MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cf764f2d741913eaef6b66ec61e9f757bb7f053644ed6d5d534771a6ed787f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cf764f2d741913eaef6b66ec61e9f757bb7f053644ed6d5d534771a6ed787f6
SHA3-384 hash: e3fd13f3a04ae4a1e9f65a8f4b3afc7243d5a460a2560acf44b01318a5be498d507d8e6f6abc7aca4087d54b64a86b02
SHA1 hash: fe0a4e2e131b9129ab5986751d6393f4193e20da
MD5 hash: da231af4101fc708d55def7ebc044ae7
humanhash: indigo-potato-fish-fillet
File name:da231af4101fc708d55def7ebc044ae7.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'885'396 bytes
First seen:2022-11-11 10:18:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:UDWHSb4N70eHVzPuZeBIJM9yxPaiGtDL+cjwRvRjunuN/G7BraqBvhV5OgV4d3oJ:v84HHl8eBmMiGmDunuorVlmGN7
TLSH T152952301BA815572DA215E77563A5A21A93C7C201B38CFDBB7E46A1DDA310C0BB35FB3
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da231af4101fc708d55def7ebc044ae7.exe
Verdict:
Malicious activity
Analysis date:
2022-11-11 10:34:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/359a485d-2393-4ab7-bf19-ccf4df5a8497

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332401/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51292/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/636e219d20a0b4943a8ee1ed/reports/388c4175-4fca-4db0-b29f-3e1d0ab5a496/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a595c4d9-b13b-4b26-bb19-a3620df3e87a
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1111201
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743898 Sample: uPEPkVM2FJ.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 72 22 Multi AV Scanner detection for dropped file 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected CryptOne packer 2->26 28 2 other signatures 2->28 9 uPEPkVM2FJ.exe 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\fQ3iU.Xv0, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cf764f2d741913eaef6b66ec61e9f757bb7f053644ed6d5d534771a6ed787f6/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-11 08:26:47 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ht3wj4wxigit5lxwwzxmmhu7ov53p4ctmrhnnvovgr3ru3wxq73a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221111-mcjb7aee23/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1381388e-801a-4ac4-82d7-712695e1ca5b
Unpacked files
SH256 hash:
3ec50485742910fac01d0a01cc4c8120b75601c158ddaee8aa42f5afcbc2a563
MD5 hash:
a24c0a18686fab641351d37913789e74
SHA1 hash:
57e49a4bf9af9932710990d5ec5c288562b7f346
Link:
https://www.unpac.me/results/6452afc1-3dda-4a23-8d56-c0aaafa137b7/
SH256 hash:
6ee1a421853d20b8b74dcc600a6859be9fbcb83c8958ace4c90b73d03dc64b1a
MD5 hash:
9302c93d2de38b5d0b68b8f67ed0f930
SHA1 hash:
551421be599698588f446d18e914ce3fc427126c
Link:
https://www.unpac.me/results/6452afc1-3dda-4a23-8d56-c0aaafa137b7/
SH256 hash:
3cf764f2d741913eaef6b66ec61e9f757bb7f053644ed6d5d534771a6ed787f6
MD5 hash:
da231af4101fc708d55def7ebc044ae7
SHA1 hash:
fe0a4e2e131b9129ab5986751d6393f4193e20da
Link:
https://www.unpac.me/results/6452afc1-3dda-4a23-8d56-c0aaafa137b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cf764f2d741913eaef6b66ec61e9f757bb7f053644ed6d5d534771a6ed787f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 3cf764f2d741913eaef6b66ec61e9f757bb7f053644ed6d5d534771a6ed787f6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2405501/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/332401/

Comments