MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6
SHA3-384 hash: c0a786789c4bf8a10b996b9a476598a86595a7b17c157959ade1c99df80d294af30ed10772c4c38ce1614c114688743d
SHA1 hash: 992c7f715453de4e82d1066c4e9a0c2fdeb274ee
MD5 hash: 9338caecda68a8a91dba202ba14f4c33
humanhash: violet-eleven-ohio-rugby
File name:9338caecda68a8a91dba202ba14f4c33
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'875'226 bytes
First seen:2022-11-16 04:35:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:v84cUkEC4Nny7UnovyXHaHIsBWdKmVwn/3b:vmUkECiJ3aos0hVwD
Threatray 2'549 similar samples on MalwareBazaar
TLSH T16B952241BDC6A9B2E5310D72161EAA21717CBE312F24CAA7D3D8A46E96310C0F735B77
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9338caecda68a8a91dba202ba14f4c33
Verdict:
Malicious activity
Analysis date:
2022-11-16 04:38:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74b7cea4-9744-40ce-83d0-2f82d8c578bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334615/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/637468b44cfa4744015c61bd/reports/309e99dd-ff50-447f-b66a-4bdc84cc51a3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2007b695-61a8-4829-ba4d-bb56065fde12
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1114493
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747189 Sample: 7OPlKeuYqk.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 80 22 Antivirus detection for dropped file 2->22 24 Multi AV Scanner detection for dropped file 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 3 other signatures 2->28 9 7OPlKeuYqk.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\...\KD1_v2CJ.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 04:22:52 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6ihxsvgf4sazl75tkjpb2ibp5t33dm6veuwldtu5srvoy5euc3a._file
Verdict:
malicious
Similar samples:
132061ecc922628fdf86038d740ef678172a54fe61a0b8822ae3834e8ecb15b5
CryptOne
3cf764f2d741913eaef6b66ec61e9f757bb7f053644ed6d5d534771a6ed787f6
CryptOne
4247573cc4a284836565f3109a6262cfc31ed920f82237db6fdbbc1aace0f616
CryptOne
5a769cc47976851a50ade9008b7e9216c5d92f0a4c15dbbe72ce9197773af811
CryptOne
6a4e8a5b81223afdbe0d39158cb013057e41d5ae6626e1e6c8aef0a5dfd02ca2
CryptOne
6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189
CryptOne
8f4695a7e3322c7e86026120b7162c886d3ad1ea8221c29d47733a462faae377
CryptOne
a1365ab85683efd1a97af1b0b86e8f9f587b2c5fa9efe2f5c705d4e4e74e3ee3
CryptOne
c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607
CryptOne
+ 2'539 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221116-e7874ada7t/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6f4aabbf-583c-4b2c-9a47-2800b33c969a
Unpacked files
SH256 hash:
538ccce2dd4256c844869e089c63a69e2801bc5b83019bc672a1c103516341c6
MD5 hash:
c9853f69bbe1115f6d97e41b0de2c17d
SHA1 hash:
5d0fbd8d6f0818ab24a51981119c80e2f8d1421f
Link:
https://www.unpac.me/results/d7dfcb99-0810-4a46-b584-38aa7488e566/
SH256 hash:
1a3c9b37a0050a3e99feba43484d97912eef2d85c38478fdab45462a241332f3
MD5 hash:
cdbb3877e41a85b52d14e82dfe5de525
SHA1 hash:
068539042a7a47ac52992d5c75565ac0467c14fc
Link:
https://www.unpac.me/results/d7dfcb99-0810-4a46-b584-38aa7488e566/
SH256 hash:
6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6
MD5 hash:
9338caecda68a8a91dba202ba14f4c33
SHA1 hash:
992c7f715453de4e82d1066c4e9a0c2fdeb274ee
Link:
https://www.unpac.me/results/d7dfcb99-0810-4a46-b584-38aa7488e566/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f907bcaa62f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2412573/
Cape
Cape
https://www.capesandbox.com/analysis/334615/

Comments


Avatar
zbet commented on 2022-11-16 04:35:41 UTC

url : hxxp://pornhub-viewer.fun/331_331/setup331.exe