MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45b9c1f49df2f13c878a39b37df28a41b1be765654d55b891868f33e32eb30fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45b9c1f49df2f13c878a39b37df28a41b1be765654d55b891868f33e32eb30fd
SHA3-384 hash: 1fc0a02b7cb6ed2d5262595dc026bb227fdbf69f5caf4dfd38ca08728b96814f2aaa38ade814a377c61aeea38d2a3046
SHA1 hash: a4cc17af77919d491ec273d7099cc1dac53cd2fd
MD5 hash: fcaab4578288993509eab370cd8fa357
humanhash: johnny-seventeen-london-oven
File name:fcaab4578288993509eab370cd8fa357
Download: download sample
File size:162'890 bytes
First seen:2021-06-24 11:24:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVX5X2SCoD:UVqoCl/YgjxEufVU0TbTyDDalRhsoD
Threatray 5'122 similar samples on MalwareBazaar
TLSH C7F31A27BE50853EE901C5F26876E629BB260E3A5BA1ED077295BF013AB504375F130F
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fcaab4578288993509eab370cd8fa357
Verdict:
No threats detected
Analysis date:
2021-06-24 11:26:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/770b03fd-5c2a-465d-914c-27e3daa1f7c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167988/
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73ff59e6-41ce-4247-81b4-6b5f525d627d
Result
Threat name:
CryptOne Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807411
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439822 Sample: 1M7v308HK6 Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected Mofksys 2->71 73 5 other signatures 2->73 10 1M7v308HK6.exe 1 3 2->10         started        15 explorer.exe 1 2->15         started        17 svchost.exe 1 2->17         started        19 4 other processes 2->19 process3 dnsIp4 51 192.168.2.1 unknown unknown 10->51 45 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 10->45 dropped 47 C:\Users\user\Desktop\1m7v308hk6.exe, PE32 10->47 dropped 91 Drops executables to the windows directory (C:\Windows) and starts them 10->91 21 icsys.icn.exe 2 10->21         started        25 1m7v308hk6.exe 10->25         started        file5 signatures6 process7 file8 43 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 21->43 dropped 83 Antivirus detection for dropped file 21->83 85 Machine Learning detection for dropped file 21->85 87 Drops executables to the windows directory (C:\Windows) and starts them 21->87 89 Drops PE files with benign system names 21->89 27 explorer.exe 2 14 21->27         started        signatures9 process10 dnsIp11 53 codecmd03.googlecode.com 27->53 55 codecmd02.googlecode.com 27->55 57 2 other IPs or domains 27->57 49 C:\Windows\Resources\spoolsv.exe, MS-DOS 27->49 dropped 93 Antivirus detection for dropped file 27->93 95 System process connects to network (likely due to code injection or exploit) 27->95 97 Machine Learning detection for dropped file 27->97 99 Drops PE files with benign system names 27->99 32 spoolsv.exe 2 27->32         started        file12 signatures13 process14 file15 41 C:\Windows\Resources\svchost.exe, MS-DOS 32->41 dropped 59 Antivirus detection for dropped file 32->59 61 Machine Learning detection for dropped file 32->61 63 Drops executables to the windows directory (C:\Windows) and starts them 32->63 65 Drops PE files with benign system names 32->65 36 svchost.exe 2 32->36         started        signatures16 process17 signatures18 75 Antivirus detection for dropped file 36->75 77 Detected CryptOne packer 36->77 79 Machine Learning detection for dropped file 36->79 81 Drops executables to the windows directory (C:\Windows) and starts them 36->81 39 spoolsv.exe 1 36->39         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45b9c1f49df2f13c878a39b37df28a41b1be765654d55b891868f33e32eb30fd/
Threat name:
Win32.Worm.Mofksys
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 11:24:21 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
603b8b4a8d2fedea549b4f06b345da9234a06ceab9366175c8de484df155a2b9
6c094a18d2ab75c95ffc39399cece2eebdb8064f91cec40226be037fb20f64d9
7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573
90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9
9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1
+ 5'112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210624-v8wgevqw2a/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
f9f5b3d57857a08197c9f1e4df887399d2b3a996d41917a70a6c70e58b7c7fd0
MD5 hash:
001bed1d76683842c1a1d66692ebdf83
SHA1 hash:
1c5aff60561c163a8dbf5ae5ff4c104efdb7be85
Link:
https://www.unpac.me/results/4f036ee1-b6d5-4bf6-a31c-8eafcdd9947c/
SH256 hash:
45b9c1f49df2f13c878a39b37df28a41b1be765654d55b891868f33e32eb30fd
MD5 hash:
fcaab4578288993509eab370cd8fa357
SHA1 hash:
a4cc17af77919d491ec273d7099cc1dac53cd2fd
Link:
https://www.unpac.me/results/4f036ee1-b6d5-4bf6-a31c-8eafcdd9947c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45b9c1f49df2f13c878a39b37df28a41b1be765654d55b891868f33e32eb30fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 45b9c1f49df2f13c878a39b37df28a41b1be765654d55b891868f33e32eb30fd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394473/
Cape
Cape
https://www.capesandbox.com/analysis/167988/

Comments