MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1
SHA3-384 hash: 74ae5461bdf1d79a7aca026fbc6e87f4a86119b23e743816d77688438d33fe84c72fc71b94641d3d6557843ef05dcab3
SHA1 hash: f5c4cbbb70af97088cbf534041be30fb46eeb0e5
MD5 hash: fc06195745470a798ccfea66071085a1
humanhash: king-grey-fillet-floor
File name:fc06195745470a798ccfea66071085a1
Download: download sample
File size:5'399'226 bytes
First seen:2021-06-24 11:12:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 49152:t+eyauztjYdfem6Y9hB+RbmJdHJ7dKbmp5fTd2hF8L4uLA/jVDuVuRyY/:1yd9mnHfXd7nlq
Threatray 4'517 similar samples on MalwareBazaar
TLSH F0466BC0FA6711F2DA870E710CF7435ABB3143214276AF81EB75272AFC47696263A761
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc06195745470a798ccfea66071085a1
Verdict:
No threats detected
Analysis date:
2021-06-24 11:16:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2693c37f-9238-4a4b-a113-e7c5686f2fe9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167983/
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8909f15-b4c4-4c99-ac35-aa035975d4ef
Result
Threat name:
CryptOne Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807396
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 439807 Sample: bI2mk4yC8b Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 61 clientconfig.passport.net 2->61 79 Antivirus / Scanner detection for submitted sample 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected Mofksys 2->83 85 5 other signatures 2->85 11 bI2mk4yC8b.exe 1 3 2->11         started        15 svchost.exe 2->15         started        17 svchost.exe 9 1 2->17         started        20 10 other processes 2->20 signatures3 process4 dnsIp5 55 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 11->55 dropped 57 C:\Users\user\Desktop\bi2mk4yc8b.exe, PE32 11->57 dropped 103 Drops executables to the windows directory (C:\Windows) and starts them 11->103 22 icsys.icn.exe 2 11->22         started        27 bi2mk4yc8b.exe 1 11->27         started        105 Changes security center settings (notifications, updates, antivirus, firewall) 15->105 29 MpCmdRun.exe 1 15->29         started        59 127.0.0.1 unknown unknown 17->59 file6 signatures7 process8 dnsIp9 63 192.168.2.1 unknown unknown 22->63 51 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 22->51 dropped 87 Antivirus detection for dropped file 22->87 89 Machine Learning detection for dropped file 22->89 91 Drops executables to the windows directory (C:\Windows) and starts them 22->91 93 Drops PE files with benign system names 22->93 31 explorer.exe 2 15 22->31         started        36 conhost.exe 27->36         started        38 conhost.exe 29->38         started        file10 signatures11 process12 dnsIp13 65 codecmd03.googlecode.com 31->65 67 codecmd02.googlecode.com 31->67 69 2 other IPs or domains 31->69 49 C:\Windows\Resources\spoolsv.exe, MS-DOS 31->49 dropped 71 Antivirus detection for dropped file 31->71 73 System process connects to network (likely due to code injection or exploit) 31->73 75 Machine Learning detection for dropped file 31->75 77 Drops PE files with benign system names 31->77 40 spoolsv.exe 2 31->40         started        file14 signatures15 process16 file17 53 C:\Windows\Resources\svchost.exe, MS-DOS 40->53 dropped 95 Antivirus detection for dropped file 40->95 97 Machine Learning detection for dropped file 40->97 99 Drops executables to the windows directory (C:\Windows) and starts them 40->99 101 Drops PE files with benign system names 40->101 44 svchost.exe 1 40->44         started        signatures18 process19 signatures20 107 Antivirus detection for dropped file 44->107 109 Detected CryptOne packer 44->109 111 Machine Learning detection for dropped file 44->111 113 Drops executables to the windows directory (C:\Windows) and starts them 44->113 47 spoolsv.exe 1 44->47         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1/
Threat name:
Win32.Worm.Mofksys
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 11:13:18 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9
603b8b4a8d2fedea549b4f06b345da9234a06ceab9366175c8de484df155a2b9
6c094a18d2ab75c95ffc39399cece2eebdb8064f91cec40226be037fb20f64d9
7c1eae5e28280689e8db038813d781a47158b6d76f849aeb0c204058dfe94590
7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573
9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
+ 4'507 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210624-p9e7zre9s2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1
MD5 hash:
fc06195745470a798ccfea66071085a1
SHA1 hash:
f5c4cbbb70af97088cbf534041be30fb46eeb0e5
Link:
https://www.unpac.me/results/0d6ec561-82d5-456e-a191-2189536621f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394454/
Cape
Cape
https://www.capesandbox.com/analysis/167983/

Comments