MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b265d895bc741cc6619dd51ca854038b4e002ad27f2d5a25b9633fa16506f5be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b265d895bc741cc6619dd51ca854038b4e002ad27f2d5a25b9633fa16506f5be
SHA3-384 hash: 6b922e45d838a5301050d07c41f963c5f4793b6e35accc7e8acde78bd80612aa787dd95902d862fd548f3686fcc0a258
SHA1 hash: 318746a89f22e66204e38177c22d6323e180e0cc
MD5 hash: 564bfc8497cdd7edce893461572d25c1
humanhash: mexico-failed-nine-juliet
File name:564bfc8497cdd7edce893461572d25c1.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'740'121 bytes
First seen:2022-11-25 16:55:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:ChvJVJdMs00DcYV9FHQTZ+YiLv3PMHmNurR2OW9AI+mTrKuMLQcSz2MLF9Pm7TwE:S3dgs9FTrUGY3c+mTSLQciF9Pm7TwBMx
Threatray 2'621 similar samples on MalwareBazaar
TLSH T186852211FDC155B3E6B2193246386760283C7D201F24EEEFA3E4699E99761C0AE21F77
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
564bfc8497cdd7edce893461572d25c1.exe
Verdict:
Malicious activity
Analysis date:
2022-11-25 16:59:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5ec58b9b-454a-4670-a8e2-e4db376baf53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338515/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37098799.28291.25939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6380f3a3536377388865ce96/reports/8bf0918a-6ec6-4137-baa4-9ec0d85b2b8d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6759d10f-6961-4be1-8ea8-08f25ae505a2
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1121281
Signature
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b265d895bc741cc6619dd51ca854038b4e002ad27f2d5a25b9633fa16506f5be/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 16:56:12 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjs5rfn4oqommym52uokqvadrnhaakwsp4wvujnzmm72czig6w7a._file
Verdict:
malicious
Similar samples:
07a775e0ce0b693e7fe1b7b0175b2951f52bef2ae0ca2d150efc0f40079c735a
CryptOne
0a3719034534630aa13dfff817954b553ced8877c06110351b09a0591994e321
CryptOne
33ad97412d0ea51dd14c970ea67a92b237b28de04add5ecc3f64f9696fb3ed1c
CryptOne
65de7f369ef7a90554d6bdda6905bfea516a75e08515d52399e5d7a5653a7a53
CryptOne
6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f
CryptOne
8500f1744e517dfa7e8f0e08aeea29ca2625695ee2b90653a007edd1be838f54
CryptOne
aa0ca7d10df1c45dce9aaab1813c4da0af731b35455c7de79136bef551411d3d
CryptOne
af9ae71f474011620aadead96851b27773982f9c2ea41763d9c5d839b361cddb
CryptOne
ecb1dd5f5cc10c3150c827f018f56a5e131d5382f3e72aab68c488e85849c60e
CryptOne
+ 2'611 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221125-vfpblsbf36/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1de2dabf-8cfa-4eff-b623-ce9ee9c6a5c4
Unpacked files
SH256 hash:
1cc56badcb772305c81b44abde93167d6bd42a8fd8ec0114e71aef2db9a18c95
MD5 hash:
55d54d6d44b2676ac50930c14dffbacb
SHA1 hash:
23139a573c58d9303ca16b79451bbef150297b7b
Link:
https://www.unpac.me/results/bc09d512-87c1-4e5c-82a0-2af2a53cb2cb/
SH256 hash:
716382d3e8082fe6b8633dbf451bdae134dc3ab5a077025f077590a7c0794bff
MD5 hash:
e3f691a70c04934de42c3450a7ae8a69
SHA1 hash:
d37713020eec136ce386bbd1c6f6ce57e9eaa7b5
Link:
https://www.unpac.me/results/bc09d512-87c1-4e5c-82a0-2af2a53cb2cb/
SH256 hash:
b265d895bc741cc6619dd51ca854038b4e002ad27f2d5a25b9633fa16506f5be
MD5 hash:
564bfc8497cdd7edce893461572d25c1
SHA1 hash:
318746a89f22e66204e38177c22d6323e180e0cc
Link:
https://www.unpac.me/results/bc09d512-87c1-4e5c-82a0-2af2a53cb2cb/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b265d895bc74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b265d895bc741cc6619dd51ca854038b4e002ad27f2d5a25b9633fa16506f5be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe b265d895bc741cc6619dd51ca854038b4e002ad27f2d5a25b9633fa16506f5be

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2432932/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/338515/

Comments