MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0740255f7b53654e2486e1275ae2e7d6c11d072849045c143f530c7b4c4fd1cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0740255f7b53654e2486e1275ae2e7d6c11d072849045c143f530c7b4c4fd1cf
SHA3-384 hash: 01a1febbc1af945da8681532193effeea722267c97972db7b003e1e9060bdd4c613c35b83e669c83d0aa192a7e8078c8
SHA1 hash: 02ef335fcea84e72db8f01e0db963227c7f4e043
MD5 hash: e8530662f3da98c34aa3b3d9e0434a4a
humanhash: emma-victor-winner-apart
File name:temp-woofer.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:14'219'398 bytes
First seen:2025-04-16 09:36:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 196608:tfbrUJU+ss0fhcfaUh8rCg9wE2HFqp+TwftnFkLIcDjs7aNbHO/bL/JPDOLCthvw:xbcUBxanmrCFEaPwftFkUcDjIzLRfPz0
Threatray 23 similar samples on MalwareBazaar
TLSH T1C5E623D71ED68298C017DC702FC787F6A1C666D980FA5A5F3AC3AC093470E4759892BB
TrID 42.6% (.EXE) Win32 Executable (generic) (4504/4/1)
19.4% (.ICL) Windows Icons Library (generic) (2059/9)
18.9% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 00928e8e8686b800 (21 x Mofksys, 9 x CryptOne, 5 x Amadey)
Reporter zhuzhu0009
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
479
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
temp-woofer.exe
Verdict:
Malicious activity
Analysis date:
2025-04-16 08:10:13 UTC
Tags:
jeefo
Link:
https://app.any.run/tasks/c428897f-14fa-4168-9815-4ce86f424ec2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2427/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ff65e2954c9c53de0b9c4f
Tags:
trojware swisyn spawn virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Setting a single autorun event
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto overlay packed packed packed packer_detected visual_basic
Link:
https://www.filescan.io/uploads/67ff7a4290767142c3d6e6bc/reports/b340c2f4-6ed2-451a-84d3-bd13f8fb9f59/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0740255f7b53654e2486e1275ae2e7d6c11d072849045c143f530c7b4c4fd1cf
Result
Verdict:
MALICIOUS
Malware family:
MOFKSYS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/098335cc-4716-4739-8daa-312984d8c63c
Result
Threat name:
CryptOne, Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1666209
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1666209 Sample: temp-woofer.exe Startdate: 16/04/2025 Architecture: WINDOWS Score: 100 62 googlecode.l.googleusercontent.com 2->62 64 codecmd03.googlecode.com 2->64 66 2 other IPs or domains 2->66 76 Antivirus / Scanner detection for submitted sample 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 6 other signatures 2->82 11 temp-woofer.exe 1 3 2->11         started        15 svchost.exe 2->15 injected 17 svchost.exe 2->17         started        19 6 other processes 2->19 signatures3 process4 dnsIp5 56 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 11->56 dropped 58 C:\Users\user\Desktop\temp-woofer.exe, PE32+ 11->58 dropped 98 Drops executables to the windows directory (C:\Windows) and starts them 11->98 22 icsys.icn.exe 3 11->22         started        26 temp-woofer.exe 11->26         started        100 Injects code into the Windows Explorer (explorer.exe) 15->100 28 consent.exe 2 15->28         started        30 explorer.exe 1 15->30         started        32 svchost.exe 15->32         started        102 Changes security center settings (notifications, updates, antivirus, firewall) 17->102 34 MpCmdRun.exe 17->34         started        68 127.0.0.1 unknown unknown 19->68 file6 signatures7 process8 file9 54 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 22->54 dropped 90 Antivirus detection for dropped file 22->90 92 Drops PE files with benign system names 22->92 36 explorer.exe 15 22->36         started        94 Found direct / indirect Syscall (likely to bypass EDR) 26->94 96 Writes to foreign memory regions 28->96 41 conhost.exe 34->41         started        signatures10 process11 dnsIp12 70 googlecode.l.googleusercontent.com 142.250.9.82, 49688, 49691, 49694 GOOGLEUS United States 36->70 72 172.217.215.82, 49690, 49693, 49698 GOOGLEUS United States 36->72 74 64.233.177.82, 49689, 49692, 49695 GOOGLEUS United States 36->74 52 C:\Windows\Resources\spoolsv.exe, MS-DOS 36->52 dropped 84 Antivirus detection for dropped file 36->84 86 System process connects to network (likely due to code injection or exploit) 36->86 88 Drops PE files with benign system names 36->88 43 spoolsv.exe 3 36->43         started        file13 signatures14 process15 file16 60 C:\Windows\Resources\svchost.exe, MS-DOS 43->60 dropped 104 Antivirus detection for dropped file 43->104 106 Multi AV Scanner detection for dropped file 43->106 108 Drops PE files with benign system names 43->108 47 svchost.exe 2 2 43->47         started        signatures17 process18 signatures19 110 Antivirus detection for dropped file 47->110 112 Multi AV Scanner detection for dropped file 47->112 114 Detected CryptOne packer 47->114 116 Drops executables to the windows directory (C:\Windows) and starts them 47->116 50 spoolsv.exe 1 47->50         started        process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0740255f7b53654e2486e1275ae2e7d6c11d072849045c143f530c7b4c4fd1cf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0740255f7b53654e2486e1275ae2e7d6c11d072849045c143f530c7b4c4fd1cf/
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2025-04-16 08:10:13 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a5ackx33knsu4jeg4etvvyxh23ar2bzijecfyfb7kmghwtcp2hhq._file
Verdict:
malicious
Label(s):
mofksys
Create hunting rule
Similar samples:
0071fd8f074a69e3145106a3a8607844e5bdafe96ad70e307d5b54c0094a0103
CryptOne
0d237244a7f008094c4aceb20d24d34549f6e3781451efa79c2bdb0351836777
CryptOne
1707efe35749f4477db431f041481a46dd48d22431e6846f4e13bff760dc4033
CryptOne
424184864024bb1e9569e634f670ce8a8f0467af692068a2edd4dc4f91454afa
CryptOne
5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4
CryptOne
676a40f2c599ffe574343860e190a7c293ade8e32cd83b66f6ff6f8d4c0b3a53
CryptOne
88a02c1118bdb8e67a28ced14695f26c41b69da56c8e028b0e1bf3f7b9b6314f
CryptOne
b43b684261e61c83d19cadb916bff7d115ae34d3d69c4e4afbcc11b6a5a3ca43
CryptOne
b7974dfd10dea3d89979b441677202d9be7d5c9eab26df59b9d7afe27f56a290
CryptOne
error
CryptOne
f7112f236e9bae2fa1ca721ee1979d55c530944e6dfa42bc58b25072f2fa1025
CryptOne
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/250416-lljhwazxex/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Modifies visiblity of hidden/system files in Explorer
Verdict:
Malicious
Tags:
Win.Trojan.VBGeneric-6735875-0
YARA:
n/a
Link:
https://app.threat.zone/submission/d25bc60a-4981-4711-8c85-e831e42be97a
Unpacked files
SH256 hash:
0740255f7b53654e2486e1275ae2e7d6c11d072849045c143f530c7b4c4fd1cf
MD5 hash:
e8530662f3da98c34aa3b3d9e0434a4a
SHA1 hash:
02ef335fcea84e72db8f01e0db963227c7f4e043
Link:
https://www.unpac.me/results/1fd8c6fd-0a92-4d62-a543-5e6d53622bf0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0740255f7b53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_7526f106
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_cbe3313a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/c428897f-14fa-4168-9815-4ce86f424ec2
Cape
Cape
https://www.capesandbox.com/analysis/2427/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaCopyBytes
MSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaExitProc
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen

Comments