MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c70080a16f834ce9c1fb6fdf0e98bd76a2b230dbbf8529c9bdbc27531042c9ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c70080a16f834ce9c1fb6fdf0e98bd76a2b230dbbf8529c9bdbc27531042c9ca
SHA3-384 hash: b04c28215641c87def8daf62ddcd509c20583466f215406e6f39f95ea9db379774bf20273b8f0086f3391d31a2002058
SHA1 hash: 37ec8eacb19ace469d12c0d2717b30adbf61e144
MD5 hash: 18ebab354f5e00a6db82541c3076bc54
humanhash: pip-sweet-carolina-ceiling
File name:SecuriteInfo.com.Win64.CrypterX-gen.4118.23067
Download: download sample
File size:710'128 bytes
First seen:2023-11-20 07:18:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:HRs5f1S1RJ8oy7PTjVcAAaPpaOYN7zsl2RdWN/8ypu8KN541rVIxxJom:OoUPTjVBAaRaf9CqdWN/8ah850rWx/7
TLSH T16AE47303BA978DB5D39B2736C5BF04042B7CE8816213DF9F798AA3592843777AE40617
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon d48eaece9ca692de
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win64.CrypterX-gen.4118.23067
Verdict:
Malicious activity
Analysis date:
2023-11-20 07:21:28 UTC
Tags:
zgrat pureloader loader stealer purelogs
Link:
https://app.any.run/tasks/b83daf6b-73f2-492f-84c6-b22480c35958

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459238/
Detection(s):
SecuriteInfo.com.Win64.CrypterX-gen.4118.23067.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Sending a TCP request to an infection source
Stealing user critical data
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/c70080a16f834ce9c1fb6fdf0e98bd76a2b230dbbf8529c9bdbc27531042c9ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/95117644-a86c-4ec2-be5e-ba9e22bf1d29
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1344990
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Drops VBS files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1344990 Sample: SecuriteInfo.com.Win64.Cryp... Startdate: 20/11/2023 Architecture: WINDOWS Score: 100 31 tbsgroup-vn.com 2->31 33 246.204.9.0.in-addr.arpa 2->33 51 Snort IDS alert for network traffic 2->51 53 Sigma detected: Drops script at startup location 2->53 55 .NET source code contains potential unpacker 2->55 57 3 other signatures 2->57 8 SecuriteInfo.com.Win64.CrypterX-gen.4118.23067.exe 14 6 2->8         started        13 wscript.exe 1 2->13         started        signatures3 process4 dnsIp5 35 tbsgroup-vn.com 198.177.123.158, 443, 49703, 49711 FINALFRONTIERVG United States 8->35 27 C:\Users\user\AppData\...\streamfab_615.exe, PE32+ 8->27 dropped 29 C:\Users\user\AppData\...\streamfab_615.vbs, ASCII 8->29 dropped 67 Drops VBS files to the startup folder 8->67 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->69 71 Modifies the context of a thread in another process (thread injection) 8->71 73 Injects a PE file into a foreign processes 8->73 15 SecuriteInfo.com.Win64.CrypterX-gen.4118.23067.exe 24 8->15         started        75 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->75 20 streamfab_615.exe 14 5 13->20         started        file6 signatures7 process8 dnsIp9 37 94.156.66.79, 49709, 49710, 49713 TERASYST-ASBG Bulgaria 15->37 25 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 15->25 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->39 41 Tries to steal Mail credentials (via file / registry access) 15->41 43 Found many strings related to Crypto-Wallets (likely being stolen) 15->43 49 2 other signatures 15->49 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Injects a PE file into a foreign processes 20->47 22 streamfab_615.exe 24 20->22         started        file10 signatures11 process12 signatures13 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->59 61 Tries to steal Mail credentials (via file / registry access) 22->61 63 Tries to harvest and steal browser information (history, passwords, etc) 22->63 65 Tries to harvest and steal Bitcoin Wallet information 22->65
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c70080a16f834ce9c1fb6fdf0e98bd76a2b230dbbf8529c9bdbc27531042c9ca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c70080a16f834ce9c1fb6fdf0e98bd76a2b230dbbf8529c9bdbc27531042c9ca/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-11-20 05:21:28 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4aibilpqngotqp3n7pq5gf5o2rlemg3x6cstsn5xqtvgecczhfa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/231120-h5h5nsed53/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c70080a16f834ce9c1fb6fdf0e98bd76a2b230dbbf8529c9bdbc27531042c9ca
MD5 hash:
18ebab354f5e00a6db82541c3076bc54
SHA1 hash:
37ec8eacb19ace469d12c0d2717b30adbf61e144
Link:
https://www.unpac.me/results/073d7bc3-0567-45e6-bc92-312cad5053dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c70080a16f83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c70080a16f834ce9c1fb6fdf0e98bd76a2b230dbbf8529c9bdbc27531042c9ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459238/

Comments