MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
SHA3-384 hash: 8ed39b7475120b34101231b34dd0dae6abb66a1bd22a681276c3b6bd7e47be2b27f2cf42a2b92519cbd4458881ba8d0d
SHA1 hash: 2e990ec1fdee46b2f8aa6323f428b5b1403f451a
MD5 hash: f9cbb8637e9c0a5bc3ed7800a364285c
humanhash: three-don-rugby-venus
File name:6_ico.exe
Download: download sample
File size:1'836'544 bytes
First seen:2021-02-26 22:23:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:U+H3DebTkXHzl/21v11R8GyusMExdqtaQ0Qr:13DD8vvR85NDbef
Threatray 246 similar samples on MalwareBazaar
TLSH FB85339E3E146AE8E2951E7677D9960C9B826D3CDC93E21330C3717FC1A1DB26D03462
Reporter JasonMilletary

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lv.bin
Verdict:
Malicious activity
Analysis date:
2021-02-26 19:51:54 UTC
Tags:
evasion opendir loader
Link:
https://app.any.run/tasks/e54e94c6-88cd-48dd-928f-370b5f504725

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119549/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a UDP request
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620251
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 17:51:32 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00723545fff6ce259e729f8f1f9c7129e0d667502f94ef137bbbd9642ced4cc0
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
4df95b25eba61af4dafea962aece44721deaebbb49cd3636fe3d20f169009d99
5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
80530706a080d68ebd18bcf85dae9dbe6477c39d7e4aa7381a1c73902c344201
9237e5cae5f698d5ad9f6c61af8bd866e599abb05f5bc49474d98e269a29a588
9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
+ 236 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion spyware
Link:
https://tria.ge/reports/210226-4s5d43lvbx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Identifies Wine through registry keys
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
MD5 hash:
f9cbb8637e9c0a5bc3ed7800a364285c
SHA1 hash:
2e990ec1fdee46b2f8aa6323f428b5b1403f451a
Link:
https://www.unpac.me/results/29ae8834-72a2-4588-aba6-812740dc0731/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6

Executable exe ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe

(this sample)

  
Dropped by
SHA256 5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
Cape
Cape
https://www.capesandbox.com/analysis/119549/

Comments