MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01ad122315fff76fde6444be3cb0be1ffa1acc7f56c07840c1e38ad90b374732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01ad122315fff76fde6444be3cb0be1ffa1acc7f56c07840c1e38ad90b374732
SHA3-384 hash: e868fdbce0de8b2da5aaeab3abfe1b906eda98992a43eb06360360ec2b7cc5172b87a59201b27b58ec192e1524889270
SHA1 hash: 3b196eed10d3ef00d6ead56639c11650b56e83a7
MD5 hash: e3959205680c393688204bb538de523c
humanhash: violet-july-yellow-east
File name:SecuriteInfo.com.W32.AIDetect.malware2.24893.4678
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'897'708 bytes
First seen:2021-04-12 09:55:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b914b6fd04316572d777593dc737715 (4 x CryptBot, 4 x RedLineStealer, 3 x ServHelper)
ssdeep 49152:tx4t969lXp6GjEcsE+4sMq6Kl1PoDE6H1dT+R0:t+L69lXseEcbzQXfQIA1dM0
Threatray 123 similar samples on MalwareBazaar
TLSH A6951240F9A18072FA65063515C3B6A2CC6CA9A1471589D78BBC2B1F3F736C09BBD4DE
Reporter SecuriteInfoCom
Tags:CryptBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.24893.4678
Verdict:
Malicious activity
Analysis date:
2021-04-12 09:56:51 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/1ca983a5-7e4e-447e-a2e1-ed2fdd04e01c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Cryptbot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133717/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.24893.4678.UNOFFICIAL
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/672860
Signature
Contains functionality to register a low level keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385378 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 12/04/2021 Architecture: WINDOWS Score: 64 49 clientconfig.passport.net 2->49 57 Multi AV Scanner detection for submitted file 2->57 10 SecuriteInfo.com.W32.AIDetect.malware2.24893.exe 7 2->10         started        signatures3 process4 signatures5 65 Contains functionality to register a low level keyboard hook 10->65 13 cmd.exe 1 10->13         started        16 makecab.exe 1 10->16         started        18 makecab.exe 1 10->18         started        20 5 other processes 10->20 process6 signatures7 67 Submitted sample is a known malware sample 13->67 22 cmd.exe 3 13->22         started        25 conhost.exe 13->25         started        27 conhost.exe 16->27         started        29 conhost.exe 18->29         started        31 conhost.exe 20->31         started        33 conhost.exe 20->33         started        35 conhost.exe 20->35         started        37 2 other processes 20->37 process8 signatures9 59 Obfuscated command line found 27->59 61 Uses ping.exe to sleep 27->61 63 Uses ping.exe to check the status of other devices and networks 27->63 39 PING.EXE 1 29->39         started        42 Implorando.exe.com 29->42         started        44 findstr.exe 1 29->44         started        process10 dnsIp11 51 127.0.0.1 unknown unknown 39->51 53 192.168.2.1 unknown unknown 39->53 46 Implorando.exe.com 42->46         started        process12 dnsIp13 55 DXTqGlxQqFdnT.DXTqGlxQqFdnT 46->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01ad122315fff76fde6444be3cb0be1ffa1acc7f56c07840c1e38ad90b374732/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=agwreiyv773w7xteis7dzmf6d75bvtd7k3ahqqgb4ofnsczxi4za._file
Verdict:
suspicious
Similar samples:
06607b04da0cd27e4a7abff3df7ee0be86df8226e81a5706351526a3101d2aa2
CryptBot
0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
CryptBot
207be23ccd62d0e3d9aefe12f5c2ab142a42a25b1e246e27e0ae9087c2fe96d3
CryptBot
2cad1d5cd3e145f720e3da8825183d78545b834fe146a8d1ec26c0e876980a66
CryptBot
79638b28279f6fc16f4d3a24a73ac67a405aa548aa09d6ca09f485b8e7e13901
CryptBot
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
CryptBot
df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
CryptBot
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
ecee44992b84f86f98c14b5af66451c9e6306e7db33d038cef6d7292988da559
CryptBot
+ 113 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210412-nd9nyektys/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
56ad942c5385d0eafae2258b9660008f7d6c214306631b27b4c984cf4a8f1395
MD5 hash:
b78271471e492568c89e5193ab3cb1d0
SHA1 hash:
5ebe555561da405d3d51d0b885f081a2b6a2123d
Link:
https://www.unpac.me/results/c08fde9a-e518-4a07-928e-85010d94631b/
SH256 hash:
01ad122315fff76fde6444be3cb0be1ffa1acc7f56c07840c1e38ad90b374732
MD5 hash:
e3959205680c393688204bb538de523c
SHA1 hash:
3b196eed10d3ef00d6ead56639c11650b56e83a7
Link:
https://www.unpac.me/results/c08fde9a-e518-4a07-928e-85010d94631b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
HiddenRun
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01ad122315fff76fde6444be3cb0be1ffa1acc7f56c07840c1e38ad90b374732

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 01ad122315fff76fde6444be3cb0be1ffa1acc7f56c07840c1e38ad90b374732

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1107048/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133717/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 15:15:47 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0017] Process Micro-objective::Create Process
15) [C0038] Process Micro-objective::Create Thread
16) [C0054] Process Micro-objective::Resume Thread
17) [C0018] Process Micro-objective::Terminate Process