MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0f03beb2deb788f046bfe4e6ffcb120af1bdf0bfa538dbd262e560034ca2241. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0f03beb2deb788f046bfe4e6ffcb120af1bdf0bfa538dbd262e560034ca2241
SHA3-384 hash: 9be7d620d363ffa1333bb9226606473659fd71401f7a81e785d93d96fdc06698fd84a86f0996cb0d230115ca3e1eb6b0
SHA1 hash: 7060770a9c5fb7a2be4b94c0375b2eb6b79a2ccd
MD5 hash: 039c220499e81869412e2dac17a6df7f
humanhash: october-texas-wolfram-seventeen
File name:039c220499e81869412e2dac17a6df7f.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'444'845 bytes
First seen:2023-03-17 19:03:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e92b2275a730f59940462780c383a1b0 (26 x CryptOne, 3 x Loki, 2 x Mimic)
ssdeep 24576:VLeTtjJF5HrKwx/NGBgD05Xp61lAZOHh/4M1Z+gIN8TePXU7L5bzHvESvA3VfA:VLYgwV081lsOHh/H1Z+gI6SPXebzHvEw
Threatray 135 similar samples on MalwareBazaar
TLSH T10D652251BAC1C8B0E572117A1AFA9630A67DBD2157BACDDB43487B1E9B301D0D336B32
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
039c220499e81869412e2dac17a6df7f.exe
Verdict:
Malicious activity
Analysis date:
2023-03-17 19:08:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cac2b9f5-07e8-40db-919b-f77e00c19141

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375223/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.132.18606.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73675/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
comodo greyware overlay packed qakbot setupapi.dll shdocvw.dll shell32.dll virus
Link:
https://www.filescan.io/uploads/6414b9a7da1bbe29caf8df45/reports/a13d4e69-30a6-4893-b4ab-e5a25169d8ff/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b0f03beb2deb788f046bfe4e6ffcb120af1bdf0bfa538dbd262e560034ca2241
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c2f956c-c0be-4c15-bf76-a76b736bbfd2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1196181
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0f03beb2deb788f046bfe4e6ffcb120af1bdf0bfa538dbd262e560034ca2241/
Threat name:
Win32.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 19:04:11 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
13 of 39 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdydx2zn5n4i6bdl7zhg77frecxrxxyl7jjy3pjgfzlaangkejaq._file
Verdict:
malicious
Similar samples:
0202f7b45fc04e6271c7abc863560b9581ab0d467ff3ff28f6ae0a94aae488d8
CryptOne
1b679b7b07daff5acfafb8d134126a28e748fb29f600219112ddd5f53fb3ebf5
CryptOne
1fb00fc30c88df39e9dc56e684518f61a5573d0a863b3bed34e420da9341d1e6
CryptOne
2c8718c2665ed9d280daf5fd102686229b39cb10b174eda0cb0204f6a7e01d52
CryptOne
865f3de4a49a6fc637e637d6f165ae6c7c8f8be8d7a79145ada708d82cd41a75
CryptOne
a326643a0b0666727cd5d38637313526ef28e12d9fd042549b9607bd1d2e0421
CryptOne
a8020408f00e293d2dcd91b42c4edeedbfb479e09f56e7aa2c8ebb32223f6f71
CryptOne
b3f0f7a4e82ca5428630483ed701ccb0acda8bb279d7d0f6772bdec88e25e909
CryptOne
be15602eb67ae71bba0dd98c4bca1e9e3afccbf6cc1eb90bed6dda268253be69
CryptOne
f0fe2595be5afe285d9b8d2d906c9ef9b11ea2905193ef1d6e252c9ccf2c2cf2
CryptOne
+ 125 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230317-xqyddahf67/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
b0f03beb2deb788f046bfe4e6ffcb120af1bdf0bfa538dbd262e560034ca2241
MD5 hash:
039c220499e81869412e2dac17a6df7f
SHA1 hash:
7060770a9c5fb7a2be4b94c0375b2eb6b79a2ccd
Link:
https://www.unpac.me/results/f45aeee3-bb30-4470-9520-51354d680fce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0f03beb2deb788f046bfe4e6ffcb120af1bdf0bfa538dbd262e560034ca2241

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe b0f03beb2deb788f046bfe4e6ffcb120af1bdf0bfa538dbd262e560034ca2241

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2534708/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/375223/

Comments