MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f4695a7e3322c7e86026120b7162c886d3ad1ea8221c29d47733a462faae377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f4695a7e3322c7e86026120b7162c886d3ad1ea8221c29d47733a462faae377
SHA3-384 hash: 4783b0c10ddcc439d42b85e74dcfaa0f91b458383dd64a15f0625291982eb2c26e224ca2d744242c5d57d1326070aac7
SHA1 hash: bec3197fa5cede4ee2d5d4b919dc00d21af8f21d
MD5 hash: 4efe91621f32f250e8472d9f6f261b71
humanhash: leopard-saturn-mockingbird-happy
File name:4efe91621f32f250e8472d9f6f261b71.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'793'885 bytes
First seen:2022-11-11 10:21:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:t84/cJ2QM9JHImq6eGKZVxp8Be2fyYfO8l+sX:tVcJ27O6eGyVxGBe1Y3sI
Threatray 2'477 similar samples on MalwareBazaar
TLSH T1668523427DC194B2C6752C75596AB362203DBD202F20CEAF53A89E2DEE711C1AB35773
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4efe91621f32f250e8472d9f6f261b71.exe
Verdict:
Malicious activity
Analysis date:
2022-11-11 10:26:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82ba12d3-8b40-4b96-b5ab-b063d300356c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332421/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51302/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/636e225037a53af3a7f560db/reports/46a53fb1-a220-4ff8-a70e-879920c5b792/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b39aa2ca-9678-4dfc-844f-364048fd0426
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1111167
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743862 Sample: PSkNp4ENxa.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 72 25 Multi AV Scanner detection for dropped file 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected CryptOne packer 2->29 31 2 other signatures 2->31 9 PSkNp4ENxa.exe 8 2->9         started        process3 dnsIp4 23 192.168.2.1 unknown unknown 9->23 21 C:\Users\user\AppData\Local\Temp\soibSo.x, PE32 9->21 dropped 13 control.exe 1 9->13         started        file5 process6 process7 15 rundll32.exe 13->15         started        process8 17 rundll32.exe 15->17         started        process9 19 rundll32.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f4695a7e3322c7e86026120b7162c886d3ad1ea8221c29d47733a462faae377/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-11 08:33:41 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5djlj7dgiwh5bqcmeqlofrmrbwtvupkqiq4fhkhom5eml5k4n3q._file
Verdict:
malicious
Similar samples:
0b9f5277e6d3a78fa0b945cf233c515059680e1440ccc32b5595a7fe1907a6c6
CryptOne
132061ecc922628fdf86038d740ef678172a54fe61a0b8822ae3834e8ecb15b5
CryptOne
4247573cc4a284836565f3109a6262cfc31ed920f82237db6fdbbc1aace0f616
CryptOne
5a769cc47976851a50ade9008b7e9216c5d92f0a4c15dbbe72ce9197773af811
CryptOne
6a4e8a5b81223afdbe0d39158cb013057e41d5ae6626e1e6c8aef0a5dfd02ca2
CryptOne
6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189
CryptOne
8c8a4db691bc7fffd379eab27c0336621f553982006b196c39be8f4e3f29e85f
CryptOne
a1365ab85683efd1a97af1b0b86e8f9f587b2c5fa9efe2f5c705d4e4e74e3ee3
CryptOne
c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607
CryptOne
+ 2'467 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221111-mea4laee48/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d58512cc-4070-48de-9626-e8c42fd36819
Unpacked files
SH256 hash:
3ec50485742910fac01d0a01cc4c8120b75601c158ddaee8aa42f5afcbc2a563
MD5 hash:
a24c0a18686fab641351d37913789e74
SHA1 hash:
57e49a4bf9af9932710990d5ec5c288562b7f346
Link:
https://www.unpac.me/results/e628089b-1216-4502-9bc4-aedc27890e2c/
SH256 hash:
c3188883b7ad9facd96ddeb06900360e0e6f6fbae84e529a2ff0772e2422d7e9
MD5 hash:
fb201a1c4838149bb28a9c035ac24ac7
SHA1 hash:
f97c3804216ae946ff77f4ff30b04114765f2f7a
Link:
https://www.unpac.me/results/e628089b-1216-4502-9bc4-aedc27890e2c/
SH256 hash:
8f4695a7e3322c7e86026120b7162c886d3ad1ea8221c29d47733a462faae377
MD5 hash:
4efe91621f32f250e8472d9f6f261b71
SHA1 hash:
bec3197fa5cede4ee2d5d4b919dc00d21af8f21d
Link:
https://www.unpac.me/results/e628089b-1216-4502-9bc4-aedc27890e2c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f4695a7e3322c7e86026120b7162c886d3ad1ea8221c29d47733a462faae377

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe 8f4695a7e3322c7e86026120b7162c886d3ad1ea8221c29d47733a462faae377

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2405501/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/332421/

Comments