MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 835d2c5f855fe8db6d262b1704d87b27478f917a69d96e3afbbad3af5a571755. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 835d2c5f855fe8db6d262b1704d87b27478f917a69d96e3afbbad3af5a571755
SHA3-384 hash: 66a3db4956033bb7917d97a8c83c98f4031caa266209e5f338f9b2cbd040c0e4b096bf5b23a4fe478ab4553004a95074
SHA1 hash: 187e6f91209006a88b5e4262f4f62320b8217724
MD5 hash: 9c037d603e0666daf2107d74f65dbc5f
humanhash: fillet-winter-sink-king
File name:9c037d603e0666daf2107d74f65dbc5f.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'766'755 bytes
First seen:2022-11-09 07:06:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 24576:zry2uXzmwLkMd2PNUt/gKs5ISG5qi1hBrsaEZHM4Ym0crbuJVc+Je7Gk4m:zunYMd2PNDKsqh2Zso4JVcdGe
Threatray 2'310 similar samples on MalwareBazaar
TLSH T15D8523417ED2C4B1E57319341AACEB30653DBC210F39CA8B63A46E7D5F341C1A63A7A6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-08 18:49:43 UTC
Tags:
trojan amadey loader stealer
Link:
https://app.any.run/tasks/ce225211-2de2-4206-acba-62d5e71999c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331012/
Detection(s):
Win.Malware.Qakbot-9952520-1
Create hunting rule

SecuriteInfo.com.Trojan.Uztuby.4.21386.15255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50404/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/636b519b83b66bc0f0422816/reports/4ee84d35-d00e-4d6c-888e-880edce169fa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4044d63e-fd9b-4b11-9013-4d921fca63d2
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1108998
Signature
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 741660 Sample: AMUNToW56S.exe Startdate: 09/11/2022 Architecture: WINDOWS Score: 84 23 Antivirus detection for dropped file 2->23 25 Multi AV Scanner detection for dropped file 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 3 other signatures 2->29 9 AMUNToW56S.exe 3 8 2->9         started        process3 file4 21 C:\Users\user\AppData\Local\Temp\Xpsb.cpl, PE32 9->21 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        signatures7 31 Contains functionality to detect sleep reduction / modifications 14->31 17 rundll32.exe 14->17         started        process8 process9 19 rundll32.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/835d2c5f855fe8db6d262b1704d87b27478f917a69d96e3afbbad3af5a571755/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 19:40:31 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qnosyx4fl7unw3jgfmlqjwd3e5dy7el2nhmw4ox3xlj26wsxc5kq._file
Verdict:
malicious
Similar samples:
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
CryptOne
2df4e3a4d7b6e5f33ef54c73ff86ffc76d8667ff587756a2887bf91687ab46a9
CryptOne
56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d
CryptOne
666be9b4c4842a088d58cb60056335bab68c1745aef6ef843d0506a35cc7484e
CryptOne
bf714f661724be71712eba1e8c6660a08e39b2deb3aaa09631fc568ebf7c0d83
CryptOne
c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27
CryptOne
f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
CryptOne
+ 2'300 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221109-hxmswseeh7/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
0e0f3ada513a72b449e14c4ce36b14568a0a0a2c3489c531b1654459adbc8a5b
MD5 hash:
25be605235e353ae141cf94f469225eb
SHA1 hash:
b6a0ac318e46d79585ca98a7b507d93f55a725de
Link:
https://www.unpac.me/results/638724d1-d41c-4026-99c2-a0dae3365905/
SH256 hash:
3708a137a7f6ae58389448990a354faa5760060242e19735a3f702d0f2a37b0b
MD5 hash:
21dfea8d194a4dd0529a8c9b9e683cce
SHA1 hash:
e2fb2df90321c2c1c7c01b55a19ae3ef196c6f7a
Link:
https://www.unpac.me/results/638724d1-d41c-4026-99c2-a0dae3365905/
SH256 hash:
835d2c5f855fe8db6d262b1704d87b27478f917a69d96e3afbbad3af5a571755
MD5 hash:
9c037d603e0666daf2107d74f65dbc5f
SHA1 hash:
187e6f91209006a88b5e4262f4f62320b8217724
Link:
https://www.unpac.me/results/638724d1-d41c-4026-99c2-a0dae3365905/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/835d2c5f855f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/835d2c5f855fe8db6d262b1704d87b27478f917a69d96e3afbbad3af5a571755

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/331012/

Comments