MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22e6cacc4b61b0a95c6d0f85ee569e005824a07bbb409009332bfd66641e2051. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptOne

Vendor detections: 10



SHA256 hash: 22e6cacc4b61b0a95c6d0f85ee569e005824a07bbb409009332bfd66641e2051
SHA3-384 hash: 272a61e1d7967115c764e968dc2f8128e994a3391bcd1d11667ba3a2f0560b41f82fab451f7e01826aef6ab6bbd5881f
SHA1 hash: b7c0fe95486dc54d22db26754a0673eea7886e51
MD5 hash: 74b775941bf4e5c5da8e98d35c9a88d2
humanhash: washington-nitrogen-sierra-mexico
File name: 22e6cacc4b61b0a95c6d0f85ee569e005824a07bbb409009332bfd66641e2051
Signature: CryptOne
File size: 18'390'312 bytes
First seen: 2022-10-11 07:11:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 393216:L+GdyNmTfJDdcKZs46HxaNDudh3H7Hkj9CsnRbh1uQ7oiTlni6X3p+uci:L+GdyNMtSKZsvx8DuL3jCEsnRlBni6XD
Threatray 4 similar samples on MalwareBazaar
TLSH T1430733026950402AC9420B710CEDBC18A46F7F1C3676B8E665E3B3F8D7326167E65E6F
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon ccc0a23333b2c0cc (2 x CryptOne)
Reporter JAMESWT_WT
Tags: CryptOne exe fake outbyte drive rupdater

Intelligence

File Origin
# of uploads: 1
# of downloads: 406
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Setting a single autorun event
Enabling a "Do not show hidden files" option
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: CryptOne, Mofksys
Detection: malicious
Classification: spre.evad
Score: 64 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Mofksys
Behaviour
Behavior Graph: ID 720291, sample XD1VfNqrYH.exe, start date 11/10/2022, architecture WINDOWS, score 64 (graph rendering not reproduced here)
Threat name: Win32.Trojan.Golsys
Status: Malicious
First seen: 2022-05-10 01:11:47 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 25 of 25 (100.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion persistence spyware stealer
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies visibility of hidden/system files in Explorer
Gathering data
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments