MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptOne


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83
SHA3-384 hash: c2e72738f3ed57d1b28c9ce566ec14e0686090c54d9e5f0984391ae320c90633155eb265674e390f63a0fd0e2d21103c
SHA1 hash: 15753638771951a6a727abae8a97042151bc78ab
MD5 hash: d31354fb2753e99b082bf4f5bcfbbd98
humanhash: michigan-mockingbird-sodium-arkansas
File name:SecuriteInfo.com.Variant.Fugrafa.249259.22208.10766
Download: download sample
Signature CryptOne
Create hunting rule
File size:1'834'018 bytes
First seen:2022-08-17 10:36:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 033fc3209214566af0e06e5863a94256 (5 x CryptOne)
ssdeep 49152:/eZBYBfJXAE3jrgYkXlnS/kwbIwWFHC2CNeVv2Z:/eZBYBfKETrElS/kwNWFUUV+Z
Threatray 900 similar samples on MalwareBazaar
TLSH T1DD852300BAC045B3D55209325B252B62A97AB8700F95DFDF93D25DAEAE704C1DB3336B
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b3b3b371716b93b3 (25 x CryptOne, 12 x RemcosRAT, 6 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:CryptOne exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Fugrafa.249259.22208.10766
Verdict:
Malicious activity
Analysis date:
2022-08-17 10:37:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/42e61d1c-9261-4603-8ba1-11ebd6946f91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299245/
Detection(s):
SecuriteInfo.com.Variant.Fugrafa.249259.22208.10766.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29211/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62fcc552eb0bf1e2c6e1ea71/reports/54bfebea-cd98-4149-9e25-e8b5e812323a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/aab4aec5-9c54-4ff8-9caa-ca4ee6ee772d
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1052933
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 685448 Sample: SecuriteInfo.com.Variant.Fu... Startdate: 17/08/2022 Architecture: WINDOWS Score: 92 23 Antivirus detection for dropped file 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for dropped file 2->27 29 4 other signatures 2->29 9 SecuriteInfo.com.Variant.Fugrafa.249259.22208.exe 3 8 2->9         started        process3 file4 21 C:\Users\user\AppData\Local\...\KgoJFal.cpl, PE32 9->21 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        signatures7 31 Contains functionality to detect sleep reduction / modifications 14->31 17 rundll32.exe 14->17         started        process8 process9 19 rundll32.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-08-17 10:37:12 UTC
File Type:
PE (Exe)
Extracted files:
88
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=56d6vsirmi4ishscm7kj4lrg5hlbgic2epv7mth74sxs6g4ut2bq._file
Verdict:
malicious
Similar samples:
0b44f1065f98dc2bde51bae5585152a276dd1f19573482589222cf24fc301c97
CryptOne
53425a77a0ba7663da782af01d94a2c3554af157e33741d70de0089fa8c6cc29
CryptOne
988fcf62c41a39cc6a59697c65be84119b52e7b73365064250fe1746b8f88b2b
CryptOne
c4e8a78d7af808b4fe0fa7d8c7da2b2e6a364264621ccf520578c9d5d05baa5a
CryptOne
da362dff8b39c6b4b92387f48f5beb91ce55dbdf8bfe6a6ec7b5e6f1aa269010
CryptOne
e10a201d8b7cb09109715199c099ef24618f50fe09d3c1c6e7abbab79a59d94b
CryptOne
+ 890 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220817-mns1rsedam/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
71fec6f27de4c8505098f204290b1c3022b31a4efe43cd2473826b4f01e395da
MD5 hash:
d470c7cd9a1ea6ee0b9c46e793aee408
SHA1 hash:
8ebc841b7f915fb0231150e8575f0a6e60151ad1
Link:
https://www.unpac.me/results/559e4a99-5842-40b8-b9a1-f8fd9cc2e81f/
SH256 hash:
98e3e9ac5f1958a18637e1c8262c868c7259b602791ed5c7a04f736863091e0d
MD5 hash:
7232ad7c4fece9fa2e4c3648853cbcc9
SHA1 hash:
97a2487c0c8df2f39271a5aaf10a0e235c929ac0
Link:
https://www.unpac.me/results/559e4a99-5842-40b8-b9a1-f8fd9cc2e81f/
SH256 hash:
ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83
MD5 hash:
d31354fb2753e99b082bf4f5bcfbbd98
SHA1 hash:
15753638771951a6a727abae8a97042151bc78ab
Link:
https://www.unpac.me/results/559e4a99-5842-40b8-b9a1-f8fd9cc2e81f/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef87eac91162/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptOne

Executable exe ef87eac9116238891e4267d49e2e26e9d613205a23ebf64cffe4af2f1b949e83

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2273863/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/299245/

Comments