MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dbfcf05490597b25cd7e6abaf698d821b00301625a85b3f1ee8e75d8a090a49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cryptbot

Vendor detections: 9

SHA256 hash: 0dbfcf05490597b25cd7e6abaf698d821b00301625a85b3f1ee8e75d8a090a49
SHA3-384 hash: 5a13af4f1eb55e0d516bb1b8b26c491a22dda16b1b4655d73a7170de37f25773938d44350b3fd6cb66cd0113e21c600b
SHA1 hash: afa6958cca2c7a992c714970e82b44d77ea07dc9
MD5 hash: edff1f449c32df2a819f06f0974bbdbf
humanhash: bakerloo-avocado-steak-mirror
File name: edff1f449c32df2a819f06f0974bbdbf.exe
Signature: Cryptbot
File size: 1'780'789 bytes
First seen: 2021-07-16 08:13:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e04eb610508ddb951732064297e50b65 (6 x CryptBot)
ssdeep: 49152:A1z/eUQJ2uQmvhMT4B3ovBn3qOw2S8OO6GlQNh:A1jeUI2NmeT+3oJ6Ow2Sbrdf
Threatray: 319 similar samples on MalwareBazaar
TLSH: T1EA852300F6D345BAD1A7F234360DDA5625B5BC2F17214AC7B380FE0B69F26816A2D277
Reporter: abuse_ch
Tags: CryptBot exe

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 119
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: edff1f449c32df2a819f06f0974bbdbf.exe
Verdict: Malicious activity
Analysis date: 2021-07-16 08:16:04 UTC
Tags: stealer trojan loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 449751; sample 4l3UYq0wUX.exe; start date 16/07/2021; architecture WINDOWS; score 76). Recoverable process chain from the graph:
4l3UYq0wUX.exe (keyboard-hook functionality; Yara/multi-AV detection; crypto-wallet strings) -> cmd.exe (known malware sample; obfuscated command line; ping.exe used to sleep and to check other devices/networks) -> cmd.exe and conhost.exe -> PING.EXE (contacts 127.0.0.1), Sommesso.exe.com, findstr.exe -> Sommesso.exe.com -> DNS lookup ZCXDZYPNuC.ZCXDZYPNuC
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-07-15 17:59:16 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: 3fb53ee1210adaf3f566abfb48c4ffe82fac2bcf4ac30d8fad02a803f8adb28c
MD5 hash: aad9996b3439d83e41030650729cd2ca
SHA1 hash: e3221fa171c6f93e5e4ea2b0c23dd7346c58f70b
SHA256 hash: 0dbfcf05490597b25cd7e6abaf698d821b00301625a85b3f1ee8e75d8a090a49
MD5 hash: edff1f449c32df2a819f06f0974bbdbf
SHA1 hash: afa6958cca2c7a992c714970e82b44d77ea07dc9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cryptbot

Executable exe 0dbfcf05490597b25cd7e6abaf698d821b00301625a85b3f1ee8e75d8a090a49 (this sample)

Delivery method: Distributed via web download

Comments