MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e1b3e39610c4af7924e0b1d34dedc0dd29d8da4752d97f9a6dc16a0b674057e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e1b3e39610c4af7924e0b1d34dedc0dd29d8da4752d97f9a6dc16a0b674057e
SHA3-384 hash: f63e043c4c07372ea85acf5c6d49b51991ce5e299fb752c389b16adf628949aaa79cf4ed0fd19080f7bea8d4e998a895
SHA1 hash: 677e1d81b106416ad3fc126be3a1153371b400c7
MD5 hash: bf0cb9501b8a95e8524d0e9acaf69b07
humanhash: potato-washington-friend-lake
File name:bf0cb9501b8a95e8524d0e9acaf69b07
Download: download sample
Signature CryptOne
Create hunting rule
File size:2'052'100 bytes
First seen:2022-11-20 08:36:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 033fc3209214566af0e06e5863a94256 (5 x CryptOne)
ssdeep 49152:/eZBYBfJXAEgQlICaaTJhZHAoq6vnwGkA/aPCV3d:/eZBYBfKEmV81qgcASo
Threatray 1'954 similar samples on MalwareBazaar
TLSH T1CB952312B7D484B2D5631C324E342732AABDB9701F868DCFC784199EAD305C26E2776B
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter zbetcheckin
Tags:32 CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bf0cb9501b8a95e8524d0e9acaf69b07
Verdict:
Malicious activity
Analysis date:
2022-11-20 08:38:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b34b6f8-7cb3-4233-b422-920b37edf0a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336349/
Detection(s):
SecuriteInfo.com.Trojan.Ciusky.Gen.6.13535.7007.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6379e732fe7e1beee2418eff/reports/f72e16f4-c3c9-4cd0-9d0e-83ddf5a598aa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0b0feae8-8a9b-458c-90e9-e3aabcc37099
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1117524
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e1b3e39610c4af7924e0b1d34dedc0dd29d8da4752d97f9a6dc16a0b674057e/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 08:37:15 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pynt4olbbrfppesobmotjxw4bxjj3dneouwzp6ng3qlkbntuav7a._file
Verdict:
malicious
Similar samples:
1608dd48e7863935e8fac270049bfb7ea9d622538082ce76d28c1677e53e90bf
CryptOne
476a7e4c2495b79b64e20453751128f72379373127153204f2d9ce951d4d9bf4
CryptOne
562058da0bee84ec90b8f9e53f84893f18be4c87f4199db986cb8637c2a525da
CryptOne
996c4e5418405912b929e7916def0a6c0aaedf77065ec5725f4782b00fb1464e
CryptOne
a62d084b20038628de0a95906a8e9fed08ef5d345de795bc438eaeacbd6123af
CryptOne
d5234d480c203df8e7f07086c0fb4c39a6a11909dfe2e5e33b98cb382d2e1964
CryptOne
d66671894b4128adf6ff365ef0769f831bfe4738c7452f1e094b0e35dda94b8a
CryptOne
ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83
CryptOne
+ 1'944 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221120-kh522ahg5s/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c1a109bb-10cf-4e54-9b1d-df6758a8e542
Unpacked files
SH256 hash:
4c1148be7dd1e2d3130c6c0be773c93478212615ad1ef303fcd4003bb12e1b1d
MD5 hash:
4f0a020c3763f633fc4502273897f3a6
SHA1 hash:
5a179f5ea7b210eadb0c18442d7120d0d217de10
Link:
https://www.unpac.me/results/b3b2a585-9141-463b-a52c-28fa40b44d64/
SH256 hash:
44335fd013013fad66d1f2155055099a6f34cdd2aa56851aeca22c3623bf6c1c
MD5 hash:
4aeb33760c937a9ebacc87b56c48f86f
SHA1 hash:
ccfc67b67aebc71554b05d27c93eda2957d90cf0
Link:
https://www.unpac.me/results/b3b2a585-9141-463b-a52c-28fa40b44d64/
SH256 hash:
7e1b3e39610c4af7924e0b1d34dedc0dd29d8da4752d97f9a6dc16a0b674057e
MD5 hash:
bf0cb9501b8a95e8524d0e9acaf69b07
SHA1 hash:
677e1d81b106416ad3fc126be3a1153371b400c7
Link:
https://www.unpac.me/results/b3b2a585-9141-463b-a52c-28fa40b44d64/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e1b3e39610c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 7e1b3e39610c4af7924e0b1d34dedc0dd29d8da4752d97f9a6dc16a0b674057e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2427357/
Cape
Cape
https://www.capesandbox.com/analysis/336349/

Comments


Avatar
zbet commented on 2022-11-20 08:36:44 UTC

url : hxxp://cityoftransformation.com/16/data64_4.exe