MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64f05e1fb698fd86a92a27ae0625d41aee90fb27ff0912cdd57f445a632ee8f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptOne


Vendor detections: 9



SHA256 hash: 64f05e1fb698fd86a92a27ae0625d41aee90fb27ff0912cdd57f445a632ee8f3
SHA3-384 hash: a23933a129c7fd50f5413ff823d3f51b238106b779428d5e4e51a0604c2e5997da7dd46e890801d35218bc8f825a81a4
SHA1 hash: 80dc4c5c02e7d39490389f0b639e80d42ea62f24
MD5 hash: 3b0d45d7af40fbfc6366ce8c56662851
humanhash: magnesium-uniform-minnesota-twelve
File name: 64f05e1fb698fd86a92a27ae0625d41aee90fb27ff0912cdd57f445a632ee8f3
Signature: CryptOne
File size: 17'650'597 bytes
First seen: 2022-10-11 07:11:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep: 393216:V5o4VeiYWj5C8uC8Sd59g4//CqgaDBPylTQ0aZpMd+Ctoq:VUjm4C8G59g+Ia1nZpMdD1
Threatray: 4 similar samples on MalwareBazaar
TLSH: T1350733122941486ED8860B700CED7D58A86F7F1C763438D622D7BAF4D771A027EA1E6F
TrID: 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon: ccc0a23333b2c0cc (2 x CryptOne)
Reporter: JAMESWT_WT
Tags: CryptOne exe fake outbyte drive rupdater

Intelligence


File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Setting a single autorun event
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
overlay packed shell32.dll swisyn virus
Result
Verdict:
MALICIOUS
Result
Threat name:
CryptOne, Mofksys
Detection:
malicious
Classification:
spre.evad
Score:
60 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Mofksys
Behaviour
Behavior Graph (ID: 720295; sample: Pdb5q2RdXm.exe; start date: 11/10/2022; architecture: WINDOWS; score: 60)

Process tree (as reconstructed from the graph):
Pdb5q2RdXm.exe
  dropped: C:\Windows\Resources\Themes\icsys.icn.exe (MS-DOS); C:\Users\user\Desktop\pdb5q2rdxm.exe (PE32)
  signature: Drops executables to the windows directory (C:\Windows) and starts them
  icsys.icn.exe
    network: 192.168.2.1 unknown unknown
    dropped: C:\Windows\Resources\Themes\explorer.exe (MS-DOS)
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Drops PE files with benign system names
    explorer.exe
      network: codecmd03.googlecode.com; codecmd02.googlecode.com; googlecode.l.googleusercontent.com 142.250.102.82 (ports 49702, 49703, 49704; GOOGLEUS, United States)
      dropped: C:\Windows\Resources\spoolsv.exe (MS-DOS)
      signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Machine Learning detection for dropped file; Drops PE files with benign system names
      spoolsv.exe
        dropped: C:\Windows\Resources\svchost.exe (MS-DOS)
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Drops PE files with benign system names
        svchost.exe
          signatures: Antivirus detection for dropped file; Detected CryptOne packer; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
          spoolsv.exe
  pdb5q2rdxm.exe
    dropped: C:\Users\user\AppData\Local\...\vclimg250.bpl (PE32); C:\Users\user\AppData\Local\...\vclie250.bpl (PE32); C:\Users\user\AppData\Local\...\vcl250.bpl (PE32); 12 other malicious files
    Installer.exe
svchost.exe
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
  MpCmdRun.exe
    conhost.exe
svchost.exe (injected)
  consent.exe
    signature: Writes to foreign memory regions
11 other processes
  signature: Query firmware table information (likely to detect VMs)

Network contacts from the root node: outbyte.com; googlecode.l.googleusercontent.com; codecmd01.googlecode.com
Root-node signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mofksys; 2 other signatures
Threat name:
Win32.Trojan.Golsys
Status:
Malicious
First seen:
2022-10-07 00:23:46 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
26 of 26 (100.00%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
10/10
Tags:
discovery evasion persistence spyware stealer
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies visibility of hidden/system files in Explorer
Unpacked files

SHA256: d9157561a7f17eed716c5adef43e7858c337f4bb445f52998973177bb53aa421
MD5: 71983610cb287a69e4b9a20289b88ee5
SHA1: a101db269e32c03c62bd1934f90d82f7f048c0cb

SHA256: ab3d0581a61c463ad899ddc6690848a82a1c565936253d17d37ae1e98c74af1d
MD5: 7e5f18b19d5948f844520ad373b1c858
SHA1: 35543175401bef22975c89891a4487ae78039892

SHA256: 420e397d83ce387873c563246229176c9e1a9e47b01104762d9c1fe6f448d9b5
MD5: f7e28b6d4038e1642abdb46c2ddbb738
SHA1: e6c7ff1488aa006b976b49a999807192dea76d0a

SHA256: 8ea8cbc9d6695fda9c171809d995750dad6b368b7f18e493d20b029a14aacb0d
MD5: b257637fa9454b764a492412fbd469b6
SHA1: d29772f628f511438cd1e8d971ea8d672c485a30

SHA256: 020dfd6b1bb25b683182ef0fbca93cf43fcadf27df3b0d42de7f81f6f32fa3ab
MD5: ac809ebd240a35b07b7d2d7c27e6c8ac
SHA1: 663f5ea6a7d0addf78b2a5b11b36075ad43ac150

SHA256: 8b7a43124dc6ed1b594c7d3f7efbfe5a84f6fd8a7aa7b7db8ef46961c59d6988
MD5: cbc9757fc0c28c3500ec6b311a623d56
SHA1: 095c3eefe7ea9abc67382a0f1bde2f3989b3726a

SHA256: 451de1fe42036a57a871046a22957f64e8d527adc680aa46faf0f74da700f35b
MD5: c3a76c2571b85d47790d6cb372d71c73
SHA1: 301edcc09fe4ad0da083e1bde979004161b552eb

SHA256: 0b4fc51171f0e057784a7e3290f6406fed0599832418eeef9dfe307730e8b2b5
MD5: b14e9cd1c4bc4d199082114cd36128ca
SHA1: 84c252dde5ea12ba81a9fa8c0ba63bd9b5760852

SHA256: 64f05e1fb698fd86a92a27ae0625d41aee90fb27ff0912cdd57f445a632ee8f3
MD5: 3b0d45d7af40fbfc6366ce8c56662851
SHA1: 80dc4c5c02e7d39490389f0b639e80d42ea62f24
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments