Threat name:
CryptOne, GCleaner, SnappyClient, Stealc
Alert
Classification:
troj.adwa.spyw.expl.evad.mine
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potentially malicious time measurement code found
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Disable power options
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses powercfg.exe to modify the power settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected CryptOne packer
Yara detected Powershell decode and execute
Yara detected SnappyClient
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
behaviorgraph
top1
dnsIp2
2
Behavior Graph
ID:
1937464
Sample:
setup_euone.bin.exe
Startdate:
04/07/2026
Architecture:
WINDOWS
Score:
100
153
45.91.200.135
PODAONLV
Netherlands
2->153
155
185.156.73.98
FDN3UA
Netherlands
2->155
157
4 other IPs or domains
2->157
173
Suricata IDS alerts
for network traffic
2->173
175
Found malware configuration
2->175
177
Malicious sample detected
(through community Yara
rule)
2->177
179
30 other signatures
2->179
14
setup_euone.bin.exe
2->14
started
17
updater.exe
2->17
started
20
powershell.exe
2->20
started
signatures3
process4
file5
233
Overwrites code with
unconditional jumps
- possibly settings
hooks in foreign process
14->233
235
Hijacks the control
flow in another process
14->235
237
Contains functionality
to inject code into
remote processes
14->237
247
4 other signatures
14->247
22
svchost.exe
38
14->22
started
131
C:\Windows\Temp\mkozkjcwhknq.sys, PE32+
17->131
dropped
239
Antivirus detection
for dropped file
17->239
241
Multi AV Scanner detection
for dropped file
17->241
243
Tries to detect sandboxes
and other dynamic analysis
tools (window names)
17->243
249
7 other signatures
17->249
27
powershell.exe
17->27
started
29
cmd.exe
17->29
started
31
sc.exe
17->31
started
33
sc.exe
17->33
started
245
Creates files in the
system32 config directory
20->245
35
conhost.exe
20->35
started
signatures6
process7
dnsIp8
167
158.94.209.95, 49712, 49714, 49716
OMEGATECH-ASSC
Netherlands
22->167
169
drive.usercontent.google.com
142.251.215.161, 443, 49710, 49721
GOOGLE-GoogleLLCUS
United States
22->169
139
C:\Users\user\AppData\...\sU3fAeAuQRb9V.exe, PE32+
22->139
dropped
141
C:\Users\user\AppData\...\xmlslM8AKnTq.exe, PE32+
22->141
dropped
143
C:\Users\user\AppData\...\dQGhg3AtPT26.exe, PE32+
22->143
dropped
145
6 other malicious files
22->145
dropped
195
System process connects
to network (likely due
to code injection or
exploit)
22->195
197
Unusual module load
detection (module proxying)
22->197
37
9gR3RtSLwbz.exe
1
16
22->37
started
42
B0PSyNYQtK.exe
1
22->42
started
44
dQGhg3AtPT26.exe
22->44
started
56
4 other processes
22->56
199
Loading BitLocker PowerShell
Module
27->199
46
conhost.exe
27->46
started
48
conhost.exe
29->48
started
50
wusa.exe
29->50
started
52
conhost.exe
31->52
started
54
conhost.exe
33->54
started
file9
signatures10
process11
dnsIp12
161
juj.realmadridiran.news
172.67.189.111, 443, 49719, 49724
CLOUDFLARENET-CloudflareIncUS
Canada
37->161
163
dutalogambone.com
109.106.254.249, 49733, 80
AS-HOSTINGERCY
Singapore
37->163
165
telegram.me
149.154.167.99, 443, 49717
TELEGRAMVG
United Kingdom
37->165
133
C:\Users\user\AppData\Local\...\4ff4a178.exe, PE32
37->133
dropped
135
C:\Users\user\AppData\Local\...\0be9fca7.exe, PE32+
37->135
dropped
181
Antivirus detection
for dropped file
37->181
183
Multi AV Scanner detection
for dropped file
37->183
185
Tries to harvest and
steal Putty / WinSCP
information (sessions,
passwords, etc)
37->185
193
8 other signatures
37->193
58
cmd.exe
37->58
started
60
cmd.exe
37->60
started
137
C:\Users\user\AppData\Local\959827.vbs, ASCII
42->137
dropped
187
Contains functionality
to registers a callback
to get notified when
the system is suspended
or resumed (often done
by Miners)
42->187
189
Potentially malicious
time measurement code
found
42->189
191
Wscript called in batch
mode (surpress errors)
42->191
62
wscript.exe
1
42->62
started
65
conhost.exe
56->65
started
67
conhost.exe
56->67
started
69
conhost.exe
56->69
started
71
conhost.exe
56->71
started
file13
signatures14
process15
signatures16
73
0be9fca7.exe
58->73
started
76
conhost.exe
58->76
started
78
4ff4a178.exe
60->78
started
81
conhost.exe
60->81
started
251
Suspicious powershell
command line found
62->251
253
Wscript starts Powershell
(via cmd or directly)
62->253
255
Windows Scripting host
queries suspicious COM
object (likely to drop
second stage)
62->255
257
2 other signatures
62->257
83
powershell.exe
14
15
62->83
started
process17
dnsIp18
201
Antivirus detection
for dropped file
73->201
203
Multi AV Scanner detection
for dropped file
73->203
205
Suspicious powershell
command line found
73->205
221
4 other signatures
73->221
86
powershell.exe
73->86
started
147
C:\ProgramData\Chrome141\Chrome140.exe, PE32
78->147
dropped
207
Detected unpacking (changes
PE section rights)
78->207
209
Hides threads from debuggers
78->209
211
Tries to detect sandboxes
/ dynamic malware analysis
system (registry check)
78->211
159
62.60.226.243, 49720, 80
FEMOITGB
Germany
83->159
213
Writes to foreign memory
regions
83->213
215
Suspicious execution
chain found
83->215
217
Found suspicious powershell
code related to unpacking
or dynamic code loading
83->217
219
Injects a PE file into
a foreign processes
83->219
88
RegAsm.exe
83->88
started
92
conhost.exe
83->92
started
file19
signatures20
process21
dnsIp22
94
0be9fca7.exe
86->94
started
98
conhost.exe
86->98
started
171
64.224.17.118, 49723, 80
VIRTUO-12651980CANADAINCCA
Belgium
88->171
223
Tries to harvest and
steal browser information
(history, passwords,
etc)
88->223
225
Writes to foreign memory
regions
88->225
227
Allocates memory in
foreign processes
88->227
229
6 other signatures
88->229
100
chrome.exe
88->100
started
102
chrome.exe
88->102
started
104
chrome.exe
88->104
started
signatures23
process24
file25
149
C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+
94->149
dropped
151
C:\Windows\System32\drivers\etc\hosts, ASCII
94->151
dropped
259
Modifies the context
of a thread in another
process (thread injection)
94->259
261
Modifies the hosts file
94->261
263
Adds a directory exclusion
to Windows Defender
94->263
265
5 other signatures
94->265
106
powershell.exe
94->106
started
109
cmd.exe
94->109
started
111
sc.exe
94->111
started
113
13 other processes
94->113
signatures26
process27
signatures28
231
Loading BitLocker PowerShell
Module
106->231
115
conhost.exe
106->115
started
117
conhost.exe
109->117
started
119
wusa.exe
109->119
started
121
conhost.exe
111->121
started
123
conhost.exe
113->123
started
125
conhost.exe
113->125
started
127
conhost.exe
113->127
started
129
9 other processes
113->129
process29
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.