MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27
SHA3-384 hash: f569e1eba64a4ff394bc1dd90c6c4d2e9223ea496c8a9d49c6f9d11b669a34e21b86bf191d928a9299609a46853cede0
SHA1 hash: 04811efcac15000fab0cb7583b9476b3207a3d13
MD5 hash: bca27f15c3ed6319a0fd8950518741f2
humanhash: tennessee-oregon-seven-oranges
File name:file
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'555'261 bytes
First seen:2022-11-03 22:43:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 24576:zry2uXzmwL9+F+Bm+zeRjCYzhj/voVut+FaduUYDXvrKsMIladIpn1K6uNe4BFjq:zunZW+zeprrvMugFaduTXw/dIpUteB
Threatray 1'942 similar samples on MalwareBazaar
TLSH T1E17522067AD50872D0B12E3859F48B75613CBD311F388ADB93A47A6D1E341C2AE36B77
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter jstrosch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-03 22:50:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e9bc6f3-2912-41ef-b7c3-2b22b1185f56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328231/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.21386.15255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/48221/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6364443315611f8d8bf8af7f/reports/9a1bdfba-f2d7-4cb0-ae06-2007351c5037/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/471a27ef-f7c3-4540-8ebf-a1bd4da7e382
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1105013
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 737675 Sample: file.exe Startdate: 04/11/2022 Architecture: WINDOWS Score: 80 22 Antivirus detection for dropped file 2->22 24 Multi AV Scanner detection for dropped file 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 3 other signatures 2->28 9 file.exe 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\eMB88vx.P, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-03 22:44:14 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yo6s3iautkgcvgfe5dwe3dfc7sw5dptwu3gjtbilvowkn73pxmtq._file
Verdict:
malicious
Similar samples:
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
CryptOne
2df4e3a4d7b6e5f33ef54c73ff86ffc76d8667ff587756a2887bf91687ab46a9
CryptOne
56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d
CryptOne
9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e
CryptOne
bb9377d30a6a0abe24b7eca70250745afc078f116871bb94b5d617a207b37a9c
CryptOne
bf714f661724be71712eba1e8c6660a08e39b2deb3aaa09631fc568ebf7c0d83
CryptOne
dd2a5dcb0106f4c6e7b91ececccef95ff651daa95d78210d41287fe1de0cb639
CryptOne
f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
CryptOne
+ 1'932 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221103-2nvlxsgcd9/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/23f3a699-43ea-4fe8-ba70-b7defdebbb54
Unpacked files
SH256 hash:
ccef85a60f40ed00b645265466a48f994ad314514ca643735c5882c62ea20b73
MD5 hash:
ec0fbe52d69b8ff4e2139fd15b3b5dba
SHA1 hash:
8224986ac9fced2c9f4553f6f1829ec9155f40fb
Link:
https://www.unpac.me/results/b0963b6d-8803-43fb-9a96-3df97b7b3f69/
SH256 hash:
9e9951decddd5709d8bded35e84f4eab4771122784c7a6466e816f405d7aa74d
MD5 hash:
25618362716240eb2969f53960259c5e
SHA1 hash:
7249419ab73f53f88285ccfe66dd2f8c8d563aa8
Link:
https://www.unpac.me/results/b0963b6d-8803-43fb-9a96-3df97b7b3f69/
SH256 hash:
c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27
MD5 hash:
bca27f15c3ed6319a0fd8950518741f2
SHA1 hash:
04811efcac15000fab0cb7583b9476b3207a3d13
Link:
https://www.unpac.me/results/b0963b6d-8803-43fb-9a96-3df97b7b3f69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe c3bd2da0149a8c2a98a4e8ec4d8ca2fcadd1be76a6cc99850babaca6ff6fbb27

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/328231/

Comments