MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0116f75b2dfe1d64cd9d19f4cac4d142d29792b966e40c1cbc8ded58adef679b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0116f75b2dfe1d64cd9d19f4cac4d142d29792b966e40c1cbc8ded58adef679b
SHA3-384 hash: 40620f036d87eb2c42487282b05be7134729b9058cc703dcc991e8b9b29a1b98d0d1e214cfe8f6cee02a5ae5aabf90f7
SHA1 hash: 35da107bf751c38aa888cf2a7589c932aa52c781
MD5 hash: ca3a3affef47940afa552c7afcfe47d5
humanhash: bakerloo-cardinal-yankee-edward
File name:ca3a3affef47940afa552c7afcfe47d5
Download: download sample
File size:4'983'646 bytes
First seen:2021-06-24 00:27:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 98304:zNHasxrSpS7p7laDjsF1+tl/C3KKyjuARi4hrGH5MHCOt1FhgO50F+:hHaA+pSRla0b+tl6adJi4No6lkC0F+
Threatray 5'680 similar samples on MalwareBazaar
TLSH 7B363363BB830439F5158AB998968464BC677F3907E28D272E75F30D297134378BD22B
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ca3a3affef47940afa552c7afcfe47d5
Verdict:
Suspicious activity
Analysis date:
2021-06-24 00:28:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f2a7c3d3-a9d3-477a-b3d4-a3c8ff010427

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Malware.Speedingupmypc-6718419-0
Create hunting rule

Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da395664-3da0-48c1-bb86-a24db33bdc4b
Result
Threat name:
CryptOne Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
58 / 100
Link:
https://www.joesandbox.com/analysis/806983
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439413 Sample: G9De2lmybO Startdate: 24/06/2021 Architecture: WINDOWS Score: 58 87 Antivirus / Scanner detection for submitted sample 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 Yara detected Mofksys 2->91 93 5 other signatures 2->93 10 G9De2lmybO.exe 1 3 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 9 1 2->17         started        19 7 other processes 2->19 process3 dnsIp4 77 192.168.2.1 unknown unknown 10->77 63 C:\Windows\Resources\Themes\icsys.icn.exe, PE32 10->63 dropped 65 C:\Users\user\Desktop\g9de2lmybo.exe, PE32 10->65 dropped 103 Drops executables to the windows directory (C:\Windows) and starts them 10->103 21 icsys.icn.exe 2 10->21         started        25 g9de2lmybo.exe 2 10->25         started        105 Changes security center settings (notifications, updates, antivirus, firewall) 15->105 27 MpCmdRun.exe 15->27         started        79 127.0.0.1 unknown unknown 17->79 file5 signatures6 process7 file8 57 C:\Windows\Resources\Themes\explorer.exe, PE32 21->57 dropped 95 Drops executables to the windows directory (C:\Windows) and starts them 21->95 97 Drops PE files with benign system names 21->97 29 explorer.exe 2 15 21->29         started        59 C:\Users\user\AppData\...\g9de2lmybo.tmp, PE32 25->59 dropped 34 g9de2lmybo.tmp 32 108 25->34         started        36 conhost.exe 27->36         started        signatures9 process10 dnsIp11 81 codecmd03.googlecode.com 29->81 83 codecmd02.googlecode.com 29->83 85 2 other IPs or domains 29->85 67 C:\Windows\Resources\spoolsv.exe, PE32 29->67 dropped 111 System process connects to network (likely due to code injection or exploit) 29->111 113 Drops PE files with benign system names 29->113 38 spoolsv.exe 2 29->38         started        69 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 34->69 dropped 71 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 34->71 dropped 73 C:\Program Files (x86)\...\is-T748D.tmp, PE32 34->73 dropped 75 6 other files (none is malicious) 34->75 dropped 42 ngen.exe 34->42         started        file12 signatures13 process14 file15 61 C:\Windows\Resources\svchost.exe, PE32 38->61 dropped 99 Drops executables to the windows directory (C:\Windows) and starts them 38->99 101 Drops PE files with benign system names 38->101 44 svchost.exe 1 38->44         started        47 conhost.exe 42->47         started        49 mscorsvw.exe 42->49         started        51 mscorsvw.exe 42->51         started        53 30 other processes 42->53 signatures16 process17 signatures18 107 Detected CryptOne packer 44->107 109 Drops executables to the windows directory (C:\Windows) and starts them 44->109 55 spoolsv.exe 1 44->55         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0116f75b2dfe1d64cd9d19f4cac4d142d29792b966e40c1cbc8ded58adef679b/
Threat name:
Win32.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 13:18:54 UTC
AV detection:
45 of 46 (97.83%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2
1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
49656d6529c7d57485415a437cdf81e5b4ee698cb8f2551b8e135d0bab3eb2f9
57aa81416cfdbd76df2a15cb14810f8529ecab0eea978210a4ef3047f35a225e
5eb158bf47ebe6172da19eff3f5924634a91a4e10186b352ada8b027e1c3c527
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
a0e7f1f94826fc3b58496cd60e169d49afddb6987699498174af3638db6f7fd2
afc0c4fac5a07e2fedcb05e47c0f45572fe4689b403290c8db833cad34fb1a36
d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791
+ 5'670 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210624-2lf8tt4rqs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/530388f3-b203-4c77-95b5-4fa599f9a514/
SH256 hash:
ffd79b359459206d05e9fb3bc2d91a98ef904566b48933c4a831980af964c8f4
MD5 hash:
3f8c3018cf37129942c2d5354f4d379b
SHA1 hash:
64feff222693f7d51407cdd06febb61e0cc619a0
Link:
https://www.unpac.me/results/530388f3-b203-4c77-95b5-4fa599f9a514/
SH256 hash:
0116f75b2dfe1d64cd9d19f4cac4d142d29792b966e40c1cbc8ded58adef679b
MD5 hash:
ca3a3affef47940afa552c7afcfe47d5
SHA1 hash:
35da107bf751c38aa888cf2a7589c932aa52c781
Link:
https://www.unpac.me/results/530388f3-b203-4c77-95b5-4fa599f9a514/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0116f75b2dfe1d64cd9d19f4cac4d142d29792b966e40c1cbc8ded58adef679b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0116f75b2dfe1d64cd9d19f4cac4d142d29792b966e40c1cbc8ded58adef679b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393043/

Comments