MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4
SHA3-384 hash: 07321e6848bbe7a337d16dcf71fabac292c87b711160ae3ea371d5e8a29d052dff2e03f57cd3e45675c8191cea9a9eb3
SHA1 hash: 56ae34ee39cae887a559e9d006d5f43c51cb89dd
MD5 hash: 631f70675eb06a211321944a2e742623
humanhash: mango-jig-hamper-freddie
File name:631f70675eb06a211321944a2e742623
Download: download sample
Signature CryptOne
Create hunting rule
File size:2'453'793 bytes
First seen:2022-10-23 18:46:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 033fc3209214566af0e06e5863a94256 (5 x CryptOne)
ssdeep 49152:/eZBYBfJXAEgnUe9Altwt12Uo6mrhAivwOcE4hPJadZVB7w:/eZBYBfKEgn3N3/GdwOO4PC
Threatray 1'259 similar samples on MalwareBazaar
TLSH T151B523027BC94873EE6319322B295B67BE3CF8301F559EC7DB91986E5C219C09732762
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter zbetcheckin
Tags:32 CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
263f815d775c9ac14a76ed66ca74f148.exe
Verdict:
Malicious activity
Analysis date:
2022-10-23 17:51:57 UTC
Tags:
loader opendir trojan rat redline
Link:
https://app.any.run/tasks/08ffcfc8-fb94-4387-932a-fc7c1eab0846

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323054/
Detection(s):
SecuriteInfo.com.Trojan.Ciusky.Gen.6.13535.7007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/44770/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63558c2b898b0652a4b97bc6/reports/f854f6d9-fc1e-44c5-80eb-752a917c3756/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7db14b20-f355-4663-901f-fed6b729ad81
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1096007
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 728648 Sample: KEuyq9yOnM.exe Startdate: 23/10/2022 Architecture: WINDOWS Score: 88 22 Antivirus detection for dropped file 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 Multi AV Scanner detection for dropped file 2->26 28 4 other signatures 2->28 9 KEuyq9yOnM.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\18BnTN.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4/
Threat name:
Win32.Infostealer.QBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 19:28:05 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5vh4tbesw3zwzhcarjxkeji64rxsnzre4ktebhs3hhjkhkntp2a._file
Verdict:
malicious
Similar samples:
10f1d986b6f2654efc7755aa433247b63228ce237a97f9eb29bfb74d0b602acd
CryptOne
2709f083327060b896501645e3263462cf0e329645e41f6d4556276904c51856
CryptOne
301a3e665000c99ab655a74dbf9408de24875866528be4f6d28e83490c19305b
CryptOne
3a0597925d2b7686d2386591f60a7abe686c0e10e2e164405270cc0d83e4b128
CryptOne
51986665322a79945ae565a363862e8007b3be459855f27c11c062da0eb59db8
CryptOne
996c4e5418405912b929e7916def0a6c0aaedf77065ec5725f4782b00fb1464e
CryptOne
d66671894b4128adf6ff365ef0769f831bfe4738c7452f1e094b0e35dda94b8a
CryptOne
e9f669028697238e2a9a181b9e409909695d03eccd09a35db30729fb51952527
CryptOne
ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83
CryptOne
+ 1'249 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221023-xe7gxabhgp/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
f3c0a82522b1805c527571e0ac8e7f2dbba8c1b1cafc61c23c77422804978c46
MD5 hash:
ba04e489b9c4b722e9a678d43b073028
SHA1 hash:
0c12b8769b69dbfd6d5ff54502fe4f7396b32421
Link:
https://www.unpac.me/results/15af3d8f-f48c-4e58-bb89-a5d91405d5ea/
SH256 hash:
92c0515956cdfdc74f253feace228cdf8f6aac0f4f2dc805068c4a85d76dccbc
MD5 hash:
5d98f967d67a42e4bb080da3bc63d817
SHA1 hash:
63b1869f146f6c521ae4cf1487b4647a5eebc9cc
Link:
https://www.unpac.me/results/15af3d8f-f48c-4e58-bb89-a5d91405d5ea/
SH256 hash:
476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4
MD5 hash:
631f70675eb06a211321944a2e742623
SHA1 hash:
56ae34ee39cae887a559e9d006d5f43c51cb89dd
Link:
https://www.unpac.me/results/15af3d8f-f48c-4e58-bb89-a5d91405d5ea/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/476a7e4c2495/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2381947/
Cape
Cape
https://www.capesandbox.com/analysis/323054/

Comments


Avatar
zbet commented on 2022-10-23 18:46:40 UTC

url : hxxp://bilalenterprise.com/16/data64_6.exe