MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 032c59d8a9364ce30ded3ef4aa5cd6b6d632d1fcd994c03de02088db247e7d2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	032c59d8a9364ce30ded3ef4aa5cd6b6d632d1fcd994c03de02088db247e7d2d
SHA3-384 hash:	10b04d9caa5c778df72d59040978001f767c1d07bc7f088a6421b3464a4b36f35770840c9439e33ab61b4a2d46c498aa
SHA1 hash:	5e85fe7bddfd0dc0da4f11162b911a0c86765455
MD5 hash:	ad6a2cddcf2d8955ecec900cb2432aff
humanhash:	north-romeo-lima-network
File name:	ad6a2cddcf2d8955ecec900cb2432aff.bin
Download:	download sample
File size:	137'584 bytes
First seen:	2023-03-11 17:44:20 UTC
Last seen:	2023-03-11 19:32:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	42c33bd1a58284475b1c911a0256f875 (2 x RedLineStealer, 1 x RecordBreaker)
ssdeep	1536:93KuYpOqh2zQhwJUYxogXnJkaryJN2xK50ZysRBqT3WrBvJyXg+wr02xvw9XJ5y2:93KrOr0C5M2xK2ZyiB23qJogbxvwg2
Threatray	2 similar samples on MalwareBazaar
TLSH	T1BBD3591332888175E5BDD7F86195AA35A9BC623027DF514FAB5C02EF0D11BF062BC62B
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13097/50/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	bin exe

Intelligence

File Origin

# of uploads :

# of downloads :

213

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ad6a2cddcf2d8955ecec900cb2432aff.bin

Verdict:

Suspicious activity

Analysis date:

2023-03-11 17:45:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/05768046-533d-42b0-a805-e23393a62109

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/373600/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.20890.24497.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Reading critical registry keys

Sending a custom TCP request

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/72709/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/640cbe20c7fa23d27f72da5f/reports/5d08eb29-7154-4a39-b394-7cd706f5cd54/overview

Verdict:

Malicious

Labled as:

Kryptik.HRTM trojan

Link:

https://www.hybrid-analysis.com/sample/032c59d8a9364ce30ded3ef4aa5cd6b6d632d1fcd994c03de02088db247e7d2d

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d361ff3b-bdcf-4373-9c8e-14d8e550154c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1191774

Signature

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/032c59d8a9364ce30ded3ef4aa5cd6b6d632d1fcd994c03de02088db247e7d2d/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2023-03-11 18:14:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=amwftwfjgzgogdpnh32kuxgww3ldfup43gkmappaecenwjd6puwq._file

Verdict:

malicious

f476c1562bd503892b3219dff369a6f0a20eb667484237d380645d65dfd5a765

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230311-wbp8sace41/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

7cdae8e3531a0ad631e07f351cb485065a697a147c431b5ddf97facfbfc10bf0

MD5 hash:

41f39df6d7243675e36805d9a591c350

SHA1 hash:

ed58960de43c9527505d1f15d4809dcab98d3d4a

Link:

https://www.unpac.me/results/b4c54db3-ed0d-4be4-b830-5a7b9373640d/

SH256 hash:

032c59d8a9364ce30ded3ef4aa5cd6b6d632d1fcd994c03de02088db247e7d2d

MD5 hash:

ad6a2cddcf2d8955ecec900cb2432aff

SHA1 hash:

5e85fe7bddfd0dc0da4f11162b911a0c86765455

Link:

https://www.unpac.me/results/b4c54db3-ed0d-4be4-b830-5a7b9373640d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/032c59d8a936/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/032c59d8a9364ce30ded3ef4aa5cd6b6d632d1fcd994c03de02088db247e7d2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/373600/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample