MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Royal

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
SHA3-384 hash:	cd2885fa1df54df3f3442973b7577bdc801638f4d60a2fd048f3e19fd6b1f372ce3a3e80e63480c43cb86465f684b478
SHA1 hash:	db3163a09eb33ff4370ad162a05f4b2584a20456
MD5 hash:	df0b88dafe7a65295f99e69a67db9e1b
humanhash:	mississippi-lamp-kansas-alaska
File name:	avi.exe
Download:	download sample
Signature	Royal Create hunting rule
File size:	3'085'312 bytes
First seen:	2022-10-12 19:45:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	150bdf1f53f6260c91ec3fcff5867019 (1 x Royal)
ssdeep	49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzkw5c:wm+GaNqqJJ12vlZol8cJ7rc3
Threatray	4 similar samples on MalwareBazaar
TLSH	T1BEE58D6AF6A800D8D56AC13CC5564227E3B1FC2517B287CB1AB4AA790F73AD55F3E700
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	kernelv0id
Tags:	exe Ransomware royal zeon

Intelligence

File Origin

# of uploads :

# of downloads :

832

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319539/

Detection(s):

SecuriteInfo.com.Trojan.DelShadows.21.16918.30482.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a service

Sending a custom TCP request

Deleting volume shadow copies

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42767/overview

Behaviour

MalwareBazaar

MeasuringTime

CallSleep

CPUID_Instruction

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

explorer.exe filecoder greyware royal

Link:

https://www.filescan.io/uploads/6347197b5cada2cbc6ebcb98/reports/e597d1e1-2e4f-476d-b344-b177cc2dba65/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/08dc8dee-bbe9-422d-8bca-9be83a056db2

Result

Threat name:

Royal

Detection:

malicious

Classification:

rans.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1089278

Signature

Antivirus / Scanner detection for submitted sample

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

May disable shadow drive data (uses vssadmin)

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Yara detected Royal Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429/

Threat name:

Win64.Trojan.DelShad

Status:

Malicious

First seen:

2022-10-11 23:13:11 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6scpsgn2ny3p6m7e7m4rxcczvfgytqlsurszmt4z2yitwvoo2quq._file

Verdict:

malicious

Royal

2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

Royal

7b7e104ca9e6eff6351c60c93a1054cb70c7744f5736b980b363a577be2d732d

Royal

9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926

Royal

Result

Malware family:

n/a

Score:

9/10

Tags:

ransomware

Link:

https://tria.ge/reports/221012-ygzqhsaabj/

Behaviour

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Deletes shadow copies

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d34a190c-e00a-42e6-974c-d1442944354f

Unpacked files

SH256 hash:

f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

MD5 hash:

df0b88dafe7a65295f99e69a67db9e1b

SHA1 hash:

db3163a09eb33ff4370ad162a05f4b2584a20456

Link:

https://www.unpac.me/results/b53e7eee-2dff-49a4-b715-6bff00c7edca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Royal_Ran_V1 Create hunting rule
Author:	DigitalPanda

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/albertzsigovits/status/1576887610693369856

Cape

https://www.capesandbox.com/analysis/319539/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample