MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryToy


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
SHA3-384 hash: 4b82e586d7f60160401009f32ac11baf64bab88929bc583da5c966958d1dce629c6905327c13add035f8fb19f0b43c23
SHA1 hash: a071690fa220c12e9b5fa85e70dc3e7c42b30893
MD5 hash: 2102422fdf58e1f1ea628e864576f437
humanhash: sad-two-green-cardinal
File name:HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
Download: download sample
Signature CryToy
Create hunting rule
File size:568'952 bytes
First seen:2022-09-24 09:39:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg
Threatray 2'967 similar samples on MalwareBazaar
TLSH T1FBC4D0273359BA16D1EE1D3FB9DE01360B6DBD8225338E347E29238D5482385A94F6CD
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 271959694d6513a6 (2 x CryToy)
Reporter petikvx
Tags:CryToy exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
465
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2.exe
Verdict:
Malicious activity
Analysis date:
2021-06-28 16:28:04 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/a97b1b21-6254-4b1e-8c10-55f23bab927b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312846/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the Program Files subdirectory
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file in the Windows subdirectories
Launching a process
Сreating synchronization primitives
Creating a window
Changing a file
Setting a global event handler
Creating a file
Creating a process from a recently created file
Forced system process termination
Moving a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Launching cmd.exe command interpreter
Moving a file to the %AppData% subdirectory
Reading critical registry keys
Blocking the Windows Defender launch
Changing the Windows explorer settings
Stealing user critical data
Encrypting user's files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/632ed0eeda5bfff0bb71dd58/reports/d276b6ff-57cd-4a09-85d8-624d1baa7ca4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3cac70e-6054-4298-b660-1ce6ef00848c
Result
Threat name:
CryToy, TrojanRansom
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076442
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Delete shadow copy via WMIC
Tries to detect virtualization through RDTSC time measurements
Uses bcdedit to modify the Windows boot settings
Yara detected Costura Assembly Loader
Yara detected CryToy Ransomware
Yara detected RansomwareGeneric
Yara detected TrojanRansom
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708984 Sample: n7bxmvS8Mh.exe Startdate: 24/09/2022 Architecture: WINDOWS Score: 100 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 10 other signatures 2->77 8 cmd.exe 1 2->8         started        11 n7bxmvS8Mh.exe 7 2->11         started        14 wbengine.exe 2->14         started        16 3 other processes 2->16 process3 file4 87 May disable shadow drive data (uses vssadmin) 8->87 89 Deletes shadow drive data (may be related to ransomware) 8->89 91 Uses bcdedit to modify the Windows boot settings 8->91 93 Deletes the backup plan of Windows 8->93 18 g5gdis5r.exe 4 8->18         started        22 conhost.exe 8->22         started        63 C:\Windows\Temp\g5gdis5r.exe, PE32 11->63 dropped 65 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 11->65 dropped 67 C:\Windows\Temp\tomfuz0l.inf, Windows 11->67 dropped 69 C:\Users\user\AppData\...\n7bxmvS8Mh.exe.log, ASCII 11->69 dropped 95 Tries to detect virtualization through RDTSC time measurements 11->95 24 cmstp.exe 8 7 11->24         started        97 Creates files inside the volume driver (system volume information) 14->97 26 conhost.exe 16->26         started        signatures5 process6 file7 55 C:\...\LuUxAYUXcD.exe (copy), PE32 18->55 dropped 57 C:\Users\user\Desktop\...\BPMLNOBVSB.jpg, data 18->57 dropped 59 C:\Users\user\Desktop59WTVCDUMOB.docx, data 18->59 dropped 61 C:\Users\user\Desktop\BPMLNOBVSB.jpg, data 18->61 dropped 79 Antivirus detection for dropped file 18->79 81 Multi AV Scanner detection for dropped file 18->81 83 Protects its processes via BreakOnTermination flag 18->83 85 3 other signatures 18->85 28 cmd.exe 18->28         started        31 powershell.exe 20 18->31         started        33 powershell.exe 19 18->33         started        35 12 other processes 18->35 signatures8 process9 signatures10 99 May disable shadow drive data (uses vssadmin) 28->99 101 Deletes shadow drive data (may be related to ransomware) 28->101 103 Uses bcdedit to modify the Windows boot settings 28->103 105 Deletes the backup plan of Windows 28->105 37 conhost.exe 28->37         started        39 vssadmin.exe 28->39         started        51 7 other processes 28->51 41 conhost.exe 31->41         started        43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 35->47         started        49 conhost.exe 35->49         started        53 9 other processes 35->53 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997/
Threat name:
ByteCode-MSIL.PUA.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 18:42:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
20 of 25 (80.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=776dzuyeukahiytwup5fqcqi6ppgviw3iglmfdv5dsifmb66bglq._file
Verdict:
malicious
Similar samples:
3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea
CryToy
34cfa360c2efd052e71a29f2091723206cf2a74dc87c64b1d617e822f69b7180
CryToy
40fa2841472cc954499bfa367343a445a348ec9312744bdfb32cc671489eccc7
CryToy
6d8dd5a564523b6f8597dd9009a74395bb48e5e1a85947157ced38034b20b6d4
CryToy
99d9fe42d05e4c368933ec8586627943545b16598a6112e45c01c5552e68ab20
CryToy
9ad27fa8bb7d8258fb1e572c94d107181ba2314a4db4d3222c3e0dc407493b45
CryToy
b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945
CryToy
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
CryToy
f627cdcd4882aeee1329e0fb22e0cede29c0c743f40a002cbdbd1a4c2c6592ca
CryToy
+ 2'957 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
agilenet evasion ransomware trojan
Link:
https://tria.ge/reports/220924-lm7l4aahh5/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Windows security modification
Deletes backup catalog
Executes dropped EXE
Modifies extensions of user files
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Modifies Windows Defender Real-time Protection settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/68cc09f2-8782-4a09-891c-8389a42c3c62
Unpacked files
SH256 hash:
fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997
MD5 hash:
2102422fdf58e1f1ea628e864576f437
SHA1 hash:
a071690fa220c12e9b5fa85e70dc3e7c42b30893
Link:
https://www.unpac.me/results/ebbba6ab-b5c7-4d7c-a8a0-04c853294ff1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312846/

Comments