MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 10

SHA256 hash: 04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf
SHA3-384 hash: 87c53c83078fa155bd5220c2d85fa624d02afeadb444ed716f9c7347eff62a2ce937b2cacf192440334d79252bc8b345
SHA1 hash: 66621986e07fa188ca06665b6a06587ef721cd8c
MD5 hash: 88e0aec3a6fafc199feb2171cb04a634
humanhash: romeo-kansas-equal-pip
File name: 88e0aec3a6fafc199feb2171cb04a634.exe
Signature: CryptBot
File size: 1'816'845 bytes
First seen: 2021-05-31 16:00:43 UTC
Last seen: 2021-05-31 16:39:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 97ae071900480747f111dc72f77ef2b1 (3 x CryptBot)
ssdeep: 49152:3nHmqMI1LsPuQU8U4GvAgwNF7H9jMoWaLmuKY0WQ/mApf:3nkdrh797W4mFYtfApf
Threatray: 172 similar samples on MalwareBazaar
TLSH: D5852316B7E1C8B5D0A317712F48B7BE0DB47AB0131582DB57A42C0B6966BC1AF3E247
Reporter: abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
http://moryce07.top/index.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://moryce07.top/index.php | https://threatfox.abuse.ch/ioc/67614/

Intelligence

File Origin
# of uploads: 2
# of downloads: 229
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: MainSetupFile.exe
Verdict: Malicious activity
Analysis date: 2021-05-30 18:35:01 UTC
Tags: stealer trojan loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Cryptbot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph (ID 427213; sample 7dguPnfyzM.exe; start date 31/05/2021; architecture WINDOWS; score 100). Process tree recovered from the graph:
7dguPnfyzM.exe (contains functionality to register a low level keyboard hook)
  -> cmd.exe (obfuscated command line; uses ping.exe to sleep and to check the status of other devices and networks)
     -> cmd.exe (obfuscated command line; uses ping.exe to sleep)
        -> PING.EXE (pings 127.0.0.1)
        -> Parlato.exe.com -> Parlato.exe.com (DNS lookup of SpWtAXNWYfIBsFAiwMEbCu.SpWtAXNWYfIBsFAiwMEbCu)
        -> findstr.exe
     -> conhost.exe
Threat name: Win32.PUA.7zip
Status: Malicious
First seen: 2021-05-30 18:53:00 UTC
AV detection: 18 of 28 (64.29%)
Threat level: 1/5

Result
Malware family: cryptbot
Score: 10/10
Tags: family:cryptbot discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.