MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8ee793a3ee636c3d37b1f68c9eeff85e5177eea0d25c5641f1b86770ef9679d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8ee793a3ee636c3d37b1f68c9eeff85e5177eea0d25c5641f1b86770ef9679d
SHA3-384 hash: a952b19e56d8650ec1751c32c2759d29cf1fe565f6d916f36a7645bb118383e2b74515391775591f25ad24e408396acc
SHA1 hash: b975106f8865227965c398fb4b846ecb3a5505db
MD5 hash: 30db48120f441e7d9d6fb77715da4195
humanhash: fix-mango-violet-wisconsin
File name:30db48120f441e7d9d6fb77715da4195.exe
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'898'242 bytes
First seen:2022-11-09 16:51:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:t84UKlwOttRxvphBKCuS58gw8uRKrQoZPMJ:txlDj7vphKpHorQl
Threatray 2'443 similar samples on MalwareBazaar
TLSH T1D0952302F8C69572E9A12D36297957105A3DBD601F24DF9BB3D45A6EEE300C0E7307AB
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
30db48120f441e7d9d6fb77715da4195.exe
Verdict:
Malicious activity
Analysis date:
2022-11-09 17:05:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4352059-8cbd-4ad1-8985-9b61f6c9dadd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331369/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50628/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/636bdab382dd9f2e26532f4c/reports/36f5248c-6033-4f64-a0e9-51c3e5025525/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/174c707a-f8cd-4d27-ba28-126ad97791a0
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1109524
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8ee793a3ee636c3d37b1f68c9eeff85e5177eea0d25c5641f1b86770ef9679d/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-11-09 14:58:21 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
24 of 40 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdxhsor64y3mhu33d5umt3x7qxsro7xkbus4kza7dodhodxzm6oq._file
Verdict:
malicious
Similar samples:
132061ecc922628fdf86038d740ef678172a54fe61a0b8822ae3834e8ecb15b5
CryptOne
4247573cc4a284836565f3109a6262cfc31ed920f82237db6fdbbc1aace0f616
CryptOne
6a4e8a5b81223afdbe0d39158cb013057e41d5ae6626e1e6c8aef0a5dfd02ca2
CryptOne
6e3f4c2e85d7fb134f7ca95e0593e76447baed8c9e2def7ae94d88bad3257189
CryptOne
8c8a4db691bc7fffd379eab27c0336621f553982006b196c39be8f4e3f29e85f
CryptOne
a1365ab85683efd1a97af1b0b86e8f9f587b2c5fa9efe2f5c705d4e4e74e3ee3
CryptOne
a17e4f8171fbdb1637b555e889cca857e7c38662637c056201c78da8c94494dd
CryptOne
c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607
CryptOne
+ 2'433 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221109-vdez6acbdl/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
a16aecc4bfa306298b76c76cc97e8ad3d9f1b0a7b554b079d190ec1992b9c26c
MD5 hash:
b19f577371334dddac6488acf8edb08d
SHA1 hash:
5c4d59db12715d6a0c7a2bff0f1492986bab2388
Link:
https://www.unpac.me/results/7974b9c3-4436-4d7d-92db-8fa3e166014a/
SH256 hash:
b2edec1573c5650d7338a7b928e1bb25d02cda84672e2095737c4e583cbc67cf
MD5 hash:
f93924789c3f0acb7a9ad56d03f80f96
SHA1 hash:
7dcf6a539f548b12801e11f1722499c2d027e7e5
Link:
https://www.unpac.me/results/7974b9c3-4436-4d7d-92db-8fa3e166014a/
SH256 hash:
c8ee793a3ee636c3d37b1f68c9eeff85e5177eea0d25c5641f1b86770ef9679d
MD5 hash:
30db48120f441e7d9d6fb77715da4195
SHA1 hash:
b975106f8865227965c398fb4b846ecb3a5505db
Link:
https://www.unpac.me/results/7974b9c3-4436-4d7d-92db-8fa3e166014a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8ee793a3ee636c3d37b1f68c9eeff85e5177eea0d25c5641f1b86770ef9679d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe c8ee793a3ee636c3d37b1f68c9eeff85e5177eea0d25c5641f1b86770ef9679d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2405501/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/331369/

Comments