MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68b4c66699cc30fb74ee54da6ea2e141f8c8ada5cdd438236d0be79bb5f6514e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68b4c66699cc30fb74ee54da6ea2e141f8c8ada5cdd438236d0be79bb5f6514e
SHA3-384 hash: 925bed7d636cd6e1a7644c8a4f4c3e810e80e003e0852aace9189fe5986caf74517b02c56750d70d75d3c909e067eb57
SHA1 hash: 84be66e8cc63c99175da3b4e296c342f3db0f345
MD5 hash: abe851ecc1df39b4002bc9f9d911a2a2
humanhash: twelve-leopard-edward-fish
File name:abe851ecc1df39b4002bc9f9d911a2a2.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'928'761 bytes
First seen:2022-11-11 10:18:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:4unDPXJCMPCIPC9TdkBNleSafIdHkkA1XSKvxtb1I54k:4KDPZzPDPAwlWgdHV0x/Ib
Threatray 2'311 similar samples on MalwareBazaar
TLSH T16B95232279D05471D577143AA6F5A734293DFC216F3888DBA3582F1D8A301D2BA39BB3
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
abe851ecc1df39b4002bc9f9d911a2a2.exe
Verdict:
Malicious activity
Analysis date:
2022-11-11 10:21:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/26d22975-00cd-4d81-8cca-f2f1a808ae4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332399/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.21386.15255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51291/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/636e219b82dd9f2e265389c9/reports/7f5e4dd0-b7ba-4520-a106-8af19fc8c54a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4455df06-c540-4f73-b866-0e56cba11f4c
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1111203
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743901 Sample: aguSHxPxSS.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 72 22 Multi AV Scanner detection for dropped file 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected CryptOne packer 2->26 28 2 other signatures 2->28 9 aguSHxPxSS.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\s5NA.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68b4c66699cc30fb74ee54da6ea2e141f8c8ada5cdd438236d0be79bb5f6514e/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-10 15:10:29 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nc2mmzuzzqypw5hoktng5ixbih4mrlnfzxkdqi3nbptzxnpwkfha._file
Verdict:
malicious
Similar samples:
2df4e3a4d7b6e5f33ef54c73ff86ffc76d8667ff587756a2887bf91687ab46a9
CryptOne
56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d
CryptOne
666be9b4c4842a088d58cb60056335bab68c1745aef6ef843d0506a35cc7484e
CryptOne
72aebf59fb0ae3273d59d9e240c481e2875ce4cd2606ac398866d40375976037
CryptOne
835d2c5f855fe8db6d262b1704d87b27478f917a69d96e3afbbad3af5a571755
CryptOne
b30ce43f28704e02b07399433e0da63b476097f51a06848077ed9bc9c01d0dc2
CryptOne
bf714f661724be71712eba1e8c6660a08e39b2deb3aaa09631fc568ebf7c0d83
CryptOne
c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27
CryptOne
f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
CryptOne
+ 2'301 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221111-mch2eshc4t/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/70cf6a14-bfa3-4f43-b7d6-9624d481af84
Unpacked files
SH256 hash:
6cf04e11a1ae8c4c94963701a6af0288398e7494d8d957a3db29ae27968ffa1c
MD5 hash:
cf76ab7ccb47d6b62caae06a191fcd2b
SHA1 hash:
d8755497e0bcc5b87ac088fd42597447d3fed6b7
Link:
https://www.unpac.me/results/720d47a5-9d30-40f8-a532-be0ffcfb8962/
SH256 hash:
80a58cc1b621a7f80e0f52704ac14c6124dddd82bd03e80ad7c118fa655d4241
MD5 hash:
1803fc101d4dda4644a0d1cae723dfef
SHA1 hash:
69afba6a7bb5d1393d3bd8ea1b111c33bf86df80
Link:
https://www.unpac.me/results/720d47a5-9d30-40f8-a532-be0ffcfb8962/
SH256 hash:
68b4c66699cc30fb74ee54da6ea2e141f8c8ada5cdd438236d0be79bb5f6514e
MD5 hash:
abe851ecc1df39b4002bc9f9d911a2a2
SHA1 hash:
84be66e8cc63c99175da3b4e296c342f3db0f345
Link:
https://www.unpac.me/results/720d47a5-9d30-40f8-a532-be0ffcfb8962/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68b4c66699cc30fb74ee54da6ea2e141f8c8ada5cdd438236d0be79bb5f6514e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 68b4c66699cc30fb74ee54da6ea2e141f8c8ada5cdd438236d0be79bb5f6514e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2405964/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/332399/

Comments