MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
SHA3-384 hash: d35202d25cacbd08db6c9d80d32e465803e7ccd14bb25e2a7e1664b0e03291fe39ff20f01b69a44c20af0f7abfe51e42
SHA1 hash: e84cc31bfece34b438fea81b149f834db1632df9
MD5 hash: 010d7703a5d4cfea5ea6e9ced6b42eff
humanhash: nebraska-west-alanine-mike
File name:32_64_ver_2_bit.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:1'807'502 bytes
First seen:2021-04-06 12:28:35 UTC
Last seen:2021-04-06 12:28:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:A1qUuHGmg09lDNfEWp3iszF7UPVfVogWJGjHwzhP5vOfZPqSfdRfwIMHLtK21qOw:A1qUuN9VNhzu9fVok7wNIpgVtKOqV3mY
Threatray 126 similar samples on MalwareBazaar
TLSH 5D852215E9EDC0FDD952F930BDC62992DABDAE2D3B9789F7977138210AB41C1C26C180
Reporter JAMESWT_WT
Tags:34.232.69.120 CryptBot exe signed

Code Signing Certificate

Organisation:Piriform Software Ltd
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-10-14T00:00:00Z
Valid to:2022-10-18T12:00:00Z
Serial number: 02fa994d660de659ee9037ecb437d766
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 9784efa9505d3c762d0529b0bacf1cf14b7c134289e7f132e5059551c5b7b0d4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
iMazing-2135-Crack---License-Key-Free-Download-2021_2c62b3b72cef62d5fa373e.zip
Verdict:
Malicious activity
Analysis date:
2021-04-05 17:21:44 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/1e6e6774-bd15-4223-954d-3cfeaf5cc6cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Predatorthethief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132654/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Jacard.184087.14432.10100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Creating a file in the %temp% subdirectories
Launching the process to create tasks for the scheduler
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667504
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 382683 Sample: 32_64_ver_2_bit.exe Startdate: 06/04/2021 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 2 other signatures 2->62 11 32_64_ver_2_bit.exe 7 2->11         started        process3 signatures4 70 Contains functionality to register a low level keyboard hook 11->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 11->72 14 cmd.exe 1 11->14         started        17 at.exe 1 11->17         started        process5 signatures6 74 Submitted sample is a known malware sample 14->74 76 Obfuscated command line found 14->76 78 Uses ping.exe to sleep 14->78 80 Uses ping.exe to check the status of other devices and networks 14->80 19 cmd.exe 3 14->19         started        22 conhost.exe 14->22         started        24 conhost.exe 17->24         started        process7 signatures8 64 Obfuscated command line found 19->64 66 Uses ping.exe to sleep 19->66 26 Male.exe.com 19->26         started        28 PING.EXE 1 19->28         started        31 findstr.exe 1 19->31         started        process9 dnsIp10 34 Male.exe.com 47 26->34         started        52 127.0.0.1 unknown unknown 28->52 54 192.168.2.1 unknown unknown 28->54 44 C:\Users\user\AppData\...\Male.exe.com, Targa 31->44 dropped file11 process12 dnsIp13 46 dyhkw15.top 34.118.72.185, 49738, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 34->46 48 esmxc01.top 34.65.214.4, 49740, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 34->48 50 2 other IPs or domains 34->50 68 Tries to harvest and steal browser information (history, passwords, etc) 34->68 38 cmd.exe 1 34->38         started        signatures14 process15 process16 40 conhost.exe 38->40         started        42 timeout.exe 1 38->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-06 04:16:27 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
2678fa4d8a8650f8ce4b24880eaf89c49cffa228a419b8e5cf26972a959d87cc
CryptBot
2cad1d5cd3e145f720e3da8825183d78545b834fe146a8d1ec26c0e876980a66
CryptBot
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
CryptBot
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
CryptBot
b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae
CryptBot
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
CryptBot
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
CryptBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
CryptBot
ecee44992b84f86f98c14b5af66451c9e6306e7db33d038cef6d7292988da559
CryptBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
CryptBot
+ 116 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210406-1xh1anhwrs/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
d0183461622de393596ee2931954e81abcdac78a0d63c1a9edd74d819a1c9922
MD5 hash:
f3edd292787986b5e0da721f4cc45daf
SHA1 hash:
a8779c34213397d0473e5e01e0da18f112dc84e3
Link:
https://www.unpac.me/results/5e7f1cf7-2fe1-41bc-8208-cc47d6556122/
SH256 hash:
0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
MD5 hash:
010d7703a5d4cfea5ea6e9ced6b42eff
SHA1 hash:
e84cc31bfece34b438fea81b149f834db1632df9
Link:
https://www.unpac.me/results/5e7f1cf7-2fe1-41bc-8208-cc47d6556122/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132654/

Comments