MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573
SHA3-384 hash: 463182a21fbc11ffb4e7523603572f85d8b203b849b74d090752b0cb0ee178917f2c3758a2597a5687d7d79c372fb491
SHA1 hash: 501155c0f66e09470476cdb1e175e7edd518d59e
MD5 hash: cd36c6d6d7e84c635e4c44ac5981733e
humanhash: nineteen-delta-georgia-massachusetts
File name:cd36c6d6d7e84c635e4c44ac5981733e
Download: download sample
File size:3'228'350 bytes
First seen:2021-06-24 11:12:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 49152:tOXz87xAK/Ti6bOw+qOqe+YtYzAxAH+fsb72Gmu5QpQBdtNhBr1+1tUT5:o8dA8C5H+hXH+n307Bd5Br1J
Threatray 4'555 similar samples on MalwareBazaar
TLSH 98E523236912D43BC8A441FCA41DBBBCB56E1E31D794AD2B756ABED0397241338E520F
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd36c6d6d7e84c635e4c44ac5981733e
Verdict:
No threats detected
Analysis date:
2021-06-24 11:16:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0eadb00d-1e24-4f85-bec6-70998fc6e694

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167984/
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/516db961-688d-4057-8174-3ad6dce48bca
Result
Threat name:
CryptOne Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807395
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected CryptOne packer
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439806 Sample: 8uSUge1NdI Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected Mofksys 2->71 73 6 other signatures 2->73 10 8uSUge1NdI.exe 1 3 2->10         started        15 explorer.exe 1 2->15         started        17 svchost.exe 1 2->17         started        19 4 other processes 2->19 process3 dnsIp4 51 192.168.2.1 unknown unknown 10->51 45 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 10->45 dropped 47 C:\Users\user\Desktop\8usuge1ndi.exe, PE32 10->47 dropped 91 Drops executables to the windows directory (C:\Windows) and starts them 10->91 21 icsys.icn.exe 2 10->21         started        25 8usuge1ndi.exe 10->25         started        file5 signatures6 process7 file8 43 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 21->43 dropped 83 Antivirus detection for dropped file 21->83 85 Machine Learning detection for dropped file 21->85 87 Drops executables to the windows directory (C:\Windows) and starts them 21->87 89 Drops PE files with benign system names 21->89 27 explorer.exe 2 14 21->27         started        signatures9 process10 dnsIp11 53 codecmd03.googlecode.com 27->53 55 codecmd02.googlecode.com 27->55 57 3 other IPs or domains 27->57 49 C:\Windows\Resources\spoolsv.exe, MS-DOS 27->49 dropped 93 Antivirus detection for dropped file 27->93 95 System process connects to network (likely due to code injection or exploit) 27->95 97 Machine Learning detection for dropped file 27->97 99 Drops PE files with benign system names 27->99 32 spoolsv.exe 2 27->32         started        file12 signatures13 process14 file15 41 C:\Windows\Resources\svchost.exe, MS-DOS 32->41 dropped 59 Antivirus detection for dropped file 32->59 61 Machine Learning detection for dropped file 32->61 63 Drops executables to the windows directory (C:\Windows) and starts them 32->63 65 Drops PE files with benign system names 32->65 36 svchost.exe 2 32->36         started        signatures16 process17 signatures18 75 Antivirus detection for dropped file 36->75 77 Detected CryptOne packer 36->77 79 Machine Learning detection for dropped file 36->79 81 Drops executables to the windows directory (C:\Windows) and starts them 36->81 39 spoolsv.exe 1 36->39         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573/
Threat name:
Win32.Worm.Mofksys
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 11:13:19 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9
603b8b4a8d2fedea549b4f06b345da9234a06ceab9366175c8de484df155a2b9
6c094a18d2ab75c95ffc39399cece2eebdb8064f91cec40226be037fb20f64d9
7c1eae5e28280689e8db038813d781a47158b6d76f849aeb0c204058dfe94590
9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
e6f4e3b6915c4f1da7393240c506c9b233695e2ec03034d595843ef7463a6331
+ 4'545 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence vmprotect
Link:
https://tria.ge/reports/210624-lm4knsn5r6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573
MD5 hash:
cd36c6d6d7e84c635e4c44ac5981733e
SHA1 hash:
501155c0f66e09470476cdb1e175e7edd518d59e
Link:
https://www.unpac.me/results/b499e1f9-7d15-4a21-85ef-d084b12a152e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394453/
Cape
Cape
https://www.capesandbox.com/analysis/167984/

Comments