MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4b11885a3056fc56efdedbc0dd71fae152368e4c2e96a3481c6dff21e9d75aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

VirLock

Vendor detections: 7


SHA256 hash: f4b11885a3056fc56efdedbc0dd71fae152368e4c2e96a3481c6dff21e9d75aa
SHA3-384 hash: 1e4eb8a382ce5e757fcce29fd6d4aa1091a5b326a201fe4ecbc5f90bce632a9e45001338ea7aa5873e3dc496203d3cdb
SHA1 hash: 66191081ff51e8483f224335e23b29d753592669
MD5 hash: e5db392e58f21662881156c5e3aeb4c8
humanhash: steak-oven-south-early
File name: f4b11885a3056fc56efdedbc0dd71fae152368e4c2e96a3481c6dff21e9d75aa
Signature: VirLock
File size: 499'712 bytes
First seen: 2021-01-29 15:12:56 UTC
Last seen: 2021-01-29 15:24:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 141dd6259e7ce9b4ac02f7076d01c1dd (1 x VirLock)
ssdeep: 12288:Rooinw2tnsmEIaxaqR/zU/ZgMUx8VqpcR:Rooi5tnNzaLU/ieR
Threatray: 1 similar samples on MalwareBazaar
TLSH: 27B402CCE184AD8DFE457DBAE96E50810731E70DE4B75BEA1BAF8AD494DCB02C045358
Reporter: JAMESWT_WT
Tags: Ransomware VirLock
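Before any analysis, confirm that the file you extracted from the download is the one this entry describes: compare every listed digest and the byte size, and treat a SHA256 mismatch as disqualifying (MD5 and SHA1 are collision-prone and only matter because other tools still index by them). The script below is an added example written for this page, not MalwareBazaar code; it hashes a local file in chunks and compares it with the values listed above. The placeholder bytes written by demo() are constructed stand-ins, not the sample, so every field is expected to mismatch.

```python
import hashlib
import os
import tempfile

# Hash values and size as listed in the MalwareBazaar entry above.
ENTRY = {
    "sha256": "f4b11885a3056fc56efdedbc0dd71fae152368e4c2e96a3481c6dff21e9d75aa",
    "sha3_384": ("1e4eb8a382ce5e757fcce29fd6d4aa1091a5b326a201fe4ecbc5f90bce632a9e"
                 "45001338ea7aa5873e3dc496203d3cdb"),
    "sha1": "66191081ff51e8483f224335e23b29d753592669",
    "md5": "e5db392e58f21662881156c5e3aeb4c8",
    "size": 499712,
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def hash_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer, one per algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks (samples can be large) and record its byte length."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fobj:
        while True:
            chunk = fobj.read(chunk_size)
            if not chunk:
                break
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["size"] = size
    return digests


def verify_sample(path: str, expected: dict = ENTRY) -> dict:
    """Compare a local file with the entry.

    Returns {field: (matches, observed)}. A SHA256 mismatch means this is not
    the file the entry describes, whatever the weaker digests say.
    """
    observed = hash_file(path)
    report = {}
    for field, want in expected.items():
        got = observed[field]
        same = got.lower() == want.lower() if isinstance(want, str) else got == want
        report[field] = (same, got)
    return report


def all_match(report: dict) -> bool:
    return all(ok for ok, _ in report.values())


def hashes_consistent(data: bytes, chunk_size: int = 4096) -> bool:
    """Self-check: chunked file hashing must agree with one-shot hashing."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        from_file = hash_file(path, chunk_size)
    finally:
        os.remove(path)
    return from_file.pop("size") == len(data) and from_file == hash_bytes(data)


def demo() -> dict:
    """Verify a constructed placeholder (not the real sample) against the entry.
    Every field should mismatch, which is the signal a wrong download gives."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".bin") as tmp:
        tmp.write(b"MZ placeholder bytes, constructed for this example\n")
        path = tmp.name
    try:
        return verify_sample(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    result = demo()
    for field, (ok, got) in result.items():
        print(f"{field:9} {'ok ' if ok else 'BAD'} {got}")
    print("matches entry:", all_match(result))
```

Point verify_sample() at the extracted sample instead of the placeholder; only proceed into a sandbox or disassembler when all_match() is true, and keep the report alongside your notes so later findings can be tied to this exact SHA256.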

Intelligence


File Origin
# of uploads: 2
# of downloads: 295
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: f4b11885a3056fc56efdedbc0dd71fae152368e4c2e96a3481c6dff21e9d75aa
Verdict: Malicious activity
Analysis date: 2021-01-29 15:14:50 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a service
Launching a service
DNS request
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Brute forcing passwords of local accounts
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Command shell drops VBS files
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Delayed program exit found
Drops batch files with force delete cmd (self deletion)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph ID: 346071 (sample renamed SeKW5DNgjM, start date 29/01/2021, architecture WINDOWS, score 100)
Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree and per-process findings (recovered from the graph text; paths shown with "..." were abbreviated in the graph):
  SeKW5DNgjM.exe
    dropped: C:\Users\user\QCAogAgs\jyAoAsMk.exe (PE32); C:\ProgramData\lsggwoQI\yqUYEMEY.exe (PE32); C:\ProgramData\fUwMgQUA\GWoMgUsc.exe (PE32); C:\Users\user\AppData\Local\...\SeAsoMks.bat (ASCII)
    signatures: Uses cmd line tools excessively to alter registry or file data; Drops batch files with force delete cmd (self deletion); Tries to detect virtualization through RDTSC time measurements
    started: cmd.exe, jyAoAsMk.exe, GWoMgUsc.exe, 3 other processes (each with a conhost.exe)
      cmd.exe -> SeKW5DNgjM.exe, conhost.exe
        SeKW5DNgjM.exe
          dropped: C:\Users\user\AppData\Local\...\IwwAUEgo.bat (ASCII)
          signatures: Uses cmd line tools excessively to alter registry or file data
          started: cmd.exe (-> SeKW5DNgjM.exe, conhost.exe); cmd.exe (-> conhost.exe, cscript.exe; signature: Command shell drops VBS files); reg.exe (-> conhost.exe); 2 other processes (-> conhost.exe each)
            SeKW5DNgjM.exe
              dropped: C:\Users\user\AppData\Local\...\LMsoMYYg.bat (ASCII)
              signatures: Uses cmd line tools excessively to alter registry or file data
              started: cmd.exe (-> SeKW5DNgjM.exe, conhost.exe); cmd.exe (-> conhost.exe, cscript.exe); reg.exe (-> conhost.exe); 2 other processes (-> conhost.exe each)
                SeKW5DNgjM.exe
                  dropped: C:\Users\user\AppData\Local\...\ygMgQsUU.bat (ASCII)
                  started: cmd.exe
      jyAoAsMk.exe
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Contains functionality to detect hardware virtualization (CPUID execution measurement)
      GWoMgUsc.exe
        network: 200.87.164.69:666 (EntelSA-EntelNetBO, Bolivia); 190.186.45.170:666 (COTASLTDABO, Bolivia); 2 other IPs or domains
        signatures: Contains functionality to automate explorer (e.g. start an application); Tries to detect virtualization through RDTSC time measurements; Delayed program exit found
  yqUYEMEY.exe
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Delayed program exit found
  svchost.exe
    network: 127.0.0.1 (unknown)
  svchost.exe
Threat name: Win32.Ransomware.VirLock
Status: Malicious
First seen: 2021-01-28 22:28:20 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 44 of 46 (95.65%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence ransomware spyware trojan
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
Drops file in System32 directory
Enumerates physical storage devices
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Modifies visibility of file extensions in Explorer
UAC bypass
Unpacked files
SHA256 hash: 0f3ef5665fa57b952fea893e080f1bbfbef769b0f71a59e6d6bee5b0d06fe63a
MD5 hash: ea1e9ef2145dc58b82cff90afae063a8
SHA1 hash: af69c870e52b00e7cf3e12509b9b841121fa070d

SHA256 hash: 941d0215d5277ae077de2fda5b0dcfabd3252cbc55dd03a13336e0bd202f0bef
MD5 hash: 18a6726b81bbcf1ac636201168f45630
SHA1 hash: a31bf97fec22d3fd86cf5c408941c4f39f30b1c9

SHA256 hash: f4b11885a3056fc56efdedbc0dd71fae152368e4c2e96a3481c6dff21e9d75aa
MD5 hash: e5db392e58f21662881156c5e3aeb4c8
SHA1 hash: 66191081ff51e8483f224335e23b29d753592669
Please note that we are no longer able to provide a coverage score for VirusTotal.
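The vendor behaviour lists and the process tree above record what the sandboxes saw: PE files dropped under ProgramData and the user profile, batch files run from cmd.exe, reg.exe and a Run-key autorun entry, a service, a VBS executed by cscript.exe, and connections to port 666 from a dropped binary. Turning those observations into host-side detections is the reader's job; the code below is an added example written for this page, not a vendor rule set. It assumes Sysmon-shaped events (EventID 1 process create, 3 network connect, 11 file create, 13 registry value set); the events are constructed, with executable and directory names borrowed from the graph while the AppData paths, the Run value name and the service name are invented.

```python
import re

# Constructed Sysmon-shaped events for this example. Executable and directory
# names follow the process tree in the behaviour graph above; the AppData paths,
# the Run value name and the service name are invented placeholders.
EVENTS = [
    {"rid": 1, "EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\ProgramData\lsggwoQI\yqUYEMEY.exe"},
    {"rid": 2, "EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\drop1.bat"},
    {"rid": 3, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\sample.exe",
     "CommandLine": r'cmd /c "C:\Users\user\AppData\Local\Temp\drop1.bat"'},
    {"rid": 4, "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                    r"/v yqUYEMEY /t REG_SZ /d C:\ProgramData\lsggwoQI\yqUYEMEY.exe /f"},
    {"rid": 5, "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\yqUYEMEY"},
    {"rid": 6, "EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript //nologo C:\Users\user\AppData\Local\Temp\drop1.vbs"},
    {"rid": 7, "EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\lsggwoQI\ImagePath"},
    {"rid": 8, "EventID": 3, "Image": r"C:\ProgramData\fUwMgQUA\GWoMgUsc.exe",
     "DestinationIp": "200.87.164.69", "DestinationPort": 666},
    # Benign noise that the rules must not flag.
    {"rid": 9, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"rid": 10, "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"rid": 11, "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

USER_WRITABLE = re.compile(r"^(c:\\programdata\\|c:\\users\\[^\\]+\\)", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(\\|\s|$)", re.I)
SERVICE_IMAGEPATH = re.compile(r"\\currentcontrolset\\services\\[^\\]+\\imagepath$", re.I)
BAT_UNDER_APPDATA = re.compile(r"\\appdata\\local\\[^\"]*\.bat\b", re.I)
COMMON_PORTS = {53, 80, 443}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Each rule mirrors one behaviour named on this page; each is weak on its own.
def exe_dropped_in_user_writable_dir(e):
    return (e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".exe")
            and bool(USER_WRITABLE.match(e["TargetFilename"])))

def cmd_runs_batch_from_appdata(e):
    return (e["EventID"] == 1 and image_name(e["Image"]) == "cmd.exe"
            and bool(BAT_UNDER_APPDATA.search(e["CommandLine"])))

def reg_exe_adds_run_value(e):
    return (e["EventID"] == 1 and image_name(e["Image"]) == "reg.exe"
            and bool(RUN_KEY.search(e["CommandLine"])))

def run_key_value_written(e):
    return e["EventID"] == 13 and bool(RUN_KEY.search(e["TargetObject"]))

def script_host_spawned_by_cmd(e):
    return (e["EventID"] == 1 and image_name(e["Image"]) in ("cscript.exe", "wscript.exe")
            and image_name(e["ParentImage"]) == "cmd.exe")

def service_imagepath_set(e):
    return e["EventID"] == 13 and bool(SERVICE_IMAGEPATH.search(e["TargetObject"]))

def user_writable_binary_connects_on_odd_port(e):
    return (e["EventID"] == 3 and bool(USER_WRITABLE.match(e["Image"]))
            and e["DestinationPort"] not in COMMON_PORTS)

RULES = {f.__name__: f for f in (
    exe_dropped_in_user_writable_dir, cmd_runs_batch_from_appdata, reg_exe_adds_run_value,
    run_key_value_written, script_host_spawned_by_cmd, service_imagepath_set,
    user_writable_binary_connects_on_odd_port)}


def evaluate(events):
    """Return [(rule_name, rid)] for every event some rule matches."""
    return [(name, e["rid"]) for e in events for name, rule in RULES.items() if rule(e)]


def verdict(events, min_distinct_rules=3):
    """reg.exe, cscript.exe and batch files all have legitimate uses, so require
    several distinct behaviours on one host before raising an incident."""
    return len({name for name, _ in evaluate(events)}) >= min_distinct_rules


if __name__ == "__main__":
    for name, rid in evaluate(EVENTS):
        print(f"rid={rid:<3} {name}")
    print("verdict:", verdict(EVENTS))
```

The Run key is checked twice on purpose: once from the reg.exe command line and once from the registry telemetry, because the first is bypassed by writing the key from the dropped executable directly and the second is what remains when command-line logging is off. The port-666 rule is deliberately keyed on the image location rather than the port number, so that the same dropped binary beaconing on a different port still fires.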

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments