MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Deathransom

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b
SHA3-384 hash:	8d3abe0fd712b7ca5b7cde66a9afac3f6b603151865efeb048fbe022e67adca113c8b4dd34ba97ff450da0fc85bea7a5
SHA1 hash:	e495204839417ab64d7b146279c56c25c2815b1f
MD5 hash:	262fdac1291740ba9408d06da265dd9f
humanhash:	ten-lion-carpet-yankee
File name:	Deathransom (2)
Download:	download sample
Signature	Deathransom Create hunting rule
File size:	196'608 bytes
First seen:	2020-08-03 15:07:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a4e1ff10d083ff95995012e5b2cbc654 (1 x Deathransom)
ssdeep	3072:K75DzyLgv8vT6nRc24odbkDXFwzIc3jiptvwF:GDjv8v44o+X3pWF
Threatray	254 similar samples on MalwareBazaar
TLSH	E7148F02E4618932C7FA4A7594F786655B3D3202EF761F1F116CE2582FD32C222A7B5E
Reporter	JAMESWT_WT
Tags:	Deathransom

Intelligence

File Origin

# of uploads :

1

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38014/

Detection(s):

Win.Packed.Tofsee-7401529-0

Win.Dropper.Tofsee-7403234-0

Win.Dropper.Tofsee-7433714-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Creating a file

Creating a file in the mass storage device

Encrypting user's files

Result

Threat name:

Deathransom

Detection:

malicious

Classification:

rans.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/408200

Signature

Country aware sample found (crashes after keyboard check)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Writes a notice file (html or txt) to demand a ransom

Yara detected Deathransom

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b/

Threat name:

Win32.Trojan.CryptInject

Status:

Malicious

First seen:

2019-11-16 12:43:37 UTC

File Type:

PE (Exe)

Extracted files:

8

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=66fhioatvmou53rxrgipgrzgfdwwcuzorgkqhtetofbdgb66hwfq._file

Verdict:

malicious

Similar samples:

3d569e91d2ca75b52e3baa820cf909bb86e8163fcc8a03a7d88dd37654914cd2

518394d105b9f9f1c375efe6038468e595bfd4e848940b9af6c6f563f00bbe26

5b5dcd2dd420cb6a9ef69b94fb8340145ca859897285ef38d87b38b1757af463

7c267f393664ccc38c7a4fb521587e77db7fc7e3a157a9ef5c19783f03a67c76

7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1

9b7b27cad5100d9d7319601260c35ffb71cac9728677c17540c45689d1399479

b3ded80c7b59052aef7e34aa7e3807c2afef634b11bd884377bed9682a4b9f9d

b936e7fcab055b4ac4f2afac1ae971753efc923f8b234b141049c095fa983517

ef0d6ddb130fee72d17b1c077b332c474205897f806b16d2dd130768429b9add

f7cd954387c8bb7d14853752c5a02477efc296ae06481ed4367e4e322907e428

+ 244 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

ransomware

Link:

https://tria.ge/reports/200803-lc687ctk8j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Drops desktop.ini file(s)

Drops desktop.ini file(s)

Modifies extensions of user files

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tofsee

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/38014/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample