MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41048ad1af4c1173bbf058d96feccc42ede7b0b54616079615da633fbea47da1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptOne

Vendor detections: 10

SHA256 hash: 41048ad1af4c1173bbf058d96feccc42ede7b0b54616079615da633fbea47da1
SHA3-384 hash: a038674adc68b817b9b5f09d56af2950e05d5b53b9529190aaf342fe9f002453460957a3ec645511ef8431ce6597e211
SHA1 hash: 2d768f585d4e338fad8b67ebb9d635927986a150
MD5 hash: 9e26c058d2d636b73acd346be0d72d3b
humanhash: november-sink-solar-golf
File name: file
Signature: CryptOne
File size: 2'342'912 bytes
First seen: 2022-10-22 09:40:38 UTC
Last seen: 2022-10-22 11:27:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: eeca625c22453d3d4d8ad4ffeb916092 (1 x CryptOne, 1 x RedLineStealer)
ssdeep: 24576:jnooq4srp3F03uzd4RkU6WW6IVIlUEfX5il9e/wONbzDvswxMxvG:jpH3uzq6pIlUohXRzDv0
Threatray: 52 similar samples on MalwareBazaar
TLSH: T174B5E09CFAC4BF57CC678AB7916085B041F9CD9A6742D36BD469873B7C843AC0E93086
TrID: 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      17.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
      16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
      7.1% (.EXE) Clipper DOS Executable (2018/12)
Reporter: andretavare5
Tags: CryptOne exe


andretavare5
Sample downloaded from https://www.asimeformacion.es/12/AnlzrTrdng235965.exe

Intelligence


File Origin
Number of uploads: 47
Number of downloads: 243
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-10-22 09:57:41 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the system32 subdirectories
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: CryptOne, RedLine, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected VMProtect packer
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected CryptOne packer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID 728072, sample file.exe, start date 22/10/2022, architecture WINDOWS, score 100]
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2022-10-21 08:23:46 UTC
File Type: PE (.Net Exe)
AV detection: 17 of 26 (65.38%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: miner persistence vmprotect
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Detectes Phoenix Miner Payload
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 77307340e844d2c53102747cda2f5291874ac8fd41ec65f92e4ee03fa63e676f
MD5 hash: 408c466e9f4ab085ac75a6cef926f682
SHA1 hash: 1da5ff998c896d37dfed5dc64a7d2a66572c4c8b

SHA256 hash: 41048ad1af4c1173bbf058d96feccc42ede7b0b54616079615da633fbea47da1
MD5 hash: 9e26c058d2d636b73acd346be0d72d3b
SHA1 hash: 2d768f585d4e338fad8b67ebb9d635927986a150
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments