MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa7977427298708c795293c12fefc41483e4f37485685549130b4ad1bdac554. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptOne


Vendor detections: 14



SHA256 hash: 7fa7977427298708c795293c12fefc41483e4f37485685549130b4ad1bdac554
SHA3-384 hash: 61ad5a05480d29d15966a9339643d1e2ea970b81abc8f0e0af06e2f172354b75933ec4f83b326f791853d1b9114eb82d
SHA1 hash: c1baa50000127cd3260652444694f25ae9532b4a
MD5 hash: 6ea76bdd96b89028f654972bfb4adb8a
humanhash: robert-black-september-uranus
File name: Hesap Hareketleri 17-02-2025.exe
Download: download sample
Signature: CryptOne
File size: 1'740'235 bytes
First seen: 2025-02-17 02:56:26 UTC
Last seen: 2025-02-17 08:48:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep: 49152:dYlu0c++OCvkGs9FayQz/yNHVJdpP4BP9CpY9:yAB3vkJ9Bqj8C
Threatray: 73 similar samples on MalwareBazaar
TLSH: T1EC85C012B7DCC265C66692B2BE29B741BE7B3C210670BC4B1F941E797870222727D71B
TrID: 33.9% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
      23.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      17.7% (.EXE) InstallShield setup (43053/19/16)
      12.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      4.3% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika: pebin
File icon (PE): (icon image)
dhash icon: 65626363c383e261 (2 x SnakeKeylogger, 1 x MassLogger, 1 x AveMariaRAT)
Reporter: threatcat_ch
Tags: CryptOne exe
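The imphash above is the pivot that links this upload to SnakeKeylogger and MassLogger uploads. As an added example (not part of the MalwareBazaar page or its tooling), here is how that value is derived: the import table's module and function names, normalised and joined in import order, then hashed with MD5, following the scheme pefile implements. The import list is constructed for illustration (it borrows the MSVBVM60.DLL names BLint lists further down this page plus an invented ordinal import), so it does not reproduce the sample's own imphash; the ordinal-to-name mapping pefile applies for ws2_32/wsock32/oleaut32 is omitted.

```python
import hashlib

# Constructed import table for illustration only. It reuses the MSVBVM60.DLL
# names BLint reports for this sample plus an invented ordinal import, so the
# result is NOT the 98f67c55... imphash shown on the page.
SAMPLE_IMPORTS = [
    ("MSVBVM60.DLL", ["__vbaCopyBytes", "__vbaSetSystemError", "__vbaExitProc",
                      "__vbaObjSetAddref", "EVENT_SINK_AddRef", "__vbaFileOpen"]),
    ("KERNEL32.dll", [100]),  # an integer stands for an import by ordinal (assumed)
]

# Only these extensions are stripped from the module name; anything else
# (e.g. ".drv") is kept, which is one reason imphash is sensitive to spelling.
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Canonical string that imphash is the MD5 of.

    For every import, in import-table order:
      module name lowercased and stripped of .dll/.ocx/.sys
      function name lowercased; ordinal imports rendered as ordNNN
      written as "module.function", entries joined with commas.
    Simplification: pefile resolves ordinals of ws2_32/wsock32/oleaut32 to
    their known names before hashing; this version keeps them as ordNNN.
    """
    parts = []
    for module, functions in imports:
        name = module.lower()
        for ext in STRIPPED_EXTENSIONS:
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        for func in functions:
            fname = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{name}.{fname}")
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the canonical import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash covers only the import table, a packed sample's imphash describes the outer stub rather than the payload. That is what makes the value a packer-level pivot here: 45 uploads across three different families share it, consistent with the TrID verdict of a Visual Basic 6 executable and the CryptOne signature.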

Intelligence

File Origin
# of uploads: 2
# of downloads: 576
Origin country: CH

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Hesap Hareketleri 17-02-2025.exe
Verdict: Malicious activity
Analysis date: 2025-02-17 02:58:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: autorun autoit emotet swisyn
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Launching a process
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne, Remcos
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Drops VBS files to the startup folder
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1616657
Sample: Hesap Hareketleri 17-02-2025.exe
Start date: 17/02/2025
Architecture: WINDOWS
Score: 100

Top-level network nodes: 176.65.144.154 (PALTEL-ASPALTELAutonomousSystemPS, Germany); zxq.net; 6 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures

Process tree (node numbers are the graph's own):
12 Hesap Hareketleri 17-02-2025.exe (started from the graph root)
    drops: C:\Users\...\hesap hareketleri 17-02-2025.exe (PE32); C:\Users\user\AppData\Local\icsys.icn.exe (PE32)
    signatures: Installs a global keyboard hook
    starts: 18 icsys.icn.exe; 22 hesap hareketleri 17-02-2025.exe
16 explorer.exe (started from the graph root)
18 icsys.icn.exe
    drops: C:\Windows\System\explorer.exe (PE32)
    signatures: Antivirus detection for dropped file; Drops PE files with benign system names; Installs a global keyboard hook
    starts: 24 explorer.exe
22 hesap hareketleri 17-02-2025.exe
    drops: C:\Users\user\AppData\Local\...\extrorsal.exe (PE32)
    signatures: Binary is likely a compiled AutoIt script file
    starts: 29 extrorsal.exe
24 explorer.exe
    network: vccmd01.zxq.net 51.81.194.202 (ports 443, 49734, 49735; OVHFR, United States); 142.251.173.82 (ports 49733, 49745, 49750; GOOGLEUS, United States); googlecode.l.googleusercontent.com 64.233.167.82 (ports 49731, 49732, 49741; GOOGLEUS, United States)
    drops: C:\Windows\System\spoolsv.exe (PE32)
    signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Creates an undocumented autostart registry key; 2 other signatures
    starts: 31 spoolsv.exe
29 extrorsal.exe
    drops: C:\Users\user\AppData\...\extrorsal.vbs (data)
    signatures: Binary is likely a compiled AutoIt script file; Drops VBS files to the startup folder; Switches to a custom stack to bypass stack traces
    starts: 35 extrorsal.exe; 37 svchost.exe
31 spoolsv.exe
    drops: C:\Windows\System\svchost.exe (PE32)
    signatures: Antivirus detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Drops PE files with benign system names; Installs a global keyboard hook
    starts: 39 svchost.exe
35 extrorsal.exe
    signatures: Binary is likely a compiled AutoIt script file
    starts: 43 extrorsal.exe; 45 svchost.exe
39 svchost.exe
    drops: C:\Users\user\AppData\Roaming\mrsys.exe (PE32); C:\Users\user\AppData\Local\stsys.exe (PE32)
    signatures: Antivirus detection for dropped file; Detected CryptOne packer; Creates an undocumented autostart registry key; 3 other signatures
    starts: 47 spoolsv.exe; 50 at.exe; 52 at.exe; 56 (22 other processes)
43 extrorsal.exe
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    starts: 54 svchost.exe
50 at.exe
    starts: 58 conhost.exe
52 at.exe
    starts: 60 conhost.exe
54 svchost.exe
    signatures: Drops executables to the windows directory (C:\Windows) and starts them; Installs a global keyboard hook
    starts: 62 explorer.exe
56 (22 other processes)
    starts: 65 conhost.exe; 67 conhost.exe; 69 conhost.exe; 71 (19 other processes)
62 explorer.exe
    signatures: Installs a global keyboard hook
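The process tree above is what the listed Sigma matches are keyed on: system binary names (explorer.exe, spoolsv.exe, svchost.exe) dropped into and launched from C:\Windows\System instead of C:\Windows or C:\Windows\System32, at.exe spawned by the fake svchost.exe, and a .vbs written to the user's Startup folder. As an added example (not the vendor's Sigma rules, which are not reproduced here), the following applies the same logic to constructed Sysmon-style events modelled on that tree. Every path, the Desktop/Example folders, the at.exe command line and the Startup folder location are assumptions for the demonstration, not values recovered from the sandbox run.

```python
from pathlib import PureWindowsPath

# Where Windows expects these image names to live (lowercase). The same name
# anywhere else is the anomaly the "location anomaly" rules fire on. Kept
# deliberately narrow; a production rule needs exclusions (WinSxS, servicing).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")
STARTUP_FOLDER_MARK = "\\start menu\\programs\\startup\\"

# CONSTRUCTED Sysmon-style events (EventID 1 = process create, 11 = file
# create) modelled on the sandbox process tree. Paths and command lines are
# assumptions for illustration.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\Hesap Hareketleri 17-02-2025.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\icsys.icn.exe",
     "ParentImage": r"C:\Users\user\Desktop\Hesap Hareketleri 17-02-2025.exe", "CommandLine": ""},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\icsys.icn.exe",
     "TargetFilename": r"C:\Windows\System\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System\explorer.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\icsys.icn.exe", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\Windows\System\spoolsv.exe",
     "ParentImage": r"C:\Windows\System\explorer.exe", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\Windows\System\svchost.exe",
     "ParentImage": r"C:\Windows\System\spoolsv.exe", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\Windows\System32\at.exe",
     "ParentImage": r"C:\Windows\System\svchost.exe",
     "CommandLine": r"at.exe 09:00 /interactive C:\Windows\System\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Example\extrorsal.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\extrorsal.vbs"},
    # Benign control: the real service host, started by services.exe with -k.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]


def _split(path):
    """(lowercase basename, lowercase parent directory) of a Windows path."""
    p = PureWindowsPath(path)
    return p.name.lower(), str(p.parent).lower()


def detect(events):
    """Run the location, AT-job, startup-script and svchost checks; return (rule, evidence) pairs."""
    alerts = []
    for ev in events:
        name, folder = _split(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        if ev["EventID"] == 1:
            expected = EXPECTED_DIRS.get(name)
            if expected is not None and folder not in expected:
                alerts.append(("system_file_execution_location_anomaly", ev["Image"]))
            if name == "at.exe" and "/interactive" in cmd:
                alerts.append(("interactive_at_job", ev["CommandLine"]))
            parent, _ = _split(ev.get("ParentImage", ""))
            # A genuine svchost.exe is started by services.exe and carries -k.
            if name == "svchost.exe" and (" -k " not in cmd + " " or parent != "services.exe"):
                alerts.append(("suspect_svchost_activity", ev["Image"]))
        elif ev["EventID"] == 11:
            target = ev.get("TargetFilename", "")
            tname, tfolder = _split(target)
            if STARTUP_FOLDER_MARK in target.lower() and tname.endswith(SCRIPT_EXTENSIONS):
                alerts.append(("drops_script_at_startup_location", target))
            expected = EXPECTED_DIRS.get(tname)
            if expected is not None and tfolder not in expected:
                alerts.append(("system_process_name_in_unsuspected_location", target))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule}: {evidence}")
```

The tell worth internalising from this sample is the directory: C:\Windows\System (no "32") is a real, near-empty legacy directory, so a svchost.exe or explorer.exe living there passes a glance at the process list but fails any rule that compares the full image path against the expected location.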
Threat name: Win32.Trojan.Golsys
Status: Malicious
First seen: 2025-02-17 00:55:04 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 34 of 37 (91.89%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
Downloads MZ/PE file
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
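The behaviour list above names four autostart locations (a Run key, the startup folder, Winlogon, Active Setup) plus the Explorer settings that hide hidden and system files, which is how the dropped copies stay out of sight. As an added example (not the sandbox's logic, and not data recovered from this sample), here is an offline audit of those registry locations over a .reg export text dump, the kind of artefact collected from a host with `reg export`. The key paths are the real Windows locations; the value data (dropped.exe, the GUID) are constructed placeholders.

```python
# Constructed .reg export fragment covering the persistence and hidden-file
# behaviours listed above. Key paths are the real Windows locations; value
# data are placeholders, not values recovered from this sample.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dropped"="C:\\Users\\user\\AppData\\Local\\dropped.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\user\\AppData\\Local\\dropped.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Users\\user\\AppData\\Roaming\\dropped.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Handles the two value kinds used here (quoted strings and dword:);
    other kinds (hex:, expand strings) are kept as their raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = raw
            keys[current][name] = value
    return keys


def audit_persistence(keys):
    """Flag autostart entries and Explorer-visibility settings worth a look."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, target in values.items():
                findings.append(("run_key", f"{name} -> {target}"))
        elif k.endswith("\\windows nt\\currentversion\\winlogon"):
            shell = str(values.get("Shell", "explorer.exe")).strip().lower()
            if shell != "explorer.exe":
                findings.append(("winlogon_shell", values["Shell"]))
            userinit = str(values.get("Userinit", DEFAULT_USERINIT))
            entries = [p.strip().lower() for p in userinit.split(",") if p.strip()]
            if entries != [DEFAULT_USERINIT]:
                findings.append(("winlogon_userinit", userinit))
        elif "\\active setup\\installed components\\" in k and "StubPath" in values:
            # Legitimate components use StubPath too; a stub under a user
            # profile is the signal, so only those are flagged.
            stub = str(values["StubPath"])
            if "\\users\\" in stub.lower():
                findings.append(("active_setup_stubpath", stub))
        elif k.endswith("\\explorer\\advanced"):
            if values.get("Hidden") == 2:          # 1 = show hidden files, 2 = hide
                findings.append(("explorer_hides_hidden_files", "Hidden=2"))
            if values.get("ShowSuperHidden") == 0:  # 0 = hide protected OS files
                findings.append(("explorer_hides_system_files", "ShowSuperHidden=0"))
    return findings


if __name__ == "__main__":
    for rule, evidence in audit_persistence(parse_reg(REG_EXPORT)):
        print(f"{rule}: {evidence}")
```

The Winlogon check is written to stay quiet on the stock values (Shell of exactly explorer.exe, Userinit of exactly the system32 path with its trailing comma), so that what it does report is a deviation rather than the default.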
Verdict: Malicious
Tags: trojan Win.Malware.Swisyn-7610494-0
YARA: Windows_Generic_Threat_2bb7fbe3

Unpacked files
SHA256 hash: 7fa7977427298708c795293c12fefc41483e4f37485685549130b4ad1bdac554
MD5 hash: 6ea76bdd96b89028f654972bfb4adb8a
SHA1 hash: c1baa50000127cd3260652444694f25ae9532b4a

SHA256 hash: a9a22ccf2aaea20b3733e5b1dafe96b64b4a0041933ab7fa4ddc4561fc188156
MD5 hash: ecad7d2b0e43cac01e3bfe796916afeb
SHA1 hash: b70c5a72b706b6e9a9d2884df6bb46fa5f022696
Detections: AutoIT_Compiled SUSP_Imphash_Mar23_3

SHA256 hash: b7ee0c1c80ec81e37e7f6541c573b428e85b8aba28d8e270ee3f74f2cd8f829b
MD5 hash: 3bc29d8867cbd7b37c22689a3e6a71bd
SHA1 hash: 4e225ad17e2941fac5792b4114d7eac6d88de1f1
Detections: win_remcos_w0 win_remcos_auto Remcos malware_windows_remcos_rat win_remcos_rat_unpacked INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: ProtectSharewareV11eCompservCMS
Author: malware-lu

Rule name: SEH__vba
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SUSP_Imphash_Mar23_2
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (zero hits with a search for 'imphash:x p:0' on Virustotal)
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: Windows_Generic_Threat_2bb7fbe3
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: CryptOne
File: Executable exe 7fa7977427298708c795293c12fefc41483e4f37485685549130b4ad1bdac554 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
VB_API | Legacy Visual Basic API used | MSVBVM60.DLL::__vbaCopyBytes, MSVBVM60.DLL::__vbaSetSystemError, MSVBVM60.DLL::__vbaExitProc, MSVBVM60.DLL::__vbaObjSetAddref, MSVBVM60.DLL::EVENT_SINK_AddRef, MSVBVM60.DLL::__vbaFileOpen
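The three BLint findings above are all read straight from the PE headers: CHECK_NX and CHECK_PIE are the NX_COMPAT and DYNAMIC_BASE bits of DllCharacteristics in the optional header, and CHECK_AUTHENTICODE is whether the security data directory (the certificate table) is populated at all. As an added example (not BLint's code), the following reads those fields from raw bytes, alongside the four digests a downloaded sample should be checked against before any analysis. The PE bytes it runs on are a constructed header built by `build_pe`, not this sample; the flag values and offsets are the documented PE format ones.

```python
import hashlib
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR; what BLint calls PIE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP / non-executable memory
IMAGE_DIRECTORY_ENTRY_SECURITY = 4              # Authenticode certificate table


def digests(data):
    """The four digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_hashes(data, expected):
    """Return the names of digests in `expected` that do not match `data`."""
    actual = digests(data)
    return [name for name, value in expected.items() if actual.get(name) != value.lower()]


def pe_hardening(data):
    """Read DllCharacteristics and the security directory from a PE image.

    Mirrors BLint's CHECK_NX, CHECK_PIE and CHECK_AUTHENTICODE: the first two
    are header flags, the third is whether a certificate table is attached at
    all. Presence says nothing about whether the signature validates.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                     # skip signature and COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                          # PE32: data directories at +96
        data_dirs = opt + 96
    elif magic == 0x20B:                        # PE32+: data directories at +112
        data_dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)   # same offset in both
    _, sec_size = struct.unpack_from("<II", data, data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "pe32plus": magic == 0x20B,
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "authenticode": sec_size > 0,
    }


def build_pe(dll_characteristics, signed):
    """Construct a minimal PE32 header for testing (not a runnable binary)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=224
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x400)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_pe(0, False)           # mirrors this page's three findings
    print(pe_hardening(sample))
    print(digests(sample))
```

Two caveats when reading such output for this sample: on a packed CryptOne file the header describes the VB6 stub, not the Remcos payload that the sandbox unpacked, and "authenticode": True would only mean a certificate table exists, so a signed-but-revoked or self-signed binary reports the same as a properly signed one until the chain is actually verified.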
