MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Makop


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6
SHA3-384 hash: 99936b5e2e864c070c8eb75b4049a36aee8999783be03d31ee98e7f2cbd4578871f21f0adc83aa31625f0cf530267c3d
SHA1 hash: 7c88af3c8a27402da1d67cfaa1a02555f1c7945d
MD5 hash: f64ecdec4c84ac7ef0ca6c2ef4d94eea
humanhash: johnny-december-low-massachusetts
File name:f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
Download: download sample
Signature Makop
Create hunting rule
File size:120'468 bytes
First seen:2020-12-22 13:16:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:Tf1BDZ0kVB67Duw9AMcUTeQZbMcpga/ijOJB8BtgIBQeM/nhG:T9X0GYbpyh/8A
Threatray 31 similar samples on MalwareBazaar
TLSH 9DC3CF0372E09CEBD1520A700E77FB1697ABA61426750F476F8C1A4A7F23282593F75D
Reporter abuse_ch
Tags:exe makop Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2020-11-17 05:37:15 UTC
Tags:
installer ransomware makop oled evasion
Link:
https://app.any.run/tasks/864e43c5-77cd-471e-865d-ee2bb45c9cde

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108893/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Launching a service
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Creating a window
Using the Windows Management Instrumentation requests
Changing a file
Behavior that indicates a threat
Creating a file
Sending a UDP request
Modifying an executable file
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting volume shadow copies
Creating a file in the mass storage device
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Makop
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568291
Signature
Antivirus / Scanner detection for submitted sample
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected unpacking (overwrites its own PE header)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Maps a DLL or memory area into another process
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: Delete shadow copy via WMIC
Sigma detected: WannaCry Ransomware
Writes many files with high entropy
Yara detected Makop ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333219 Sample: NH8vMmn7Tg.exe Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 61 Sigma detected: WannaCry Ransomware 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->65 67 6 other signatures 2->67 8 NH8vMmn7Tg.exe 17 2->8         started        12 NH8vMmn7Tg.exe 17 2->12         started        14 NH8vMmn7Tg.exe 16 2->14         started        16 3 other processes 2->16 process3 file4 51 C:\Users\user\AppData\Local\...\System.dll, PE32 8->51 dropped 71 Detected unpacking (overwrites its own PE header) 8->71 73 Maps a DLL or memory area into another process 8->73 75 Writes many files with high entropy 8->75 18 NH8vMmn7Tg.exe 7 8->18         started        53 C:\Users\user\AppData\Local\...\System.dll, PE32 12->53 dropped 23 NH8vMmn7Tg.exe 12->23         started        55 C:\Users\user\AppData\Local\...\System.dll, PE32 14->55 dropped 25 NH8vMmn7Tg.exe 14->25         started        77 Creates files inside the volume driver (system volume information) 16->77 signatures5 process6 dnsIp7 59 192.168.2.1 unknown unknown 18->59 43 C:\Users\user\AppData\...\USSres00001.jrs, DOS 18->43 dropped 45 C:\Users\user\...\chrome_installer.log, data 18->45 dropped 47 C:\Users\...\SetupExe(2020072310200717D0).log, data 18->47 dropped 49 275 other files (273 malicious) 18->49 dropped 69 Opens the same file many times (likely Sandbox evasion) 18->69 27 cmd.exe 1 18->27         started        30 NH8vMmn7Tg.exe 16 18->30         started        file8 signatures9 process10 file11 79 May disable shadow drive data (uses vssadmin) 27->79 81 Deletes shadow drive data (may be related to ransomware) 27->81 83 Deletes the backup plan of Windows 27->83 33 WMIC.exe 1 27->33         started        35 conhost.exe 27->35         started        37 wbadmin.exe 3 27->37         started        39 vssadmin.exe 1 27->39         started        57 C:\Users\user\AppData\Local\...\System.dll, PE32 30->57 dropped 85 Maps a DLL or memory area into another process 30->85 41 NH8vMmn7Tg.exe 30->41         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6/
Threat name:
Win32.Ransomware.Ako
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:41:51 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qsx6zfae6n3llrcdoli2pzyxo3sg6ueoxawlrniimh6myz6h7ta._file
Verdict:
malicious
Similar samples:
03b5ff330cca623ed119cd2a77b2a142bc38f2a8a3a6e714793fe20f7b0c4051
Makop
2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
Makop
4aa3ae979ad5fb790408c90ebe653592f5861eb7b8dac54cad59e9ac1c54bac4
Makop
57eab146f612a387a6d0db7073f200742634a31cc78dda6f59cfdc8996ddca4a
Makop
6785ac0d25c3b5a7fa54aa4df7d2a00611305c06b51f1d5d4fb27d1ff2ccdba9
Makop
9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9
Makop
bc225c5fe58ce3b42512871afdcc4513a870812b6b6477d8fe53bca77100660e
Makop
e51abdb2023b560244802f7d9687944dc0dff3042c28d7bc7a2b517df6e24942
Makop
f8a505c194572963b8defea169a2bf9b7e87ba2a38df1afb990623715a81daf3
Makop
fa2b92d07e6f86bcd56bd1b5d146bedcda1e623028612afab2ee749764046834
Makop
+ 21 additional samples on MalwareBazaar
Result
Malware family:
makop
Create hunting rule
Score:
  10/10
Tags:
family:makop persistence ransomware spyware
Link:
https://tria.ge/reports/201222-wsc3nmern2/
Behaviour
Interacts with shadow copies
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Modifies extensions of user files
Deletes shadow copies
Makop
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6
MD5 hash:
f64ecdec4c84ac7ef0ca6c2ef4d94eea
SHA1 hash:
7c88af3c8a27402da1d67cfaa1a02555f1c7945d
Link:
https://www.unpac.me/results/1ecbc97a-1c0f-484b-9974-d5a54fa8b97a/
SH256 hash:
0fe1338a74ce1ac429f96b448359e3209a0fc1c335a91467a9d95238823fa529
MD5 hash:
3678ccc2791e3342babc8e96c7526cce
SHA1 hash:
cb2ae97ac6c242f2bf6148c813cf70a3b51924dd
Link:
https://www.unpac.me/results/1ecbc97a-1c0f-484b-9974-d5a54fa8b97a/
SH256 hash:
dc8fe9639a589c71112fc94da954701a72bcfc3f31df71ad52d10e6a5c3eb29f
MD5 hash:
2eb5814459a8cb5da6f1194093aa190e
SHA1 hash:
f49691ced20ef2dda22c3a73e4372d769712215e
Link:
https://www.unpac.me/results/1ecbc97a-1c0f-484b-9974-d5a54fa8b97a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
REvil
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RANSOM_makop
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect the unpacked Makop ransomware samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Makop

Executable exe fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/938095/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108893/

Comments