MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryToy


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4
SHA3-384 hash: 14a92925bfec218f9b292132a176af8f5ab1c4ba41a164c2029379d70fa054cc014ca88807589e0af65406efe7fbb1a9
SHA1 hash: b91c567f479223b7a65fbe44e3429be08fde275a
MD5 hash: 0c6298d91e5f0a3317dc6db20dad3609
humanhash: west-coffee-glucose-oklahoma
File name:HEUR-Trojan.MSIL.Agent.gen-6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4
Download: download sample
Signature CryToy
Create hunting rule
File size:569'080 bytes
First seen:2022-09-24 09:39:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQq:gfp36sN5snUPjnUQq
Threatray 3'153 similar samples on MalwareBazaar
TLSH T198C4D0273359BA16D1EE1D3FB9DE01360B6DBD8225338E347E29238D5482385A94F6CD
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 271959694d6513a6 (2 x CryToy)
Reporter petikvx
Tags:CryToy exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
464
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2021-06-29 12:18:49 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/d3868950-4456-4c42-8887-315effb0038a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312844/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows subdirectories
Launching a process
Сreating synchronization primitives
Creating a window
Searching for the window
Changing a file
Setting a global event handler
Creating a file
Creating a process from a recently created file
Forced system process termination
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Launching cmd.exe command interpreter
Moving a file to the %AppData% subdirectory
Reading critical registry keys
Moving a file to the Program Files subdirectory
Blocking the Windows Defender launch
Changing the Windows explorer settings
Stealing user critical data
Deleting volume shadow copies
Encrypting user's files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
filecoder overlay packed
Link:
https://www.filescan.io/uploads/632ed0eb87e2da2da1031e3b/reports/cef9fe5a-76ed-454d-ac9c-47574c725cd6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d32ff0d-bd8c-4a8f-9a9f-78d97697f7ce
Result
Threat name:
CryToy
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076444
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Delete shadow copy via WMIC
Tries to detect virtualization through RDTSC time measurements
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected Costura Assembly Loader
Yara detected CryToy Ransomware
Yara detected RansomwareGeneric
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708986 Sample: bAuiCxmAoF.exe Startdate: 24/09/2022 Architecture: WINDOWS Score: 100 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 9 other signatures 2->80 8 cmd.exe 1 2->8         started        11 bAuiCxmAoF.exe 7 2->11         started        14 wbengine.exe 2->14         started        17 3 other processes 2->17 process3 dnsIp4 90 May disable shadow drive data (uses vssadmin) 8->90 92 Deletes shadow drive data (may be related to ransomware) 8->92 94 Uses bcdedit to modify the Windows boot settings 8->94 96 Deletes the backup plan of Windows 8->96 19 5wzjdlyi.exe 4 8->19         started        23 conhost.exe 8->23         started        64 C:\Windows\Temp\5wzjdlyi.exe, PE32 11->64 dropped 66 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 11->66 dropped 68 C:\Windows\Temp\peiisola.inf, Windows 11->68 dropped 70 C:\Users\user\AppData\...\bAuiCxmAoF.exe.log, ASCII 11->70 dropped 98 Tries to detect virtualization through RDTSC time measurements 11->98 25 cmstp.exe 8 7 11->25         started        72 192.168.2.1 unknown unknown 14->72 100 Creates files inside the volume driver (system volume information) 14->100 27 conhost.exe 17->27         started        file5 signatures6 process7 file8 56 C:\ProgramData\Microsoft\...\edb00001.log, DOS 19->56 dropped 58 C:\ProgramData\Microsoft\...\RunTime.xml, COM 19->58 dropped 60 C:\...\RunTime.xml.cryt0y (copy), COM 19->60 dropped 62 33 other malicious files 19->62 dropped 82 Antivirus detection for dropped file 19->82 84 Multi AV Scanner detection for dropped file 19->84 86 Protects its processes via BreakOnTermination flag 19->86 88 4 other signatures 19->88 29 cmd.exe 19->29         started        32 powershell.exe 19 19->32         started        34 powershell.exe 19 19->34         started        36 12 other processes 19->36 signatures9 process10 signatures11 102 May disable shadow drive data (uses vssadmin) 29->102 104 Deletes shadow drive data (may be related to ransomware) 29->104 106 Uses bcdedit to modify the Windows boot settings 29->106 108 Deletes the backup plan of Windows 29->108 38 conhost.exe 29->38         started        40 vssadmin.exe 29->40         started        52 7 other processes 29->52 42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        50 conhost.exe 36->50         started        54 9 other processes 36->54 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4/
Threat name:
ByteCode-MSIL.Ransomware.FileCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 18:42:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwg5ljleki5w7bmx3wiatj2dsw5urzpbvbmuofl45u4agszaw3ka._file
Verdict:
malicious
Similar samples:
3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea
CryToy
34cfa360c2efd052e71a29f2091723206cf2a74dc87c64b1d617e822f69b7180
CryToy
40fa2841472cc954499bfa367343a445a348ec9312744bdfb32cc671489eccc7
CryToy
99d9fe42d05e4c368933ec8586627943545b16598a6112e45c01c5552e68ab20
CryToy
9ad27fa8bb7d8258fb1e572c94d107181ba2314a4db4d3222c3e0dc407493b45
CryToy
b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945
CryToy
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
CryToy
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
CryToy
fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
CryToy
+ 3'143 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
agilenet evasion ransomware trojan
Link:
https://tria.ge/reports/220924-lm7l4aahh3/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Windows security modification
Deletes backup catalog
Executes dropped EXE
Modifies extensions of user files
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Modifies Windows Defender Real-time Protection settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d55df87d-9588-4ccb-afea-30915c34f217
Unpacked files
SH256 hash:
56a561aedfd04386557cd53df3b778630a9ae7bf24920e072effeaecfe749327
MD5 hash:
aeebd2a95115e0ee5bdc517e3c0cbdaa
SHA1 hash:
1a98c5635cd5a7dc3c312792803ef09fa8bd2157
Link:
https://www.unpac.me/results/7f0e16ea-0b66-4275-9d25-01526a393912/
SH256 hash:
6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4
MD5 hash:
0c6298d91e5f0a3317dc6db20dad3609
SHA1 hash:
b91c567f479223b7a65fbe44e3429be08fde275a
Link:
https://www.unpac.me/results/7f0e16ea-0b66-4275-9d25-01526a393912/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d8dd5a56452/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312844/

Comments