MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06cf7c7c1a2d8f8647c977803466fd5b3a39dded0312fb23575eeacfaeaf07d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06cf7c7c1a2d8f8647c977803466fd5b3a39dded0312fb23575eeacfaeaf07d6
SHA3-384 hash: bd19e0a3659668bb99529ab711002a0a8a150a4a0c3aecb3061d7b9279a85cae13aac51ee758f5342a2750f9e80c97c3
SHA1 hash: 02da0f0321e163cbabcbf3935204352b6a7de36d
MD5 hash: b9d0d135d4feddc5dbda11c5aa4cc586
humanhash: winter-mississippi-wyoming-yankee
File name:b9d0d135d4feddc5dbda11c5aa4cc586
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'689'547 bytes
First seen:2021-06-24 01:16:59 UTC
Last seen:2021-06-24 03:44:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 011a034751880c1944da3b5ecc18520d (8 x RedLineStealer, 4 x CryptBot, 3 x ArkeiStealer)
ssdeep 49152:4GDQeT5KRjBVqCNoWdqSB2OfFyiegevL4ko2cF:4Gv5KRj2IcvLRo2q
Threatray 236 similar samples on MalwareBazaar
TLSH 3F7523313BC681F5D5E20270B9ADBBB494BCEE211F0245D78758AE1326367D19B7E28C
Reporter zbetcheckin
Tags:32 CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b9d0d135d4feddc5dbda11c5aa4cc586
Verdict:
Malicious activity
Analysis date:
2021-06-24 01:18:45 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/eb44e40f-6207-4e8b-8f24-fe741c03aa91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d09fcb35-1828-47b4-8de1-9ffc154d1570
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807024
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439439 Sample: RojuDvOJlj Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 4 other signatures 2->44 9 RojuDvOJlj.exe 7 2->9         started        process3 signatures4 46 Contains functionality to register a low level keyboard hook 9->46 12 cmd.exe 1 9->12         started        process5 signatures6 48 Submitted sample is a known malware sample 12->48 50 Obfuscated command line found 12->50 52 Uses ping.exe to sleep 12->52 54 Uses ping.exe to check the status of other devices and networks 12->54 15 cmd.exe 3 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 58 Obfuscated command line found 15->58 60 Uses ping.exe to sleep 15->60 20 Dir.exe.com 15->20         started        22 PING.EXE 1 15->22         started        25 findstr.exe 1 15->25         started        process9 dnsIp10 28 Dir.exe.com 27 20->28         started        34 127.0.0.1 unknown unknown 22->34 32 C:\Users\user\AppData\Local\...\Dir.exe.com, Targa 25->32 dropped file11 process12 dnsIp13 36 YNEVKGXfIJBtHDPRfsabtvLROtTe.YNEVKGXfIJBtHDPRfsabtvLROtTe 28->36 56 Tries to harvest and steal browser information (history, passwords, etc) 28->56 signatures14
Detection:
cryptbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/06cf7c7c1a2d8f8647c977803466fd5b3a39dded0312fb23575eeacfaeaf07d6/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 21:13:07 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3hxy7a2fwhymr6jo6adizx5lm5dtxpnamjpwi2xl3vm7lvpa7la._file
Verdict:
malicious
Similar samples:
02a87432aa8362fae07a1f6f53e01635c45dce79453e057a899bcf1588b40763
CryptBot
02b2395502a744108c7c09bafafb58af53016603294bdb780d667bb91c484363
CryptBot
04c7a8fc8e75fa2a6f788b3c92cd46d6d99a517add2f875d9fdf8b4377d54acf
CryptBot
1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
CryptBot
530656ad87a4e5c0f07998323ebca34348af7c7a2e585196f2d0c73580832e36
CryptBot
8e8a09fbbc7eddbe0d27909b557a9e185a57eb0be431cb16fa363fd7ca5cd679
CryptBot
957860a901820c6cd66f49700a18a4fc3243104f8147805d1bbec9ec651f009b
CryptBot
a2ed4456865129f69ed876a3262526d1193bc881708d46d86be1528f23c1b749
CryptBot
f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
CryptBot
f9ea5610c7a0bb3fcf4380200e3056266e06819f0ae956ee96961211b1ef98a5
CryptBot
+ 226 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/210624-e6t6fl1dnx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
CryptBot
Unpacked files
SH256 hash:
262d18d6dc3bc29de34c9435abe3da16c216e3a8f1bcab348f3b83fb5576d8d6
MD5 hash:
a0566a607b5598a7ffcc02c2d799b85a
SHA1 hash:
d6a5df43d96401678207ef5f3448e9cc7146fe95
Link:
https://www.unpac.me/results/67d4247e-9337-4459-9720-064ab38eacef/
SH256 hash:
06cf7c7c1a2d8f8647c977803466fd5b3a39dded0312fb23575eeacfaeaf07d6
MD5 hash:
b9d0d135d4feddc5dbda11c5aa4cc586
SHA1 hash:
02da0f0321e163cbabcbf3935204352b6a7de36d
Link:
https://www.unpac.me/results/67d4247e-9337-4459-9720-064ab38eacef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06cf7c7c1a2d8f8647c977803466fd5b3a39dded0312fb23575eeacfaeaf07d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 06cf7c7c1a2d8f8647c977803466fd5b3a39dded0312fb23575eeacfaeaf07d6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393163/
  
URLhaus
https://urlhaus.abuse.ch/url/1393602/
  
URLhaus
https://urlhaus.abuse.ch/url/1393651/

Comments