MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04
SHA3-384 hash: c127ae628ea52d616d0de5c9a149f29311ba4a4f2456f354b19fb334f50bda86a21a000caadccbae571acb49642d1524
SHA1 hash: 1025ed93e5f44d51b96f1a788764cc4487ee477e
MD5 hash: ca16ca4aa9cf9777274447c9f4ba222e
humanhash: winter-oxygen-princess-nebraska
File name:SecuriteInfo.com.Trojan.DownLoader44.7181.30928.15794
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'740'224 bytes
First seen:2021-11-29 20:39:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 497bb8e047f00ee41c710ddd37634657 (7 x CryptBot)
ssdeep 49152:MChUuz9ubrD0rNoVNsLdq0MTq24FdizzlzKGg6W6SYjUN+dCo:vUuxGD0iVNsL9cqtdi8GE6hA+3
Threatray 7'758 similar samples on MalwareBazaar
TLSH T171C5336B4C457942DBDE6635B2524E8D8C81CF1B6346BE702E9F6C2B78476CCAB0442B
Reporter SecuriteInfoCom
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.DownLoader44.7181.30928.15794
Verdict:
Malicious activity
Analysis date:
2021-11-29 20:42:06 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/29f5a6b7-db5c-43a0-b5c3-1fe033c1fdc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.7181.30928.15794.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a file in the %temp% subdirectories
Creating a window
DNS request
Sending an HTTP POST request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware packed virus zusy
Link:
https://www.filescan.io/uploads/61a53aa8bbfd2af97cbac7dc/reports/4650b585-2421-4163-a82f-df02d2899324/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8bad4ea-1152-4c89-9c0d-517b4b63804c
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/898296
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04/
Threat name:
Win32.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 12:45:48 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae
CryptBot
5232589e3096a9f29234f1927955c884e544b6177d027658bac201a64a63ce25
CryptBot
8f983b92dea0643ef2b8411e5506def0c0235b1addd4daa9d13e59ff4f88a1ef
CryptBot
acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b
CryptBot
b1e542752d5c1a59c5efa28cd63de4235b394bdd700c3e3fb6daf71e10de7d72
CryptBot
c1a8d0767c3eee51e264da05003007415326296636a74e143056e7e2fea7dc51
CryptBot
d565f4380b4f2d25673f08df8e88d331e0daf7946a73c83e8d1630e2b347ddf9
CryptBot
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
CryptBot
e2ab039851029d1511405468f5cbc7c6bb046a7005c7503078ebab6ef3708ed7
CryptBot
+ 7'748 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211129-zfwg5scfgj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
Unpacked files
SH256 hash:
caffdc8d8cc2966cad637503162b2b709bc57282fe35b766af9d8e8bded3f17f
MD5 hash:
b31876e5a36c8d59f3f5a7922ea06a88
SHA1 hash:
890911643ac95501b804a74c3ea783cf802a3ad0
Link:
https://www.unpac.me/results/89a1ba6a-1bcd-4b8a-bf03-2815997140e9/
SH256 hash:
0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04
MD5 hash:
ca16ca4aa9cf9777274447c9f4ba222e
SHA1 hash:
1025ed93e5f44d51b96f1a788764cc4487ee477e
Link:
https://www.unpac.me/results/89a1ba6a-1bcd-4b8a-bf03-2815997140e9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/001675552627/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1833058/
  
Delivery method
Distributed via web download

Comments