7dd2
SHA3-384 hash:	a6915fa8895324d8f020a3b0b36d8e7707c4feb642ef592dca6aa200614c87569d34a9b232dfcf5c92895b17c9b471c1
SHA1 hash:	301fcd84ac42886c1f532ab6a71e8b49834f6fd0
MD5 hash:	52e617eb5c923ddf2cb3c86d5b9332b1
humanhash:	nevada-avocado-fourteen-seven
File name:	52e617eb_by_Libranalysis
Download:	download sample
Signature	Conti Create hunting rule
File size:	200'704 bytes
First seen:	2021-05-25 12:01:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c2a4becf8f921158319527ff0049fea9 (9 x Conti)
ssdeep	3072:CLJGBP1t82ETTwPAobQ3tOqmb14Gul22QZkN7S44EXZLL0Rx6:gJEPCTwPp03YqyNulakFu6
Threatray	9 similar samples on MalwareBazaar
TLSH	85143A15B64E4634F25A98701AFC6DB354A89A38336FC8F7B3C9467D2A25AD27430F43
Reporter	Libranalysis
Tags:	conti

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

387

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

EF2CD9DED5532AF231E0990FEAF2DF8FD79DC63F7A677192E17B89EF4ADB7DD2

Verdict:

Malicious activity

Analysis date:

2021-05-20 02:54:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/26949d8f-c461-461d-bd87-3a4d9935c279

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Conti

Link:

https://www.capesandbox.com/analysis/161898/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Connection attempt

Creating a file

Changing a file

Creating a file in the Program Files directory

Moving a file to the Program Files directory

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Modifying an executable file

Sending a UDP request

Reading critical registry keys

Creating a file in the mass storage device

Stealing user critical data

Encrypting user's files

Result

Threat name:

Conti

Detection:

malicious

Classification:

rans.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/791524

Signature

Found potential dummy code loops (likely to delay analysis)

Found ransom note / readme

Found Tor onion address

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes many files with high entropy

Yara detected Conti ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef2cd9ded5532af231e0990feaf2df8fd79dc63f7a677192e17b89ef4adb7dd2/

Threat name:

Win32.Ransomware.Cryptor

Status:

Malicious

First seen:

2021-05-20 04:58:00 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=54wntxwvkmvpempateh6v4w7r7lz3rr7pjtxdexbpoe66sw3pxja._file

Verdict:

malicious

Conti

26b2401211769d2fa1415228b4b1305eeeed249a996d149ad83b6fc9c4f703ce

Conti

2fc6d7df9252b1e2c4eb3ad7d0d29c188d87548127c44cebc40db9abe8e5aa35

Conti

449668f18d2aa75cc9493090764722eb4f0843a8da1b354d4e2147c6d6393078

Conti

7ca57576c6a2d7dbf49faeafd4804c6b86d9af7fff1390c58a30eb9d9bf2fbfd

Conti

a5751a46768149c5ddf318fd75afc66b3db28a5b76254ee0d6ae27b21712e266

Conti

b524ed1cc22253f09d56f54d8ded4566b63352ff739f58de961f8a5bebb0fad9

Conti

d16645bce49ea342c4b4f5afa3f711bf0a3986a4a7354f96f24a21f161fff7cb

Conti

d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc

Conti

Result

Malware family:

conti

Score:

10/10

Tags:

family:conti ransomware spyware stealer

Link:

https://tria.ge/reports/210525-3m9vnvehrj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Drops desktop.ini file(s)

Drops startup file

Reads user/profile data of web browsers

Modifies extensions of user files

Conti Ransomware

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef2cd9ded5532af231e0990feaf2df8fd79dc63f7a677192e17b89ef4adb7dd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Conti Create hunting rule
Author:	kevoreilly
Description:	Conti Ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/161898/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample