MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a
SHA3-384 hash: c5fbaf5ee12f0fd919676edb4991479241dc0ab967b43bec49fa602939995a4994f81f47a9c6c82e8bbb03cc77a98dd7
SHA1 hash: ab0669145742f5cca5f10f5110ee4885fae591dd
MD5 hash: 32213915f00a2efe030c5b86ed5414b5
humanhash: winner-illinois-india-football
File name:32213915f00a2efe030c5b86ed5414b5.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:712'192 bytes
First seen:2021-03-24 07:38:52 UTC
Last seen:2021-03-24 09:55:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 89eedfa8c6a8f7c024268d7a02a3aaa8 (2 x Loki, 2 x RaccoonStealer, 1 x FickerStealer)
ssdeep 12288:AvriNVd1mTSdOtNu1VQIYyXteLeOUYdXjZusCK1QBlINg2sH0B:A+NSSdOtNKvsC/YdTotK10
Threatray 81 similar samples on MalwareBazaar
TLSH EBE4F12177F1C033E2E25971CD34C2B48B7BB83229BA899F7BD05A794E247D2D625706
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
A043A69DD5BC7B5E61D606F3A678D6C1.exe
Verdict:
Malicious activity
Analysis date:
2021-03-24 07:36:01 UTC
Tags:
evasion trojan loader stealer autoit
Link:
https://app.any.run/tasks/06824020-3581-496f-87db-c17d8862b1f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.56293.25742.11150.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Delayed reading of the file
Reading critical registry keys
Sending a UDP request
Creating a window
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/651793
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 374846 Sample: O5hVWHtH1b.exe Startdate: 24/03/2021 Architecture: WINDOWS Score: 100 97 HtcMxJDZqUppUy.HtcMxJDZqUppUy 2->97 99 maybo2.hk 2->99 101 2 other IPs or domains 2->101 121 Malicious sample detected (through community Yara rule) 2->121 123 Antivirus detection for dropped file 2->123 125 Multi AV Scanner detection for dropped file 2->125 127 11 other signatures 2->127 12 O5hVWHtH1b.exe 50 2->12         started        17 svchost.exe 2->17         started        19 svchost.exe 9 1 2->19         started        21 10 other processes 2->21 signatures3 process4 dnsIp5 105 morwhy03.top 35.228.217.164, 49713, 49714, 80 GOOGLEUS United States 12->105 107 akrvt04.top 8.209.101.43, 49717, 49718, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 12->107 109 bazfr32.top 12->109 89 C:\Users\user\AppData\Local\Temp\Joirk.exe, PE32 12->89 dropped 91 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->91 dropped 145 Detected unpacking (changes PE section rights) 12->145 147 Detected unpacking (overwrites its own PE header) 12->147 149 Tries to harvest and steal browser information (history, passwords, etc) 12->149 23 Joirk.exe 21 12->23         started        27 cmd.exe 1 12->27         started        151 Changes security center settings (notifications, updates, antivirus, firewall) 17->151 93 C:\ProgramData\Microsoft93etwork\...\qmgr.jfm, DOS 19->93 dropped 111 192.168.2.1 unknown unknown 21->111 file6 signatures7 process8 file9 81 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 23->81 dropped 83 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 23->83 dropped 85 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 23->85 dropped 87 2 other files (1 malicious) 23->87 dropped 133 Multi AV Scanner detection for dropped file 23->133 135 Machine Learning detection for dropped file 23->135 29 6.exe 7 23->29         started        31 5.exe 23->31         started        36 4.exe 4 23->36         started        38 vpn.exe 23->38         started        137 Submitted sample is a known malware sample 27->137 139 Obfuscated command line found 27->139 141 Uses ping.exe to sleep 27->141 143 Uses ping.exe to check the status of other devices and networks 27->143 40 conhost.exe 27->40         started        42 timeout.exe 1 27->42         started        signatures10 process11 dnsIp12 44 cmd.exe 29->44         started        46 svchost.exe 29->46         started        113 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49723 GOOGLEUS United States 31->113 115 doc-10-04-docs.googleusercontent.com 31->115 73 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 31->73 dropped 75 C:\Users\user\AppData\Local\...\Active.exe, PE32+ 31->75 dropped 77 C:\Users\user\AppData\...\AutoIt3_x64.exe, PE32+ 31->77 dropped 117 Query firmware table information (likely to detect VMs) 31->117 119 Sample is not signed and drops a device driver 31->119 79 C:\Users\user\AppData\...\SmartClock.exe, PE32 36->79 dropped 48 SmartClock.exe 36->48         started        50 cmd.exe 38->50         started        52 svchost.exe 38->52         started        file13 signatures14 process15 process16 54 cmd.exe 44->54         started        57 conhost.exe 44->57         started        59 conhost.exe 50->59         started        61 cmd.exe 50->61         started        signatures17 129 Obfuscated command line found 54->129 131 Uses ping.exe to sleep 54->131 63 Avvertire.exe.com 54->63         started        65 PING.EXE 54->65         started        68 findstr.exe 54->68         started        process18 dnsIp19 70 Avvertire.exe.com 63->70         started        95 127.0.0.1 unknown unknown 65->95 process20 dnsIp21 103 grcCwxjDXykM.grcCwxjDXykM 70->103
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a/
Threat name:
Win32.Trojan.CryptBot
Create hunting rule
Status:
Malicious
First seen:
2021-03-24 07:10:04 UTC
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdapccaiicvtz575nh4au24cdjxzls33k6t6ipp3ov7j35myygfa._file
Verdict:
malicious
Similar samples:
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
CryptBot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
CryptBot
9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
CryptBot
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
CryptBot
c8a30abef2939b6c3b6193feffbaf8ba4a87c79fc32e71b10b94bbdb8e1e238f
CryptBot
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
CryptBot
+ 71 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:xmrig discovery evasion miner spyware stealer
Link:
https://tria.ge/reports/210324-dpkxfqvxls/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Sets file to hidden
XMRig Miner Payload
CryptBot
xmrig
Unpacked files
SH256 hash:
7c9085a3037adecfddcab95ed781c93489d30d2078080bcd6f9ae5ff7bbdce3d
MD5 hash:
47c37c76c3dc228aa44f9836e444f711
SHA1 hash:
d18ac41bd348accf5f5fdcabe15a237ef5fa77aa
Link:
https://www.unpac.me/results/50f1afe2-d455-4615-bb95-b8c55ecd51ee/
SH256 hash:
10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a
MD5 hash:
32213915f00a2efe030c5b86ed5414b5
SHA1 hash:
ab0669145742f5cca5f10f5110ee4885fae591dd
Link:
https://www.unpac.me/results/50f1afe2-d455-4615-bb95-b8c55ecd51ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1085767/
  
Delivery method
Distributed via web download

Comments