MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
SHA3-384 hash: 1d367e4abb0789b9dc013dfcef085972dffdf4627e790c4d2f169905d7c4b551f8125a42bf554b7d77788015e91618b2
SHA1 hash: a5895766a4cafe68ec6774282b949350dcd88798
MD5 hash: a2e4d1e6f943c9b0c6d6f21c43121592
humanhash: vermont-lion-item-early
File name:a2e4d1e6f943c9b0c6d6f21c43121592.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'375'609 bytes
First seen:2021-03-25 11:08:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:k71m4m8W7OCMwerL1G5Qy+fSNe4kA81GfCY1D4OiHs1Fex73DNZ:kBmn8WlMNL1QUJ4HqGa+kDNZ
Threatray 208 similar samples on MalwareBazaar
TLSH AEB533A1E759C177D88B5C3F6FB08096CDB4FC5E5874C3165305BE0E72B63A28826B62
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
download.zip
Verdict:
Malicious activity
Analysis date:
2021-03-25 11:03:03 UTC
Tags:
autoit stealer trojan loader evasion
Link:
https://app.any.run/tasks/22693474-095b-4050-8932-b4fa1ac289d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/653799
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Svchost Process
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 375838 Sample: 52mvY6iktp.exe Startdate: 25/03/2021 Architecture: WINDOWS Score: 100 98 Multi AV Scanner detection for dropped file 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 Detected unpacking (changes PE section rights) 2->102 104 7 other signatures 2->104 11 52mvY6iktp.exe 21 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 78 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->78 dropped 80 C:\Users\user\AppData\Local\Temp\...\6.exe, PE32 11->80 dropped 82 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->82 dropped 84 2 other files (1 malicious) 11->84 dropped 18 vpn.exe 7 11->18         started        20 6.exe 7 11->20         started        22 5.exe 15 11->22         started        25 4.exe 4 11->25         started        process5 file6 28 cmd.exe 1 18->28         started        31 svchost.exe 18->31         started        33 cmd.exe 1 20->33         started        35 svchost.exe 20->35         started        108 Query firmware table information (likely to detect VMs) 22->108 37 WerFault.exe 21 9 22->37         started        76 C:\Users\user\AppData\...\SmartClock.exe, PE32 25->76 dropped 39 SmartClock.exe 25->39         started        signatures7 process8 signatures9 118 Submitted sample is a known malware sample 28->118 120 Obfuscated command line found 28->120 122 Uses ping.exe to sleep 28->122 124 Uses ping.exe to check the status of other devices and networks 28->124 41 cmd.exe 3 28->41         started        44 conhost.exe 28->44         started        46 cmd.exe 3 33->46         started        48 conhost.exe 33->48         started        process10 signatures11 114 Obfuscated command line found 41->114 116 Uses ping.exe to sleep 41->116 50 Parlato.exe.com 41->50         started        53 PING.EXE 41->53         started        56 findstr.exe 41->56         started        59 Nascosta.exe.com 46->59         started        61 findstr.exe 46->61         started        63 PING.EXE 46->63         started        process12 dnsIp13 106 May check the online IP address of the machine 50->106 65 Parlato.exe.com 50->65         started        92 127.0.0.1 unknown unknown 53->92 94 192.168.2.1 unknown unknown 53->94 74 C:\Users\user\AppData\...\Parlato.exe.com, Targa 56->74 dropped 68 Nascosta.exe.com 59->68         started        file14 signatures15 process16 dnsIp17 86 ip-api.com 208.95.112.1, 49735, 80 TUT-ASUS United States 65->86 88 SzHjeLkdmedyhHqKaboL.SzHjeLkdmedyhHqKaboL 65->88 70 wscript.exe 65->70         started        90 oeBaWlhJhVQq.oeBaWlhJhVQq 68->90 process18 dnsIp19 96 iplogger.org 88.99.66.31, 443, 49736 HETZNER-ASDE Germany 70->96 110 System process connects to network (likely due to code injection or exploit) 70->110 112 May check the online IP address of the machine 70->112 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 06:20:01 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cwkmrtgd4qkfur7fneyvk5yovscfs5ifj2arwek5adfqecobku7q._file
Verdict:
malicious
Similar samples:
08c4b529de76e13d9b005b84f70d3338685a7bad66b30816d839e7d4bffd14f7
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe
CryptBot
7b55f92633f9e8b7aad9234dd19148549c4b068f8199bb2ea4cfa6ef3175e569
CryptBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
CryptBot
b9fe450826cf7e036b06af03cee2288464efff6bc72c4ada9299c38128ee5f77
CryptBot
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
CryptBot
f4e11cd74d31517b59663b1eb83955c4f2dc270143bea943b5b82c5c936fcc01
CryptBot
+ 198 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210325-48p2bn3hf2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
39086226e07d0a8f436ededf59e4ab3541e516ee2f585f5668f8675d77acfe86
MD5 hash:
743f87878cfe08bbd20804f27cfaa027
SHA1 hash:
be5caa12890065613b611d6fe0f627e5f259ef7e
Link:
https://www.unpac.me/results/16d1d0b2-0c1c-4bcd-8b97-8540beb49d3d/
SH256 hash:
a56d515897f4d9d336602a1809949629f0e79e1fa0d55154b3b1121fb6138085
MD5 hash:
b3d3f51c4249eeaa7d5245ea4f8c7460
SHA1 hash:
2a3627e3aeeab195eec76c2a65394d178c954f9f
Link:
https://www.unpac.me/results/16d1d0b2-0c1c-4bcd-8b97-8540beb49d3d/
SH256 hash:
af603b43b7427dba07eb3850ba6d10802a8de0c88118745df106b605179c3c59
MD5 hash:
614939a185af7e809a26b605b4ca521a
SHA1 hash:
a8981b56da9491eb0e43c82d6fa2bbf4a3c3b219
Link:
https://www.unpac.me/results/16d1d0b2-0c1c-4bcd-8b97-8540beb49d3d/
SH256 hash:
a884d7baa0a2bb7e1ec322ce95e27463437ad9b273d10ddc11798053f49333c6
MD5 hash:
65edcb07edc94be9e0158e79712c704c
SHA1 hash:
6a8cd4f5ae73fe646e3dc9d02c064e6237475b02
Link:
https://www.unpac.me/results/16d1d0b2-0c1c-4bcd-8b97-8540beb49d3d/
SH256 hash:
1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
MD5 hash:
a2e4d1e6f943c9b0c6d6f21c43121592
SHA1 hash:
a5895766a4cafe68ec6774282b949350dcd88798
Link:
https://www.unpac.me/results/16d1d0b2-0c1c-4bcd-8b97-8540beb49d3d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1090674/
  
Delivery method
Distributed via web download

Comments