MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5851f9f14f370e7cb513418a3f65cc9afccd970a6e49479b643df9d5b0c27ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5851f9f14f370e7cb513418a3f65cc9afccd970a6e49479b643df9d5b0c27ca
SHA3-384 hash: 62c3f9150a0ffeb754cc32cb701623b4ff681c5ac4289ff394f177841ddd3bdcbf4efb0aee22b67ebd41de52e9be96b9
SHA1 hash: 5b72f16abc74ce45d700a38798bddcc1c951b801
MD5 hash: 839939e90ce8d4d3c3eb44b73ff4c32f
humanhash: pizza-lamp-ink-august
File name:839939e90ce8d4d3c3eb44b73ff4c32f.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:4'940'288 bytes
First seen:2022-10-05 14:56:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0e9c847d831a8ac3efa55818acb90d72 (4 x Glupteba, 1 x CryptOne)
ssdeep 98304:m2h1pKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:msbFmS3VjVEOeTtJHbdnrz7
Threatray 11 similar samples on MalwareBazaar
TLSH T1F536DF2ABB0981B6CA7173F599AB55DE9430DC30906540F8EE832B48E536F7743BA347
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316950/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41340/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/633d9b44c9e2f3435432d5a3/reports/9696f9fb-d49a-455e-a238-fab8270680fe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5e785e9-694d-4873-a876-72e102e03444
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084214
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716771 Sample: y5RoVSMHNc.exe Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 33 Antivirus detection for URL or domain 2->33 35 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 3 other signatures 2->39 7 y5RoVSMHNc.exe 2->7         started        process3 dnsIp4 29 217.195.155.154, 49699, 8081 SHOCK-1US Netherlands 7->29 31 get.geojs.io 172.67.70.233, 443, 49700 CLOUDFLARENETUS United States 7->31 41 Detected unpacking (changes PE section rights) 7->41 43 Detected unpacking (overwrites its own PE header) 7->43 45 Tries to harvest and steal browser information (history, passwords, etc) 7->45 11 cmd.exe 1 7->11         started        13 cmd.exe 1 7->13         started        15 WMIC.exe 1 7->15         started        17 15 other processes 7->17 signatures5 process6 process7 19 WMIC.exe 1 11->19         started        21 conhost.exe 11->21         started        23 WMIC.exe 1 13->23         started        25 conhost.exe 13->25         started        27 conhost.exe 15->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5851f9f14f370e7cb513418a3f65cc9afccd970a6e49479b643df9d5b0c27ca/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 14:57:18 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywcr7hyu6nyops2rgqmkh5s4zgx4zwlqu3sji6nwippz2wyme7fa._file
Verdict:
malicious
Similar samples:
2e442f59d4b93e0bd914cf49e47b2095b969cc742d9a3615e3d324e495cd2fe8
CryptOne
2e6e8729d76dc13a750db437a1677e60d579f785714e7c5bbff65085be0f08bf
CryptOne
5f2f29011be6cf5de2a601ddd3ea58224a73f663725f81a87a8659b520000e36
CryptOne
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
CryptOne
760aa40751dd20657c6b0c9cf925f9e3afbf7078997171ee5fa03ef011aae03f
CryptOne
883e12a7cd81c09838284e4dbda9caa9d8df6ac57234e14ee0ee02bb2fcc2329
CryptOne
8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d
CryptOne
8eb6ae80fd83cdfb03f10de49649d97029f10c3074e0683b9c9c9094b469289d
CryptOne
eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362
CryptOne
ec95bea63c3311e4b83f37fe2d189c6e06cd258c247faf00f3937c6283607afa
CryptOne
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221005-sbkrhsehcp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Gathering data
Unpacked files
SH256 hash:
69d043f055680cbd141f3b1f02d9f893d0984596f1702b85aa960f8980bc6b6e
MD5 hash:
9b48c7427e6d09b88e0f40453f1b5e7b
SHA1 hash:
f40bcd1863f21f6fe9ec914ff432d84492860aa0
Link:
https://www.unpac.me/results/48448e88-164b-41d5-b94f-2338b974f97a/
SH256 hash:
c5851f9f14f370e7cb513418a3f65cc9afccd970a6e49479b643df9d5b0c27ca
MD5 hash:
839939e90ce8d4d3c3eb44b73ff4c32f
SHA1 hash:
5b72f16abc74ce45d700a38798bddcc1c951b801
Link:
https://www.unpac.me/results/48448e88-164b-41d5-b94f-2338b974f97a/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5851f9f14f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5851f9f14f370e7cb513418a3f65cc9afccd970a6e49479b643df9d5b0c27ca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316950/

Comments