MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ARCrypter


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62
SHA3-384 hash: 5b152e6216be6e46c77bfa1b32d7ca5158bacccae9ae8767bf7cb542496f8920012f8adc2c959fc3b47ca01472cebc07
SHA1 hash: 1d4d3f0f6e3b94a6e2dc48c06c4b3686d0611860
MD5 hash: bc288a88a43c5a6d4b9dee33d3ef70eb
humanhash: fix-purple-ack-tango
File name:cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62
Download: download sample
Signature ARCrypter
Create hunting rule
File size:766'464 bytes
First seen:2022-11-17 02:15:59 UTC
Last seen:2022-11-17 03:39:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f928347212fd6dce5f7ee29086225dd (2 x ARCrypter)
ssdeep 12288:0zQ88eWYgeWYg955/155/P6DQG8UNNbQzo1oh+V6WJl7TQAWZ:0zQ886DQZQVAo1A+IW37sA
Threatray 3'221 similar samples on MalwareBazaar
TLSH T133F4BF86A7A503F8E1BBD03888564506E7B2BC4547719BDF23A0176A4F732E29E3F351
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d8949494d4b8f8e3 (2 x ARCrypter)
Reporter Arkbird_SOLG
Tags:ARCrypter dropper exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
414
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cc0bd455.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 13:45:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9d22136-b780-4576-a4e2-2742f5aed04c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335135/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop20.30033.16460.15455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Modifying an executable file
Delayed reading of the file
Launching cmd.exe command interpreter
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63759965f75d59fef0b9a0e6/reports/19bda0f0-4001-4d09-bd5b-d3d5876e73f0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7556a040-8179-4207-9abd-821f7c99cc4d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1115425
Signature
Antivirus / Scanner detection for submitted sample
Found Tor onion address
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748120 Sample: 9BqCDIEOB6.exe Startdate: 17/11/2022 Architecture: WINDOWS Score: 60 27 Antivirus / Scanner detection for submitted sample 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Found Tor onion address 2->31 8 9BqCDIEOB6.exe 3 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        13 conhost.exe 8->13         started        file5 25 C:\Users\user\Desktop\9BqCDIEOB6.exe, ASCII 10->25 dropped 15 cmd.exe 1 10->15         started        17 taskkill.exe 1 10->17         started        19 taskkill.exe 1 10->19         started        21 8 other processes 10->21 process6 process7 23 conhost.exe 15->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62/
Threat name:
Win64.Ransomware.ArcDropper
Create hunting rule
Status:
Malicious
First seen:
2022-08-06 06:53:37 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqf5ivjwu3av7c3w7ydp2y3yk7tpxned3rrape5khkrh4gvxljra._file
Verdict:
malicious
Similar samples:
257b99a8149825c3714e40ef1f4e0d1ccb35e0cc692deeb4e9fab1f38d9dddc9
ARCrypter
2e1d1c1629abb3aa966337d50dce159721048417ee11b47127302dae0eb3f09c
ARCrypter
32708c5d376f130b48bf3bd706879c1945a2d701036d94e25aceea41a4042052
ARCrypter
36e08c2df39cd84d8969a95de6a6882fbc954e7ca31a5a5d4be8ec33cfa84649
ARCrypter
39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
ARCrypter
8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb
ARCrypter
a1a3d07b7d2a764011affbede324e5f01590697e110a1c934d21c3627d3d1484
ARCrypter
b14cde376a8a7a9d7ad34cdfd07108c132ad8be7f60c5c0a0f17b6b63eb28b49
ARCrypter
e0efcfb64134200889c4a098fcd2d0d0031bf6b5b5e0c718059b39bdf63aad91
ARCrypter
eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d
ARCrypter
+ 3'211 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221117-cp52lshe4t/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/143e0fef-d032-4d81-ba34-e5bde220e5ce
Unpacked files
SH256 hash:
cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62
MD5 hash:
bc288a88a43c5a6d4b9dee33d3ef70eb
SHA1 hash:
1d4d3f0f6e3b94a6e2dc48c06c4b3686d0611860
Link:
https://www.unpac.me/results/d07480a0-d876-4332-bfc3-68ab5cb147ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
Cape
Cape
https://www.capesandbox.com/analysis/335135/

Comments