MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81c2ce98187e55391b67b181ba9f4e26ff2593bef4a02aefa46fe602b3c48381. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptOne

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	81c2ce98187e55391b67b181ba9f4e26ff2593bef4a02aefa46fe602b3c48381
SHA3-384 hash:	439496a986eaf22fdce817b52dbc92d7b2630f62a2166a6079cc28d3483b287dea454f42ea72a92040114f28cf3f61ed
SHA1 hash:	5f67b46fc4a0a1cfd4225efe01752e0aa51bee88
MD5 hash:	fa72a95a0d9f7e98657f71a5b6c529ed
humanhash:	carbon-alabama-iowa-harry
File name:	fa72a95a0d9f7e98657f71a5b6c529ed.exe
Download:	download sample
Signature	CryptOne Create hunting rule
File size:	1'546'666 bytes
First seen:	2023-07-10 12:07:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	91e96141ed5dbe3bc541c8aad7ff3c38 (22 x CryptOne, 7 x njrat, 5 x DCRat)
ssdeep	24576:pLllLl7CEt0CNkkf5a7jSxhteO+s86k93qvGUx79Y0sMzvYi995pG8lnB8ooiYXS:BllLt0CNkk4mxhteO+H6MsGUx7arqvh9
Threatray	49 similar samples on MalwareBazaar
TLSH	T128652260BAC588B0D8A619351AE08771AB3DBC311F768EEB17441B5E9F311D1D83A7B3
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	CryptOne exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

290

Origin country :

NL

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

fa72a95a0d9f7e98657f71a5b6c529ed.exe

Verdict:

Malicious activity

Analysis date:

2023-07-10 12:11:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/95fea716-f293-4185-bc0e-b8184d3ea6a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/413551/

Detection(s):

SecuriteInfo.com.Variant.Fugrafa.267521.30514.22927.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/96923/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware lolbin overlay packed replace setupapi shdocvw shell32

Link:

https://www.filescan.io/uploads/64abf4ad4b573cca625dc0e3/reports/ed74038e-8640-40b4-b640-95135e1a9218/overview

Verdict:

Malicious

Labled as:

Trojan.Agent

Link:

https://www.hybrid-analysis.com/sample/81c2ce98187e55391b67b181ba9f4e26ff2593bef4a02aefa46fe602b3c48381

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a976950-02c3-4fa4-8fc3-43afee06d0cf

Result

Threat name:

CryptOne

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1270085

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81c2ce98187e55391b67b181ba9f4e26ff2593bef4a02aefa46fe602b3c48381/

Threat name:

Win32.Trojan.Uztuby

Status:

Malicious

First seen:

2023-07-10 12:08:11 UTC

File Type:

PE (Exe)

Extracted files:

18

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qhbm5gaypzktsg3hwga3vh2oe37sle566sqcv35en7tafm6eqoaq._file

Verdict:

malicious

Similar samples:

014e574ce2454214c7aa61d94ebb9be669ead513d2bb60b9fdf527907c088792

0baf82e29d938f8ce86d56784d4249181155983eecbfdae1f7324705b152da7b

22d63c0ca31019e77eb995fed035cac211e6d82e24e6d54105e26adc0c2d0373

278305d714746ff033e5b15a7b93a26ec56fbf9f32a8b0cd036b352667fe8c34

3d46e0a434a318139ea0d258b25d1aeb6675c1221fced184970b0f5e59e76cbd

6aa12fc8b880af7f1ba4edc944be0cc79a0cc4b58adc5439c4263870531b61d2

9eabc737fcd4b9e3ee124a01cc30943e31d92a64e177be4e096d42b85359fe17

de4cd2e5d0d0969ef21f93c4f33dad620c8383b24d2dd8c361403d69b20178f0

e4c701c10cc4eeceb1e344e31e05eda5683d40ccb39e0b8473d7750227287063

+ 39 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230710-pax4nsab34/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

81c2ce98187e55391b67b181ba9f4e26ff2593bef4a02aefa46fe602b3c48381

MD5 hash:

fa72a95a0d9f7e98657f71a5b6c529ed

SHA1 hash:

5f67b46fc4a0a1cfd4225efe01752e0aa51bee88

Link:

https://www.unpac.me/results/a24a9f8e-42b6-4840-8c8d-c8f6b8e0fbbc/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/413551/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample