MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2fd5c125959b12813cfc0fa6826dbb87825fc6e5b3ec1196cb7a2408b9c2e38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2fd5c125959b12813cfc0fa6826dbb87825fc6e5b3ec1196cb7a2408b9c2e38
SHA3-384 hash: 4086f4a52df67b9130d2c426ae48d86d8be73d32941daf14de0cd164f80dfee2a9ed6f3eeeb31d97a2fe4c9ec08f3a1a
SHA1 hash: b24e31c107a1ef747bf62cd07ca5144576a5fd0f
MD5 hash: eeb2ee196792e22e5c9dd12422720eb9
humanhash: mexico-snake-king-east
File name:eeb2ee196792e22e5c9dd12422720eb9.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'730'852 bytes
First seen:2022-12-12 17:23:48 UTC
Last seen:2022-12-12 18:30:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4070734502a100c8f90bbd445995533 (11 x CryptOne, 5 x DCRat, 2 x njrat)
ssdeep 24576:hG/t/8uPVDmXBsB/DnexXvw+TVJwxjxUm+sBf1eQhQaVWoXI4aKoee5ecV9Jbq3q:4u4minedwsJOxT1eQhTWV4aKjeNDq3q
Threatray 2'085 similar samples on MalwareBazaar
TLSH T173852301BAC184B2D1621D324739AB11B87DBD206F75DFEB27941B5EEE716C0CB217A2
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eeb2ee196792e22e5c9dd12422720eb9.exe
Verdict:
Malicious activity
Analysis date:
2022-12-12 17:29:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58d38d7a-aa8c-475f-b876-51b8560e445a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345582/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.2.30064.31296.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/639763b70c6473d1671aa7f6/reports/b2d2fd6c-ee8e-4530-b7fe-936afc53cadc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/00b65575-6332-4a7a-9e9b-846b897b4f3d
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1132922
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2fd5c125959b12813cfc0fa6826dbb87825fc6e5b3ec1196cb7a2408b9c2e38/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 09:55:47 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ul6vyeszlgysqe6pyd5gqjw3xb4cl7dolm7mcglmw6rebc44fy4a._file
Verdict:
malicious
Similar samples:
09051ade3d7c8bc6be358107b584eba08fdec0214cfd7c99e4b56f3e1e66d2b5
CryptOne
342d78d9fce8746086118d55415082dd511dd6b0eeaae7800701131e54988678
CryptOne
408c78bbd01630d88293c29b2dd137277d76cfb8c34dfc3de52e3f70f92d0d38
CryptOne
63df14fbd01c02c496cac0a6bb6822fa7d4627a780d7ec03dea57c991170cddd
CryptOne
7df3aa465df1bb133f97a69ed8a066c90a7c5f9fc8aeabb7517f71cd9c147d97
CryptOne
bd5502b3b91005d62013d1821b3a0a3c6c4fcd8e493e57c5088968304dbc035c
CryptOne
e7579f40e1a8f43b9d2114b022cec4e497be4dbc03c5df91c493b7a1cb23109f
CryptOne
f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda
CryptOne
f47fae36937dabb1c97098581deb76302b10f5abdf77971626813dd158af341c
CryptOne
fc59a736bdcb8725ac257500a7548408b909925719b0025665a851ce1419cc30
CryptOne
+ 2'075 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221212-vyp1vseg6w/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e0959603-bbe4-4a3a-823a-0345ba53b680
Unpacked files
SH256 hash:
f39721f7fa288f222233844a741edbe3ba7e6c305c1da8e8e2b243d6bbfd375f
MD5 hash:
cc5143a7b4666098f3ad549d763ed105
SHA1 hash:
40a5fcdcc84f8dd9322133f22314764d61285b98
Link:
https://www.unpac.me/results/5bbd0683-a7a0-45c4-a0c0-d7cdd9466a96/
SH256 hash:
4dbc812c6c69c530f53d64bcec6345db56e78c065578792660d42a494c854be4
MD5 hash:
158ec782ca13661a5886e9f45a2d3b40
SHA1 hash:
48603648af85f1b26d9730212a92f7501800b500
Link:
https://www.unpac.me/results/5bbd0683-a7a0-45c4-a0c0-d7cdd9466a96/
SH256 hash:
a2fd5c125959b12813cfc0fa6826dbb87825fc6e5b3ec1196cb7a2408b9c2e38
MD5 hash:
eeb2ee196792e22e5c9dd12422720eb9
SHA1 hash:
b24e31c107a1ef747bf62cd07ca5144576a5fd0f
Link:
https://www.unpac.me/results/5bbd0683-a7a0-45c4-a0c0-d7cdd9466a96/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a2fd5c125959/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2fd5c125959b12813cfc0fa6826dbb87825fc6e5b3ec1196cb7a2408b9c2e38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe a2fd5c125959b12813cfc0fa6826dbb87825fc6e5b3ec1196cb7a2408b9c2e38

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2454346/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/345582/

Comments