MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 057a4fa95610763f1aa6c88e6076c8492787a39dd23049fa2324c588c15f75cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cryptbot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 057a4fa95610763f1aa6c88e6076c8492787a39dd23049fa2324c588c15f75cf
SHA3-384 hash: 82d24338cb694ecf1dbdeaf95ba884763e67e61a35e4d86d73f3324e39ffbc1c08f023eb99fd71c4a94191bc8e7fb6d7
SHA1 hash: ba42ac8dcda21f6a43ac9e42a1c2f8ad5f1024a4
MD5 hash: 29c88b0a1cee4b9b0decdaf213f4daa4
humanhash: music-july-south-jupiter
File name:29c88b0a1cee4b9b0decdaf213f4daa4
Download: download sample
Signature Cryptbot
Create hunting rule
File size:657'920 bytes
First seen:2021-07-17 00:25:15 UTC
Last seen:2021-07-17 00:56:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e854b16b1e5e4f4b4d041111d063dc14 (1 x RedLineStealer, 1 x Cryptbot, 1 x DanaBot)
ssdeep 12288:Q/VJ9quYDw5/hjUkrbNK8ot39hSqV2H8/r329SOPXZHZF0m:Q/VJ9quYD2/hjHrbcd3jzV2HOmsAXh7L
Threatray 337 similar samples on MalwareBazaar
TLSH T1F3E4122032F18773D1B34A70583491906677B8B37E38750A66673B1E2E313AD7A257B7
Reporter zbetcheckin
Tags:32 CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
29c88b0a1cee4b9b0decdaf213f4daa4
Verdict:
Malicious activity
Analysis date:
2021-07-17 00:26:15 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/19b363b6-c43f-4cbd-9963-c5bf839cf8a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172300/
Detection(s):
SecuriteInfo.com.Trojan.Agent.FKKY.18235.8171.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/026fee88-cbdd-452a-95b6-3b3b68c16380
Result
Threat name:
Clipboard Hijacker Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817748
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450159 Sample: lYepom1rav Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 89 Multi AV Scanner detection for domain / URL 2->89 91 Found malware configuration 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 15 other signatures 2->95 12 lYepom1rav.exe 22 2->12         started        17 SmartClock.exe 2->17         started        19 SmartClock.exe 2->19         started        process3 dnsIp4 83 wymeja52.top 165.22.50.14, 49723, 80 DIGITALOCEAN-ASNUS United States 12->83 85 morbom05.top 143.110.191.106, 49725, 80 COLLEGE-OF-ST-SCHOLASTICAUS United States 12->85 87 hofhes07.top 47.243.129.23, 49712, 49714, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->87 69 C:\Users\user\AppData\...\vbKrCJIVIZ.exe, PE32 12->69 dropped 71 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->71 dropped 111 Detected unpacking (changes PE section rights) 12->111 113 Detected unpacking (overwrites its own PE header) 12->113 115 Tries to harvest and steal ftp login credentials 12->115 117 2 other signatures 12->117 21 vbKrCJIVIZ.exe 25 12->21         started        file5 signatures6 process7 file8 59 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 21->63 dropped 65 3 other files (none is malicious) 21->65 dropped 101 Multi AV Scanner detection for dropped file 21->101 103 Machine Learning detection for dropped file 21->103 25 vpn.exe 7 21->25         started        27 4.exe 4 21->27         started        signatures9 process10 file11 30 cmd.exe 1 25->30         started        67 C:\Users\user\AppData\...\SmartClock.exe, PE32 27->67 dropped 33 SmartClock.exe 27->33         started        process12 signatures13 119 Submitted sample is a known malware sample 30->119 121 Obfuscated command line found 30->121 123 Uses ping.exe to sleep 30->123 125 Uses ping.exe to check the status of other devices and networks 30->125 35 cmd.exe 3 30->35         started        38 conhost.exe 30->38         started        process14 signatures15 97 Obfuscated command line found 35->97 99 Uses ping.exe to sleep 35->99 40 Smorta.exe.com 35->40         started        43 PING.EXE 1 35->43         started        46 findstr.exe 1 35->46         started        process16 dnsIp17 109 May check the online IP address of the machine 40->109 49 Smorta.exe.com 3 18 40->49         started        81 127.0.0.1 unknown unknown 43->81 73 C:\Users\user\AppData\...\Smorta.exe.com, Targa 46->73 dropped file18 signatures19 process20 dnsIp21 75 ip-api.com 208.95.112.1, 49741, 80 TUT-ASUS United States 49->75 77 UTTHxeXMrRzwq.UTTHxeXMrRzwq 49->77 57 C:\Users\user\AppData\...\ewqjpfpxukk.vbs, ASCII 49->57 dropped 53 wscript.exe 12 49->53         started        file22 process23 dnsIp24 79 iplogger.org 88.99.66.31, 443, 49742 HETZNER-ASDE Germany 53->79 105 System process connects to network (likely due to code injection or exploit) 53->105 107 May check the online IP address of the machine 53->107 signatures25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/057a4fa95610763f1aa6c88e6076c8492787a39dd23049fa2324c588c15f75cf/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 00:26:03 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=av5e7kkwcb3d6gvgzchga5wijetypi452iyet6rdetcyrqk7oxhq._file
Verdict:
malicious
Similar samples:
54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605
Cryptbot
705b09578c6785adb9c29b9d9e5c57fe8c3892ec6cc0a04b099d205a1794aaf7
Cryptbot
719cf0c9eba47af19500753dc4213f551efdc09f13e2c71ef0e39b08a7aca888
Cryptbot
7e19416205cfb8e056d4628bdeb635e29cefba04fcb21ee55e7b0077427e4c99
Cryptbot
949b755ce7ba4afeffe8c261141b77bca5f443761aa062936141ed94b737e848
Cryptbot
9cbdf7f433f59f69ed01b5d6928259ad816d83c3680b8d14bbc54f2e8cd7b752
Cryptbot
af8df57ba3941ed8fa89543e4e98f2da5dfe7a0efaaa72aaca4c54ea9f5ccc58
Cryptbot
+ 327 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210717-96ak1l84e6/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
59f7aac1a730cb6c79b0c5d11e657d96e8a3f3cc362778716531af8c42c27015
MD5 hash:
af37266fa433ac45af1fca1a069b1b11
SHA1 hash:
cacf8a704d489ad16462b21fe6f524962effb845
Detections:
win_blacksoul_auto
Create hunting rule
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd0c96ac-db4d-4b16-a713-04f3041bf6ea/
SH256 hash:
057a4fa95610763f1aa6c88e6076c8492787a39dd23049fa2324c588c15f75cf
MD5 hash:
29c88b0a1cee4b9b0decdaf213f4daa4
SHA1 hash:
ba42ac8dcda21f6a43ac9e42a1c2f8ad5f1024a4
Link:
https://www.unpac.me/results/bd0c96ac-db4d-4b16-a713-04f3041bf6ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/057a4fa95610763f1aa6c88e6076c8492787a39dd23049fa2324c588c15f75cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cryptbot

Executable exe 057a4fa95610763f1aa6c88e6076c8492787a39dd23049fa2324c588c15f75cf

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172300/
  
URLhaus
https://urlhaus.abuse.ch/url/1460333/

Comments


Avatar
zbet commented on 2021-07-17 00:25:16 UTC

url : hxxp://hofyva06.top/download.php?file=file.exe