MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1688a5d18382601fb6cc692f38d748d80662ef99609062d4a34236d1f15bc58f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1688a5d18382601fb6cc692f38d748d80662ef99609062d4a34236d1f15bc58f
SHA3-384 hash: f1460965d597a582c83b3e0d4b7d955a799e230f034c5b4184daac6699140277dcaf211165caf49939ebe470da98c8e3
SHA1 hash: 727139a2cad0de9a65d1492f1b4105317866bc5f
MD5 hash: e60a3661d72d0ecb83bc254dab127227
humanhash: mountain-fifteen-glucose-undress
File name:1688a5d18382601fb6cc692f38d748d80662ef99609062d4a34236d1f15bc58f
Download: download sample
File size:2'664'672 bytes
First seen:2021-03-29 07:09:00 UTC
Last seen:2021-03-29 07:48:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba4cc0afb12afe0a3f885ae6696404ed (1 x ArkeiStealer)
ssdeep 49152:ag6rPO37fzH4A6hanqNCTBS0wp/cFWw9BZ:D6rPO37fzH4A6h09Ii59
Threatray 588 similar samples on MalwareBazaar
TLSH 13C5D032F2A28873D2731E769D4783914576BF183F34A49736E91F0C6E782817A272D2
Reporter JAMESWT_WT
Tags:LTD SERVICES LIMITED signed

Code Signing Certificate

Organisation:LTD SERVICES LIMITED
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-18T00:00:00Z
Valid to:2022-03-18T23:59:59Z
Serial number: 7d36cbb64bc9add17ba71737d3ecceca
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 05be3171ca7272803d139ca13b16c24a3dd22917b1b8d6d0fd5401e63a79dd27
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cracksole.com/
Verdict:
Malicious activity
Analysis date:
2021-03-27 11:07:42 UTC
Tags:
opendir trojan
Link:
https://app.any.run/tasks/13ff5eb4-77c9-4ee5-b9f9-6344677a458a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127478/
Detection(s):
PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a custom TCP request
DNS request
Sending a UDP request
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2422848f-8e6d-40e8-9105-ad666f9fd01b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/656510
Signature
Detected unpacking (changes PE section rights)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1688a5d18382601fb6cc692f38d748d80662ef99609062d4a34236d1f15bc58f/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 02:13:31 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
3d3095586bf72d6b631e44681654c68707a6f07987b02e367e7d88ac9ddab77c
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4
6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a
aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb
d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21
+ 578 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210329-1rjp6825zn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
ffee418630863c5ba63d37ab65a2617fa8c64f1c5c774e0f2f2c072cab5cb931
MD5 hash:
579b668588c5b873231f697c18aec4d7
SHA1 hash:
d3e322d5b867abed9cc10487e5c14b541b173d65
Link:
https://www.unpac.me/results/65827403-f139-464c-81a1-bc8055378cac/
SH256 hash:
1688a5d18382601fb6cc692f38d748d80662ef99609062d4a34236d1f15bc58f
MD5 hash:
e60a3661d72d0ecb83bc254dab127227
SHA1 hash:
727139a2cad0de9a65d1492f1b4105317866bc5f
Link:
https://www.unpac.me/results/65827403-f139-464c-81a1-bc8055378cac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1688a5d18382601fb6cc692f38d748d80662ef99609062d4a34236d1f15bc58f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127478/

Comments