MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 126f515316ff7d1be06266adcbbd565f18437b293b690765dcf55f500cb048e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	126f515316ff7d1be06266adcbbd565f18437b293b690765dcf55f500cb048e0
SHA3-384 hash:	bd1a0f14dde82d5912e45c03c45d52b40894f90a571dc7aa88adce64e44ba2778337f3a6b313ff09c3b05192191b1e55
SHA1 hash:	4a75e27a1ed940a6f27f5f2bf316f7ebf95b0858
MD5 hash:	fcf7a9f612586c76b3597985dc5e2b79
humanhash:	virginia-early-echo-delta
File name:	fcf7a9f612586c76b3597985dc5e2b79.exe
Download:	download sample
Signature	CryptBot Create hunting rule
File size:	652'800 bytes
First seen:	2021-03-30 07:14:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8d51505bd41d41cb00a4bb7b4e4cc380 (1 x CryptBot)
ssdeep	12288:IYzF6Td1+9J+n2XUNABXFTNXAV7n5Nk6IqFCbutV7nrWm57G+:IsUdn2XvFRXAxnvk6IqFCijP57G
Threatray	33 similar samples on MalwareBazaar
TLSH	DDD40222B6E1C032D52258750432D6750636FC729BB8AEC7BBD02BAE5F352C1C63675B
Reporter	abuse_ch
Tags:	CryptBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fcf7a9f612586c76b3597985dc5e2b79.exe

Verdict:

Malicious activity

Analysis date:

2021-03-30 07:24:14 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/be93fd0e-c026-4815-97e1-114271d214a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CryptBot

Link:

https://www.capesandbox.com/analysis/127937/

Detection(s):

Win.Trojan.Generic-9848010-0

Win.Malware.Generickdz-9848016-0

Win.Malware.Generickdz-9848021-0

Win.Ransomware.Gandcrypt-9848025-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Deleting a recently created file

Creating a file

Delayed reading of the file

Reading critical registry keys

Creating a window

DNS request

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Glupteba

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/658115

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Glupteba

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/126f515316ff7d1be06266adcbbd565f18437b293b690765dcf55f500cb048e0/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cjxvcuyw756rxydcm2w4xpkwl4meg6zjhnuqozo46vpvadfqjdqa._file

Verdict:

suspicious

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/210330-3ctml3n9da/

Behaviour

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

e9c743133a450c6dbc187184b7ca7034b97d1abd3e538113645a2a83fd659829

MD5 hash:

a24f8ad6f76e7bd8cac0debd19579aba

SHA1 hash:

94508f6d5e8aa813c03b6a92c2ade26f23c1b6ed

Link:

https://www.unpac.me/results/afa6ec21-a9e4-42e8-99e9-148022ad8e30/

SH256 hash:

126f515316ff7d1be06266adcbbd565f18437b293b690765dcf55f500cb048e0

MD5 hash:

fcf7a9f612586c76b3597985dc5e2b79

SHA1 hash:

4a75e27a1ed940a6f27f5f2bf316f7ebf95b0858

Link:

https://www.unpac.me/results/afa6ec21-a9e4-42e8-99e9-148022ad8e30/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Vundo

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/126f515316ff7d1be06266adcbbd565f18437b293b690765dcf55f500cb048e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_CryptBot Create hunting rule
Author:	ditekSHen
Description:	CryptBot/Fugrafa stealer payload

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com