MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40335fc69c45b3fefab11dfd6e562fbdcb2f2153ced916ddc68f44eecaab3d72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40335fc69c45b3fefab11dfd6e562fbdcb2f2153ced916ddc68f44eecaab3d72
SHA3-384 hash: d1520b823cc7353547105ac9668238dae0cb0effce8e2cb0000779ccb33a714e4f513aa262b99f0a717468566105ccf0
SHA1 hash: f82730129624648bc1a459935ab1b21e902e55f6
MD5 hash: 03fe82e54ce8f863a4a52ebba3d9eddd
humanhash: low-alabama-florida-sodium
File name:03fe82e54ce8f863a4a52ebba3d9eddd.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:2'214'294 bytes
First seen:2022-11-16 18:09:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:TlBfJXAEG+GSF4jgZFtUjW/vhJIdPubDK6jU1w+uqjkHmaiM:TlBfKE7VbUa/vYRUDK6j+VQxd
Threatray 2'572 similar samples on MalwareBazaar
TLSH T169A52311B9C19872C9B31E385A756E11A53D7CA00F68CE9FA3E8482CEE791C17739673
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
03fe82e54ce8f863a4a52ebba3d9eddd.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 18:17:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/660d9cfb-8aaf-4d81-b6dc-072c006e5d25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335002/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.17760.4241.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6375277e07c3f5e84a017caf/reports/a1b90759-1e20-4830-9443-7fab2f73cc4e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dcde4f12-adb8-45d9-a031-2639d5729712
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1115159
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747855 Sample: PzIq8pyVxV.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 88 22 Antivirus detection for dropped file 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 Multi AV Scanner detection for dropped file 2->26 28 4 other signatures 2->28 9 PzIq8pyVxV.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\5mR~.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40335fc69c45b3fefab11dfd6e562fbdcb2f2153ced916ddc68f44eecaab3d72/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 13:31:05 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iazv7ru4iwz756vrdx6w4vrpxxfs6iktz3mrnxogr5co5svlhvza._file
Verdict:
malicious
Similar samples:
03d65713f4af0362ffbabf2ac5a0eedbbb640e47b501e939d08080c86d083afd
CryptOne
41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db
CryptOne
4b1ffe4df1fa405add5439e82aca1f7c49070d5f7935fe0d50fa653d754b630c
CryptOne
4c3d353918e33a12f20eb6fa3640159baae150de48b1457d3141733e286ec577
CryptOne
6f27690e2304704aeb7f583859da9bb4466817b3d9a63cc3d7aaceb695ca843a
CryptOne
7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1
CryptOne
cd92100b5eee9f485facad22250d11ba811455710d2ca07e731f4d19741a571d
CryptOne
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
CryptOne
eb83685ce62e4b88847bde48a5ba0607fb6a37d359a70be5fdd33a5bec71bb5e
CryptOne
f9ca14fcdffeb48b11ea026812ac0a7dc941f27e0c1384dc8e9b83b18de4c2a7
CryptOne
+ 2'562 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221116-wr2xhscc63/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ccaf505e-6d3c-4b72-83d7-1b79b8984010
Unpacked files
SH256 hash:
846e64c4c6dd46db778e43424d984ffa685302ae2a3b617d8804d32d68d37f7a
MD5 hash:
37584929a2a241a1f1c252870ab474e4
SHA1 hash:
85449dcfe9039453f9bcf33c3a6fbee084be74a7
Link:
https://www.unpac.me/results/8452592f-339d-4c7e-94cf-d79cf12dfdc9/
SH256 hash:
5ef9dda9c89bca87c85986bd8064852880c390beae39b9e5ded52c90176f30cd
MD5 hash:
a00b89f3e02beb51c38e6bf92a2e1808
SHA1 hash:
2f05410586b87409185074c45fbb5122c36dd262
Link:
https://www.unpac.me/results/8452592f-339d-4c7e-94cf-d79cf12dfdc9/
SH256 hash:
40335fc69c45b3fefab11dfd6e562fbdcb2f2153ced916ddc68f44eecaab3d72
MD5 hash:
03fe82e54ce8f863a4a52ebba3d9eddd
SHA1 hash:
f82730129624648bc1a459935ab1b21e902e55f6
Link:
https://www.unpac.me/results/8452592f-339d-4c7e-94cf-d79cf12dfdc9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40335fc69c45b3fefab11dfd6e562fbdcb2f2153ced916ddc68f44eecaab3d72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 40335fc69c45b3fefab11dfd6e562fbdcb2f2153ced916ddc68f44eecaab3d72

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/335002/
  
URLhaus
https://urlhaus.abuse.ch/url/2412573/
  
Delivery method
Distributed via web download

Comments