MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7272fd88ca6f3948088238f8a82fa073afcba8c4c7f2ac76ef889e937a10b8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7272fd88ca6f3948088238f8a82fa073afcba8c4c7f2ac76ef889e937a10b8a
SHA3-384 hash: e6e063e8843dd34a69ffb3d37e7c4ec0c35dfa5a21374ba3bd70b0026c47f83243e9c61f4d9c6ef927779bc53aeb5642
SHA1 hash: 6a345bbb0e726a810978ad6b1322552f5d7d1200
MD5 hash: c7bc6e25baa935d0fbdd4173a580970c
humanhash: edward-fruit-cup-triple
File name:c7bc6e25baa935d0fbdd4173a580970c
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'956'945 bytes
First seen:2022-11-30 00:06:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:TlBfJXAEGGwr8JLann8ihxVe4VQojep+fCuY8rjRpajtc:TlBfKED28J+n8Ue4VQojW+NY8rn5
Threatray 2'649 similar samples on MalwareBazaar
TLSH T17E952302BE814C73D1711D304D395B59AE7D78300F68DAEFA3A44A1EBE752D0AB39663
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter zbetcheckin
Tags:32 CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7bc6e25baa935d0fbdd4173a580970c
Verdict:
Malicious activity
Analysis date:
2022-11-30 00:08:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b048814-eedf-427a-9d56-7da1cd68683c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339833/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.17760.4241.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63869ea800c584752ee29a4c/reports/aa4d92d7-5f0e-4c2e-bba2-851ec618d8ff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f070ba1f-4b50-4ff2-813a-2e87d4e1fc2b
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1123588
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756312 Sample: de2uNCkW41.exe Startdate: 30/11/2022 Architecture: WINDOWS Score: 88 22 Antivirus detection for dropped file 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 26 Multi AV Scanner detection for dropped file 2->26 28 4 other signatures 2->28 9 de2uNCkW41.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\dBSa.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7272fd88ca6f3948088238f8a82fa073afcba8c4c7f2ac76ef889e937a10b8a/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 23:28:46 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4ts7wemu3zzjaeieohyvax2a45pzoumjr7svr3o7ce6sn5bbofa._file
Verdict:
malicious
Similar samples:
2fbf3507320d77ce68ad429c66ddcf0d53cedcb3cf8396c1057c820737bf9e11
CryptOne
40335fc69c45b3fefab11dfd6e562fbdcb2f2153ced916ddc68f44eecaab3d72
CryptOne
41d6f0977590e08c50b69579e57d4fde515ce214d958b700b18d36318b44e4db
CryptOne
4c3d353918e33a12f20eb6fa3640159baae150de48b1457d3141733e286ec577
CryptOne
6f27690e2304704aeb7f583859da9bb4466817b3d9a63cc3d7aaceb695ca843a
CryptOne
8c0429806e000a09e006beb89f6d438c458b565e500980a0301fda4f817922e1
CryptOne
adbce9992523240b7244b9f73dc2b8fbe0b575a3c34a0fd34d9385fc800651b9
CryptOne
deaf22c4cadd171ef59fc8e6299d26bd4679b965d24097a48e1cf8f283a0eb89
CryptOne
eb83685ce62e4b88847bde48a5ba0607fb6a37d359a70be5fdd33a5bec71bb5e
CryptOne
+ 2'639 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221130-aebc5sba53/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
8e913d24fd4df342e9b6b8cca41d8082f3521d0f2cafff2a980a97981e172155
MD5 hash:
0e7d02bdab4cee0bb40a6093206521f4
SHA1 hash:
c8a10fe4ff5d889476f0bddbd3d4e5a319eec408
Link:
https://www.unpac.me/results/23d03234-d3cf-428a-b3f4-37456c8b5ab7/
SH256 hash:
5901260a3cb69d0a45c38eaf7deaf2c4218a4bc5b0ffebd419b41000c2baa54e
MD5 hash:
3d09d5563a62f171afea068633b4f97b
SHA1 hash:
d36e5ac6da251ff89a75b20aa5cf1f5902026a2e
Link:
https://www.unpac.me/results/23d03234-d3cf-428a-b3f4-37456c8b5ab7/
SH256 hash:
a7272fd88ca6f3948088238f8a82fa073afcba8c4c7f2ac76ef889e937a10b8a
MD5 hash:
c7bc6e25baa935d0fbdd4173a580970c
SHA1 hash:
6a345bbb0e726a810978ad6b1322552f5d7d1200
Link:
https://www.unpac.me/results/23d03234-d3cf-428a-b3f4-37456c8b5ab7/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7272fd88ca6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7272fd88ca6f3948088238f8a82fa073afcba8c4c7f2ac76ef889e937a10b8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe a7272fd88ca6f3948088238f8a82fa073afcba8c4c7f2ac76ef889e937a10b8a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2432932/
Cape
Cape
https://www.capesandbox.com/analysis/339833/

Comments


Avatar
zbet commented on 2022-11-30 00:06:47 UTC

url : hxxp://77.73.134.245/new/linda5.exe