MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804
SHA3-384 hash: dd3f9d90b176a7b23642ffc273e8782fcd8db30b356bdac70cfb4ae8b338f7ed9ce3dadcecf98b3d3e6ba9238d840029
SHA1 hash: 32eda62ed3b0e642072079de2ffddf686a5783a0
MD5 hash: ea504e669073d9e506fb403e633a68c8
humanhash: idaho-triple-sodium-spaghetti
File name:ea504e66_by_Libranalysis
Download: download sample
File size:600'064 bytes
First seen:2021-05-21 09:38:03 UTC
Last seen:2022-04-12 12:54:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c26403ea8cfe82591aff1eaca9fb0431 (1 x MedusaLocker)
ssdeep 12288:FfV36FBXWYgeWYg955/155/OqgG0xbxHrRBVmfxnmtoj:VV36FB8gG01BVDIRmt0
Threatray 4 similar samples on MalwareBazaar
TLSH BAD47D8AA6A503F9E077E134C991850AE6B27C850BA1C7DF139057AE1F732D24E3F761
Reporter Libranalysis
Tags:Curator Ever101 Ransomware


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64RA.exe
Verdict:
No threats detected
Analysis date:
2021-05-20 13:00:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b010e4f7-cc0f-4bd3-853a-05a0dc9baa2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/160404/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a file in the Program Files subdirectories
Modifying an executable file
Moving a file to the Program Files subdirectory
Changing a file
Creating a process with a hidden window
Reading critical registry keys
DNS request
Sending a UDP request
Running batch commands
Launching a process
Deleting volume shadow copies
Stealing user critical data
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/787103
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 419500 Sample: ea504e66_by_Libranalysis Startdate: 21/05/2021 Architecture: WINDOWS Score: 84 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities 2->37 39 3 other signatures 2->39 7 ea504e66_by_Libranalysis.exe 501 2->7         started        11 notepad.exe 2->11         started        13 OpenWith.exe 2->13         started        process3 file4 25 C:\ProgramData\...\customizations.xml, data 7->25 dropped 27 C:\ProgramData\...\customizations.xml, data 7->27 dropped 29 C:\ProgramData\Microsoft\...\RunTime.xml, data 7->29 dropped 31 31 other files (18 malicious) 7->31 dropped 41 May disable shadow drive data (uses vssadmin) 7->41 43 Deletes shadow drive data (may be related to ransomware) 7->43 45 Writes many files with high entropy 7->45 15 cmd.exe 1 7->15         started        17 vssadmin.exe 1 7->17         started        signatures5 process6 process7 19 conhost.exe 15->19         started        21 timeout.exe 1 15->21         started        23 conhost.exe 17->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804/
Threat name:
Win64.Ransomware.LockCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 18:10:10 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b30e0509075234edd5f46ed054ad56bb6cf8d234341e0c72fe27407027e94de
475df55bf31e8c58a8646cad8863913d3fd2d58b72a48ecef4cb1057efd1268c
e3f297dcc0aac80152ba1af99a2c4c101a1ee88759900da7cdfcc9cb5955f06d
f8b132d8c750482bd5b6f03bae58f6805fb3480ef0904a21f0111ede5a1ebb1b
Result
Malware family:
n/a
Score:
  10/10
Tags:
ransomware
Link:
https://tria.ge/reports/210521-kyd8lh8dwj/
Behaviour
Delays execution with timeout.exe
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops desktop.ini file(s)
Deletes itself
Modifies extensions of user files
Deletes shadow copies
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6c4ba7e81f05fb9d660adc4a73562ce9d78a5850622bc90132f0afde601f804

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Win64_Ransomware_Curator
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects Curator ransomware.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/160404/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-21 10:03:10 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0030.002] Command and Control::Receive Data
1) [B0030.001] Command and Control::Send Data
2) [C0002.009] Communication Micro-objective::Connect to Server::HTTP Communication
3) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
4) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
5) [C0002.003] Communication Micro-objective::Send Request::HTTP Communication
6) [C0001.006] Communication Micro-objective::Receive Data::Socket Communication
7) [C0001.007] Communication Micro-objective::Send Data::Socket Communication
8) [C0059] Cryptography Micro-objective::Crypto Library
9) [C0031] Cryptography Micro-objective::Decrypt Data
10) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
11) [C0027.008] Cryptography Micro-objective::Sosemanuk::Encrypt Data
12) [C0027] Cryptography Micro-objective::Encrypt Data
13) [C0021.005] Cryptography Micro-objective::Mersenne Twister::Generate Pseudo-random Sequence
14) [C0021.003] Cryptography Micro-objective::Use API::Generate Pseudo-random Sequence
15) [C0026.002] Data Micro-objective::XOR::Encode Data
16) [C0030.005] Data Micro-objective::FNV::Non-Cryptographic Hash
17) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
20) [C0048] File System Micro-objective::Delete Directory
21) [C0047] File System Micro-objective::Delete File
22) [C0051] File System Micro-objective::Read File
23) [C0052] File System Micro-objective::Writes File
24) [C0040] Process Micro-objective::Allocate Thread Local Storage
25) [C0017] Process Micro-objective::Create Process
26) [C0038] Process Micro-objective::Create Thread
27) [C0041] Process Micro-objective::Set Thread Local Storage Value
28) [C0018] Process Micro-objective::Terminate Process