MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca51190ba7eaccc49fe4f9194a9200eddd97b794564694a383dca290127e6b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca51190ba7eaccc49fe4f9194a9200eddd97b794564694a383dca290127e6b5
SHA3-384 hash: 85920ab45843689db974753b6938ccd3cab03d469fc69f1d60fd4d19f9809fc993dcbd7e35601364c74bc3bdfb2b55da
SHA1 hash: 0db03c4102679941ce1646a7bbfe0c9c85adddfa
MD5 hash: 0b2bf9dfc116cf80d9d08645d714bf84
humanhash: romeo-lion-alpha-moon
File name:0b2bf9dfc116cf80d9d08645d714bf84.exe
Download: download sample
File size:2'065'173 bytes
First seen:2022-01-15 08:36:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 24576:08qXhDyUY86Lm7ddrdYUDzVfJw+Jsv5zCDH0gjMUHRae4uDJAG/ENV3QbPM:084cExdjVfJ5sv5z2MeJ+G/ENOg
Threatray 1'144 similar samples on MalwareBazaar
TLSH T108A50309A143E27BFCFD08B7445081D4C29C7FAA7B128DCDE97AD58A151F482B7B2D86
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0b2bf9dfc116cf80d9d08645d714bf84.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-15 08:55:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a456c0da-0bda-46db-923c-9fd9339cbaaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219463/
Detection(s):
SecuriteInfo.com.Heur.3264.19485.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
DNS request
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4254/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay replace.exe setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/61e287b4e997359713f1587c/reports/d233f2f3-9352-4c65-8931-f9dfba6214b6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/921094
Signature
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Shell32 DLL Execution in Suspicious Directory
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553571 Sample: 1Qgrhi0ufw.exe Startdate: 15/01/2022 Architecture: WINDOWS Score: 64 22 Antivirus detection for dropped file 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Sigma detected: Suspicious Call by Ordinal 2->26 28 Sigma detected: Shell32 DLL Execution in Suspicious Directory 2->28 9 1Qgrhi0ufw.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\vYNR.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca51190ba7eaccc49fe4f9194a9200eddd97b794564694a383dca290127e6b5/
Threat name:
Win32.Ransomware.CerberCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-15 08:38:15 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3aa947c9f9eafb67064ea9cf2f0d1ec335a301a81e89f24faefefec3f6a0a2a3
7147f6e289cc0c676b4d679a1c013d4cb0f399594acd5bdd2774911a5bca317a
8393c3c10fcfaad79ef8ae38575d1b26aa2d3ae45fb6ed47b4f506f7abda6b1b
951049989eb772c71ec4fa9f0685ab45cae755ca5d34cf3089fd791999fafa1c
ab7553549ec32422ee868e71eb96fae87439a4c1333e400d455f31d0b74c8ef2
c54ca1df46d817348c9bdf18f857459d7ca05c51f7f309e4d4de085136e3ed76
f2433dfba69148a0c3a5a5951d360b6c3c045090de06f11e273f13ccd01c42f3
+ 1'134 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220115-kh6nkadde9/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
3ca51190ba7eaccc49fe4f9194a9200eddd97b794564694a383dca290127e6b5
MD5 hash:
0b2bf9dfc116cf80d9d08645d714bf84
SHA1 hash:
0db03c4102679941ce1646a7bbfe0c9c85adddfa
Link:
https://www.unpac.me/results/2676eaa5-c5b9-4a36-a8d7-1ddbb9b6df69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ca51190ba7eaccc49fe4f9194a9200eddd97b794564694a383dca290127e6b5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219463/

Comments