MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash: c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b
SHA3-384 hash: e46ef0ed6b7a44156f74bfb606a76696469095f74a070583c39ba00b96a7aca2ffd2746768c61abe6d664c86b00d8cf3
SHA1 hash: 73870de4caa2eaaf162c81c34740527e12b8467c
MD5 hash: 267667a4bbfdfcf20c407c2b191fd0ed
humanhash: shade-eighteen-asparagus-tennessee
File name:267667a4bbfdfcf20c407c2b191fd0ed.exe
Download: download sample
Signature CryptBot
File size:380'416 bytes
First seen:2021-09-28 11:23:08 UTC
Last seen:2021-09-28 12:08:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56c207817e66e7690a43bf97b1ee7374 (5 x RaccoonStealer, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 6144:KWlOABZeO3au2bLpXWdCn7p7DdVr1gmImu3kr1jtCGT7AqLKVt8xijgSFDE:KW8EZ93aBLpXaqhRXgw5Cw8VtDjv9
Threatray 463 similar samples on MalwareBazaar
TLSH T16684CF2077E0C034F5B712F959BAC3B9AA29BEB16B2491CF63C116EA16746E4DC30753
File icon (PE):PE icon
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 47 x RaccoonStealer, 15 x Smoke Loader)
Reporter @abuse_ch
Tags:CryptBot exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
88
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
73a7c33edf74031bf7c3e893215476eb.exe
Verdict:
Malicious activity
Analysis date:
2021-09-28 10:13:59 UTC
Tags:
trojan loader rat redline stealer opendir evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Cryptbot Glupteba
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Yara detected Cryptbot
Yara detected Generic Downloader
Yara detected Glupteba
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492301 Sample: 7yyqdBJVGf.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 103 Multi AV Scanner detection for domain / URL 2->103 105 Antivirus detection for URL or domain 2->105 107 Multi AV Scanner detection for dropped file 2->107 109 10 other signatures 2->109 12 7yyqdBJVGf.exe 46 2->12         started        17 IntelRapid.exe 2->17         started        19 IntelRapid.exe 2->19         started        21 rundll32.exe 2->21         started        process3 dnsIp4 85 pacdpo22.top 45.140.167.227, 49752, 80 THEFIRST-ASRU United Kingdom 12->85 87 zukelx03.top 185.185.71.183, 49756, 49757, 80 SPRINTHOSTRU Russian Federation 12->87 89 moreil02.top 104.168.214.97, 49755, 80 HOSTWINDSUS United States 12->89 77 C:\Users\user\AppData\Local\Temp\File.exe, PE32 12->77 dropped 79 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->79 dropped 127 Detected unpacking (overwrites its own PE header) 12->127 129 Self deletion via cmd delete 12->129 131 Tries to harvest and steal browser information (history, passwords, etc) 12->131 23 File.exe 25 12->23         started        27 cmd.exe 1 12->27         started        133 Query firmware table information (likely to detect VMs) 17->133 135 Hides threads from debuggers 17->135 137 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->137 file5 signatures6 process7 file8 67 C:\Users\user\AppData\Local\...\wheezy.exe, PE32 23->67 dropped 69 C:\Users\user\AppData\Local\...\parted.exe, PE32+ 23->69 dropped 71 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 23->71 dropped 73 3 other files (none is malicious) 23->73 dropped 119 Multi AV Scanner detection for dropped file 23->119 29 parted.exe 4 23->29         started        33 wheezy.exe 1 5 23->33         started        121 Submitted sample is a known malware sample 27->121 123 Obfuscated command line found 27->123 125 Uses ping.exe to check the status of other devices and networks 27->125 35 conhost.exe 27->35         started        37 timeout.exe 1 27->37         started        signatures9 process10 file11 81 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 29->81 dropped 139 Multi AV Scanner detection for dropped file 29->139 141 Query firmware table information (likely to detect VMs) 29->141 143 Hides threads from debuggers 29->143 145 Tries to detect sandboxes / dynamic malware analysis system (registry check) 29->145 39 IntelRapid.exe 29->39         started        147 Machine Learning detection for dropped file 33->147 42 cmd.exe 1 33->42         started        44 dllhost.exe 33->44         started        signatures12 process13 signatures14 113 Query firmware table information (likely to detect VMs) 39->113 115 Hides threads from debuggers 39->115 117 Tries to detect sandboxes / dynamic malware analysis system (registry check) 39->117 46 cmd.exe 3 42->46         started        49 conhost.exe 42->49         started        process15 signatures16 149 Obfuscated command line found 46->149 51 Bisogna.exe.com 46->51         started        54 PING.EXE 1 46->54         started        57 findstr.exe 1 46->57         started        process17 dnsIp18 111 May check the online IP address of the machine 51->111 60 Bisogna.exe.com 3 18 51->60         started        83 127.0.0.1 unknown unknown 54->83 75 C:\Users\user\AppData\...\Bisogna.exe.com, Targa 57->75 dropped file19 signatures20 process21 dnsIp22 91 ip-api.com 208.95.112.1, 49836, 80 TUT-ASUS United States 60->91 93 192.168.2.1 unknown unknown 60->93 95 YWPUxosKSQKjQIKzFVtwgwCR.YWPUxosKSQKjQIKzFVtwgwCR 60->95 63 wscript.exe 60->63         started        process23 dnsIp24 97 iplogger.org 88.99.66.31, 443, 49849 HETZNER-ASDE Germany 63->97 99 System process connects to network (likely due to code injection or exploit) 63->99 101 May check the online IP address of the machine 63->101 signatures25
Threat name:
Win32.Trojan.Raccrypt
Status:
Malicious
First seen:
2021-09-28 11:24:05 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Result
Malware family:
danabot
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery evasion persistence spyware stealer themida trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.192.232:443
192.119.110.73:443
142.11.242.31:443
192.210.222.88:443
Unpacked files
SH256 hash:
ec2a60df73ecd003eb14a9528b9501cfb84169f28494cfc4d0a6b69b95e61924
MD5 hash:
74cc8ab4a0aef4a7229382d60841cb4e
SHA1 hash:
b3487d50e6d5b7f87fc0602cabb485b03553d96b
SH256 hash:
c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b
MD5 hash:
267667a4bbfdfcf20c407c2b191fd0ed
SHA1 hash:
73870de4caa2eaaf162c81c34740527e12b8467c

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b

(this sample)

  
Delivery method
Distributed via web download

Comments