MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1608dd48e7863935e8fac270049bfb7ea9d622538082ce76d28c1677e53e90bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1608dd48e7863935e8fac270049bfb7ea9d622538082ce76d28c1677e53e90bf
SHA3-384 hash: 8855f8f6059a8873b4ccf1b389993286a8e0a4d5ba565012b9eafa340d13e15f717c541192d50f9af83c6678b1c0f4bd
SHA1 hash: dc1cd7009bcb4e7e8d014409e5023af6165b3c1c
MD5 hash: e01d6a3a208f7a7c56a9ca01ef73462e
humanhash: undress-robert-purple-snake
File name:e01d6a3a208f7a7c56a9ca01ef73462e.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:2'450'366 bytes
First seen:2022-11-08 07:47:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 033fc3209214566af0e06e5863a94256 (5 x CryptOne)
ssdeep 49152:oeZB+BfJXAEr0CYmlKk1dk8EsadwnHeLFzkd9mFg2jTe/L8n:oeZB+BfKEACYmAzjdwqzkiFzf4L8n
Threatray 1'849 similar samples on MalwareBazaar
TLSH T1AAB5230177C15873CEB20EB25A309BA6E5BEBC704F25C5CB67D89C1DAD320E14A77626
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e01d6a3a208f7a7c56a9ca01ef73462e.exe
Verdict:
Malicious activity
Analysis date:
2022-11-08 07:53:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e189ff07-e87d-4ed6-b988-c591cacbee16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330408/
Detection(s):
SecuriteInfo.com.Trojan.Ciusky.Gen.6.13535.7007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49991/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/636a09b64965a861c71fbaf3/reports/4e027bb8-b288-4dc8-b21e-215c2b760e67/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0dbe92cd-4182-42a4-9308-2016bdfb8d83
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1108029
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 740691 Sample: 65ukCaGIj2.exe Startdate: 08/11/2022 Architecture: WINDOWS Score: 88 22 Antivirus detection for dropped file 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 Multi AV Scanner detection for dropped file 2->26 28 4 other signatures 2->28 9 65ukCaGIj2.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\5v44~E.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1608dd48e7863935e8fac270049bfb7ea9d622538082ce76d28c1677e53e90bf/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 20:08:04 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyen2shhqy4tl2h2yjyajg73p2u5mistqcbm45wsrqlhpzj6sc7q._file
Verdict:
malicious
Similar samples:
10f1d986b6f2654efc7755aa433247b63228ce237a97f9eb29bfb74d0b602acd
CryptOne
2709f083327060b896501645e3263462cf0e329645e41f6d4556276904c51856
CryptOne
3a0597925d2b7686d2386591f60a7abe686c0e10e2e164405270cc0d83e4b128
CryptOne
476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4
CryptOne
51986665322a79945ae565a363862e8007b3be459855f27c11c062da0eb59db8
CryptOne
996c4e5418405912b929e7916def0a6c0aaedf77065ec5725f4782b00fb1464e
CryptOne
d66671894b4128adf6ff365ef0769f831bfe4738c7452f1e094b0e35dda94b8a
CryptOne
e9f669028697238e2a9a181b9e409909695d03eccd09a35db30729fb51952527
CryptOne
ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83
CryptOne
+ 1'839 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221108-jm4t4agdbq/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c5c8323b-ecd1-4dc9-92e0-108a02ecdd4b
Unpacked files
SH256 hash:
14f9f16927b9fdec39b5b8a25db7a622ba9eedfc1149751eebe468d912a2cf53
MD5 hash:
aab0ca7db4cd05139f3e80ea95d2e1fe
SHA1 hash:
2751a5fc3f2b9b04ceeab5a6419fbcc844f08aa3
Link:
https://www.unpac.me/results/4b85d639-bd70-479e-a287-38b97c313390/
SH256 hash:
2de06544a657cd09cf4e4033b592817df8ac0e78616110ff98a849c3bc28303d
MD5 hash:
5ca5b841185268d3182862e4073c161c
SHA1 hash:
bc70feb926d779d04ad0e1f6d45713de8b8831a2
Link:
https://www.unpac.me/results/4b85d639-bd70-479e-a287-38b97c313390/
SH256 hash:
1608dd48e7863935e8fac270049bfb7ea9d622538082ce76d28c1677e53e90bf
MD5 hash:
e01d6a3a208f7a7c56a9ca01ef73462e
SHA1 hash:
dc1cd7009bcb4e7e8d014409e5023af6165b3c1c
Link:
https://www.unpac.me/results/4b85d639-bd70-479e-a287-38b97c313390/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1608dd48e786/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1608dd48e7863935e8fac270049bfb7ea9d622538082ce76d28c1677e53e90bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 1608dd48e7863935e8fac270049bfb7ea9d622538082ce76d28c1677e53e90bf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2401723/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/330408/

Comments