7558b47e...d5b9

VMRay Threat Indicators (21 rules, 42 matches)

Severity	Category	Operation	Count	Classification
5/5	Local AV	Malicious content was detected by heuristic scan	2	-
Local AV detected the sample itself as "Gen:Variant.Ransom.1660". ... VTI Actions Go to AV match Go to file details
Local AV detected the downloaded file "C:\FD1HVy\Hermes-decrypter-new.exe" as "Gen:Variant.Razy.491933". ... VTI Actions Go to AV match Go to file details
4/5	File System	Modifies content of user files	1	Ransomware
Modifies the content of multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	File System	Renames user files	1	Ransomware
Renames multiple user files. This is an indicator for an encryption attempt. ... VTI Actions Go to Behavior
4/5	Reputation	Known malicious URL	3	-
Contacted URL "h139975.s08.test-hf.su/SmailFile/1.jpg" is a known malicious URL. ... VTI Actions Go to Behavior
Contacted URL "h139975.s08.test-hf.su/SmailFile/Hermes-decrypter-new.exe" is a known malicious URL. ... VTI Actions Go to Behavior
Contacted URL "h139975.s08.test-hf.su" is a known malicious URL. ... VTI Actions
3/5	Anti Analysis	Tries to evade debugger	1	-
Hides Thread via API "NtSetInformationThread". ... VTI Actions Go to Behavior
3/5	Network	Reads network adapter information	1	-
Reads the network adapters' addresses by API. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Tries to detect debugger	3	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to Behavior
Check via API "CheckRemoteDebuggerPresent". ... VTI Actions Go to Behavior
Check via API "NtQueryInformationProcess". ... VTI Actions Go to Behavior
2/5	Anti Analysis	Tries to detect kernel debugger	1	-
Check via API "NtQuerySystemInformation". ... VTI Actions Go to Behavior
2/5	OS	Changes the desktop wallpaper.	3	-
Sets the desktop wallpaper to the file "c:\fd1hvy\ransom.jpg". ... VTI Actions Go to Behavior Go to file details
Sets the desktop wallpaper to the file "c:\fd1hvy\hermes-decrypter-new.exe". ... VTI Actions Go to Behavior Go to file details
Sets the desktop wallpaper to the file "c:\users\fd1hvy\desktop\hermes-decrypter-new.exe". ... VTI Actions Go to Behavior Go to file details
2/5	Anti Analysis	Tries to detect virtual machine	1	-
Possibly trying to detect VM via rdtsc. ... VTI Actions
2/5	Anti Analysis	Makes direct system call to possibly evade hooking based sandboxes	8	-
Makes a direct system call to "NtQueryInformationProcess". ... VTI Actions
Makes a direct system call to "NtSetInformationThread". ... VTI Actions
Makes a direct system call to "NtOpenFile". ... VTI Actions
Makes a direct system call to "NtCreateSection". ... VTI Actions
Makes a direct system call to "NtMapViewOfSection". ... VTI Actions
Makes a direct system call to "NtClose". ... VTI Actions
Makes a direct system call to "NtProtectVirtualMemory". ... VTI Actions
Makes a direct system call to "NtQueryVirtualMemory". ... VTI Actions
2/5	Reputation	Known suspicious file	2	Trojan
File "C:\Users\FD1HVy\Desktop\Hermes.exe" is a known suspicious file. ... VTI Actions Go to file details
File "C:\FD1HVy\Hermes-decrypter-new.exe" is a known suspicious file. ... VTI Actions Go to file details Go to Behavior
1/5	Network	Performs DNS request	3	-
Resolves host name "www.google.com". ... VTI Actions Go to Behavior
Resolves host name "h139975.s08.test-hf.su". ... VTI Actions Go to Behavior
Resolves host name "giftshop.host". ... VTI Actions Go to Behavior
1/5	Persistence	Installs system startup script or application	1	-
Adds "C:\FD1HVy\Hermes-decrypter-new.exe" to Windows startup via registry. ... VTI Actions Go to Behavior
1/5	Device	Monitors mouse movements and clicks	1	-
Frequently reads the state of a mouse button by API. ... VTI Actions Go to Behavior
1/5	File System	Creates an unusually large number of files	1	-
Creates an unusually large number of files. ... VTI Actions Go to file details
1/5	Network	Connects to remote host	3	-
Outgoing TCP connection to host "172.217.22.36:443". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "5.101.152.98:80". ... VTI Actions Go to Behavior
Outgoing TCP connection to host "91.227.16.118:80". ... VTI Actions Go to Behavior
1/5	Network	Downloads file	1	-
Downloads file via http from "h139975.s08.test-hf.su/SmailFile/1.jpg". ... VTI Actions Go to file details Go to Behavior
1/5	Network	Downloads executable	1	Downloader
Downloads executable via http from "h139975.s08.test-hf.su/SmailFile/Hermes-decrypter-new.exe". ... VTI Actions Go to file details Go to Behavior
1/5	Network	Connects to HTTP server	3	-
URL "h139975.s08.test-hf.su/SmailFile/1.jpg". ... VTI Actions Go to Behavior
URL "h139975.s08.test-hf.su/SmailFile/Hermes-decrypter-new.exe". ... VTI Actions Go to Behavior
URL "giftshop.host/write.php?computer_name=NQDPDE&userName=FD1HVy&password=lV5MTdp=(I8f9TR&allow=ransom". ... VTI Actions Go to Behavior
1/5	Static	Unparsable sections in file	1	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\FD1HVy\Desktop\Hermes.exe. ... VTI Actions Go to file details

Screenshots

Monitored Processes

Sample Information

ID	#661271
MD5	834ff8a44652ebeb620bffe8a945de03
SHA1	97e2f8ae51c63baaf9340776666d9bed272db38f
SHA256	7558b47e44541d2417d91ce9308ada497f41fb2f550d9bc43231634fe2c1d5b9
SSDeep	98304:QzHoxAJ5v1XlxuRSptA3mz9CKfHGFUWWsgkSeL2wmidHHoWv/heIY:42Ar1VxuRSptUmz9J3kSeLCAH3/RY
ImpHash	0f95a431ac4033f952fb4eecc31cf15d
Filename	Hermes.exe
File Size	5.38 MB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-05-24 18:55 (UTC+2)
Analysis Duration	00:04:43
Number of Monitored Processes	3
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	2
Number of YARA Matches	0
Termination Reason	Timeout
Tags

Remarks (1/1)

VMRay Threat Indicators (21 rules, 42 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After