MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac
SHA3-384 hash: de71ea6a4494a00d65a1491bd126ed2a5868472c33b26fcbbbbeaa2faef822e18a3f4a9da26aec480363d7fbe450ad69
SHA1 hash: 7f277f5f8f9c2831d40a2dc415566a089a820151
MD5 hash: 12d20a973f8cd9c6373929ae14efe123
humanhash: blossom-ack-nine-november
File name:12d20a973f8cd9c6373929ae14efe123.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:2'596'864 bytes
First seen:2022-10-06 00:50:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c117da3077c670912eb41c7c8833ea16 (1 x CryptBot)
ssdeep 49152:y3bq2vicPwiX3QrebPmY8URYjsynbHph:wbvD/gSDmxUk
TLSH T18CC5E3B768B35BF2C7D96E71A0D568B50D84C1332D15A07CAC4482FCC57A3FA52EAA31
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon dcf8ecd4968eaa8a (1 x CryptBot)
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://sginiv12.top/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://sginiv12.top/gate.php https://threatfox.abuse.ch/ioc/871786/

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317063/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.22748.13381.14953.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/633e2676d089a0c15dd565cd/reports/db6cb237-21ec-4efe-96e4-b713d48bdc44/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/210cbe30-fcdb-4c6a-b3d7-4a14fb03f535
Result
Threat name:
CryptbotV2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084572
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found C&C like URL pattern
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected CryptbotV2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 717129 Sample: LVFsOtnY73.exe Startdate: 06/10/2022 Architecture: WINDOWS Score: 100 18 sginiv12.top 2->18 24 Snort IDS alert for network traffic 2->24 26 Multi AV Scanner detection for domain / URL 2->26 28 Antivirus detection for URL or domain 2->28 30 6 other signatures 2->30 8 LVFsOtnY73.exe 45 2->8         started        signatures3 process4 dnsIp5 20 bytcox01.top 8->20 22 sginiv12.top 35.228.162.210, 49702, 80 GOOGLEUS United States 8->22 32 Self deletion via cmd or bat file 8->32 34 Tries to harvest and steal browser information (history, passwords, etc) 8->34 12 cmd.exe 1 8->12         started        signatures6 process7 process8 14 conhost.exe 12->14         started        16 timeout.exe 1 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-03 10:12:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=da7yilhbmhupbthirvsfdnm7w2a2zbv5giq2wnn72z24wqxqk2wa._file
Verdict:
malicious
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/221006-a7gqmagccm/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
CryptBot
Malware Config
C2 Extraction:
[<
http://sginiv12.top/gate.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/601dd4fa-8518-4c7e-baae-b8b52886eb11
Unpacked files
SH256 hash:
8d58b74f4ca5560ffbca47c96146c8b06c81483109e2286b11c135410e93aa77
MD5 hash:
a9657008659519d8e199f576452d4a11
SHA1 hash:
7a2195923ff11563ea6a8d44eb4015f5cb93834b
Link:
https://www.unpac.me/results/e9fba29a-fd5b-4ffc-86fe-46efae3febdf/
SH256 hash:
183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac
MD5 hash:
12d20a973f8cd9c6373929ae14efe123
SHA1 hash:
7f277f5f8f9c2831d40a2dc415566a089a820151
Link:
https://www.unpac.me/results/e9fba29a-fd5b-4ffc-86fe-46efae3febdf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/183f842ce161/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/183f842ce161e8f0cce88d6451b59fb681ac86bd3221ab35bfd675cb42f056ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317063/

Comments