MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2
SHA3-384 hash: 138039c5e5e7460397616deffcf51a8d71013f8027756526fcb830241269f9caef95d5e15be455df793117c95be3e9c3
SHA1 hash: 8ba08bee1481577a605d58e47bc3483ba9cd1914
MD5 hash: 241f6c3a796c81ddbe536d734f2b83cd
humanhash: cat-aspen-item-carbon
File name:241f6c3a796c81ddbe536d734f2b83cd
Download: download sample
File size:1'733'873 bytes
First seen:2021-06-23 23:56:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 49152:3uyy06gy0KVs7ytPuuburqP+tnmISF5lDe4Sr62:L6g0VGKfAm1F5lDe4Sr62
Threatray 5'762 similar samples on MalwareBazaar
TLSH 198512232A5454BEF021C5F99C529A9EF7757E260BB09F0B5353AE421A3260339FD31B
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
241f6c3a796c81ddbe536d734f2b83cd
Verdict:
Suspicious activity
Analysis date:
2021-06-24 00:00:14 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c04d9fc1-2b24-46e7-a8c9-57b05fe33f86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e39f83d9-feb8-4321-bf0a-49ee5a9767b2
Result
Threat name:
CryptOne Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/806957
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439368 Sample: EKUz6M814W Startdate: 24/06/2021 Architecture: WINDOWS Score: 64 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Yara detected Mofksys 2->79 81 5 other signatures 2->81 10 EKUz6M814W.exe 1 3 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 9 1 2->17         started        19 10 other processes 2->19 process3 dnsIp4 65 192.168.2.1 unknown unknown 10->65 59 C:\Windows\Resources\Themes\icsys.icn.exe, PE32 10->59 dropped 61 C:\Users\user\Desktop\ekuz6m814w.exe, PE32+ 10->61 dropped 99 Drops executables to the windows directory (C:\Windows) and starts them 10->99 21 icsys.icn.exe 2 10->21         started        25 ekuz6m814w.exe 1 65 10->25         started        101 Changes security center settings (notifications, updates, antivirus, firewall) 15->101 27 MpCmdRun.exe 15->27         started        67 127.0.0.1 unknown unknown 17->67 file5 signatures6 process7 file8 47 C:\Windows\Resources\Themes\explorer.exe, PE32 21->47 dropped 83 Antivirus detection for dropped file 21->83 85 Machine Learning detection for dropped file 21->85 87 Drops executables to the windows directory (C:\Windows) and starts them 21->87 89 Drops PE files with benign system names 21->89 29 explorer.exe 14 21->29         started        49 C:\Program Files\WinRAR\Zip64.SFX, PE32+ 25->49 dropped 51 C:\Program Files\WinRAR\Zip.SFX, PE32 25->51 dropped 53 C:\Program Files\WinRAR\WinRAR.exe, PE32+ 25->53 dropped 55 23 other files (none is malicious) 25->55 dropped 34 Uninstall.exe 217 11 25->34         started        36 conhost.exe 27->36         started        signatures9 process10 dnsIp11 69 codecmd03.googlecode.com 29->69 71 codecmd02.googlecode.com 29->71 73 2 other IPs or domains 29->73 63 C:\Windows\Resources\spoolsv.exe, PE32 29->63 dropped 103 Antivirus detection for dropped file 29->103 105 System process connects to network (likely due to code injection or exploit) 29->105 107 Machine Learning detection for dropped file 29->107 109 Drops PE files with benign system names 29->109 38 spoolsv.exe 2 29->38         started        file12 signatures13 process14 file15 57 C:\Windows\Resources\svchost.exe, PE32 38->57 dropped 91 Drops executables to the windows directory (C:\Windows) and starts them 38->91 93 Drops PE files with benign system names 38->93 42 svchost.exe 2 2 38->42         started        signatures16 process17 signatures18 95 Detected CryptOne packer 42->95 97 Drops executables to the windows directory (C:\Windows) and starts them 42->97 45 spoolsv.exe 1 42->45         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2/
Threat name:
Win32.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 13:18:54 UTC
AV detection:
45 of 46 (97.83%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0327a45e02fb39e68d8fa5aa7f37290b5bc2fed4b65e6b34592ac07186b0f7bd
1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
57aa81416cfdbd76df2a15cb14810f8529ecab0eea978210a4ef3047f35a225e
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
81be23ce8636c948e1ac5c966ee5c34f738f8dc20aa85acedbca48f92e1ff363
92c9586c472eb0346e2e1423f5707e99667c7bb03f5497145b22fc1a9b3a9b77
a6ab3a1ec39d3a4c0660bbfdbe8cbbdd89d9278cca176d7bff77d7aab00dd7ed
bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4
f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757
+ 5'752 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210623-6haprj4qv6/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2
MD5 hash:
241f6c3a796c81ddbe536d734f2b83cd
SHA1 hash:
8ba08bee1481577a605d58e47bc3483ba9cd1914
Link:
https://www.unpac.me/results/aa2b3a3f-6228-4c96-9923-f563374c68bb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1c14ef28ffa377c7e45d048614826ecfb30cd292e7462214be3de7e4505b56c2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1392953/

Comments