MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7c0067cbd323aca05863947271f757ec819758148f985110b08d34a32f2abcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7c0067cbd323aca05863947271f757ec819758148f985110b08d34a32f2abcd
SHA3-384 hash: 94c76c188e1a55ab357b25508d5d924cf36f3a9e68b74b5e359dee866eb32d50c100836a7752b0938601e7c33387b001
SHA1 hash: a01caae584ab9c013cce3fb51341e96c232c8e47
MD5 hash: 3cd9324df77c1da0999fbf5a609a6000
humanhash: batman-solar-ack-eighteen
File name:virussign.com_3cd9324df77c1da0999fbf5a609a6000
Download: download sample
File size:138'323 bytes
First seen:2022-07-15 16:28:50 UTC
Last seen:2024-07-24 21:57:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVyv:UVqoCl/YgjxEufVU0TbTyDDalYv
TLSH T139D3E8277E00541ED5568AF02CAD9B6EBE215F762FA0AC0733627B4429B520B76F131F
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon 92e0b496a2cada72 (11 x Adware.Generic, 5 x Adware.InstalleRex, 2 x Adware.Yantai)
Reporter KdssSupport
Tags:exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
virussign.com_3cd9324df77c1da0999fbf5a609a6000
Verdict:
No threats detected
Analysis date:
2022-07-16 05:51:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c46e1d0-cf20-490e-88c4-e5372369a410

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/290004/
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Setting a single autorun event
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62d196733ec0b068997bdb6b/reports/f890a4b8-af0c-4ad3-8262-7c34a85aa174/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
CryptOne, Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1034412
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 666905 Sample: hvfCBHDQ5o.com_3cd9324df77c... Startdate: 17/07/2022 Architecture: WINDOWS Score: 100 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Mofksys 2->49 51 2 other signatures 2->51 9 hvfCBHDQ5o.exe 1 2 2->9         started        13 explorer.exe 1 2->13         started        15 svchost.exe 1 2->15         started        17 3 other processes 2->17 process3 file4 37 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 9->37 dropped 69 Drops executables to the windows directory (C:\Windows) and starts them 9->69 71 Drops PE files with benign system names 9->71 19 explorer.exe 14 9->19         started        signatures5 process6 dnsIp7 39 codecmd03.googlecode.com 19->39 41 codecmd02.googlecode.com 19->41 43 3 other IPs or domains 19->43 33 C:\Windows\Resources\spoolsv.exe, MS-DOS 19->33 dropped 53 Antivirus detection for dropped file 19->53 55 System process connects to network (likely due to code injection or exploit) 19->55 57 Machine Learning detection for dropped file 19->57 59 Drops PE files with benign system names 19->59 24 spoolsv.exe 2 19->24         started        file8 signatures9 process10 file11 35 C:\Windows\Resources\svchost.exe, MS-DOS 24->35 dropped 61 Antivirus detection for dropped file 24->61 63 Machine Learning detection for dropped file 24->63 65 Drops executables to the windows directory (C:\Windows) and starts them 24->65 67 Drops PE files with benign system names 24->67 28 svchost.exe 2 2 24->28         started        signatures12 process13 signatures14 73 Antivirus detection for dropped file 28->73 75 Detected CryptOne packer 28->75 77 Machine Learning detection for dropped file 28->77 79 Drops executables to the windows directory (C:\Windows) and starts them 28->79 31 spoolsv.exe 1 28->31         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7c0067cbd323aca05863947271f757ec819758148f985110b08d34a32f2abcd/
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 07:35:56 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27aam7f5gi5mubmghfdsoh3vp3ebs5mbjd4ykeilbdjuumxsvpgq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/220715-ty8mjaccf9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
d7c0067cbd323aca05863947271f757ec819758148f985110b08d34a32f2abcd
MD5 hash:
3cd9324df77c1da0999fbf5a609a6000
SHA1 hash:
a01caae584ab9c013cce3fb51341e96c232c8e47
Link:
https://www.unpac.me/results/1b2aaf27-7088-46c7-ac16-35937380e0e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/d7c0067cbd323aca05863947271f757ec819758148f985110b08d34a32f2abcd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d7c0067cbd323aca05863947271f757ec819758148f985110b08d34a32f2abcd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/290004/

Comments