MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940
SHA3-384 hash: bf7062f71172c07fba3c3cdd6b3acb348d3264e58fd46c8eb656dbcb5b27eb32dee1d6a5adcd93e7d19d333675a96e65
SHA1 hash: fba1795a04b5d6e932213b85f68239e0bd086c1f
MD5 hash: e493d514a5154df3ce530a3dee1d8d07
humanhash: purple-batman-gee-video
File name:e493d514a5154df3ce530a3dee1d8d07.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:663'552 bytes
First seen:2021-07-12 08:51:48 UTC
Last seen:2021-07-12 09:59:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6be17a13f940ac27163ce90e70d2a3b0 (1 x CryptBot)
ssdeep 12288:VX98EULLtJA+EH1bQ23ixmkODU4aUV9ByMT3yD4d0g1Gw1:VtHULLtX2dQzFOD9LV9BzO3g1L
Threatray 301 similar samples on MalwareBazaar
TLSH T15EE40220FAF1C03ED1F35635293987E01A3BBD536675891A7A163B4E2D362D27BA4307
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e493d514a5154df3ce530a3dee1d8d07.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 09:04:38 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/343affce-4584-4f7e-b6fd-7e2114a3fb7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170995/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.33296.31991.32085.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/881fec1a-788b-459e-84f5-d31122076d56
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814645
Signature
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447056 Sample: tyGBM3pwMh.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for dropped file 2->91 93 11 other signatures 2->93 12 tyGBM3pwMh.exe 22 2->12         started        17 SmartClock.exe 2->17         started        19 SmartClock.exe 2->19         started        process3 dnsIp4 83 aledna72.top 143.244.186.174, 49713, 80 COGENT-174US United States 12->83 85 otivzt10.top 47.243.129.23, 49710, 49712, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->85 69 C:\Users\user\AppData\...iUuXIvKrdK.exe, PE32 12->69 dropped 71 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->71 dropped 109 Detected unpacking (changes PE section rights) 12->109 111 Detected unpacking (overwrites its own PE header) 12->111 113 Tries to harvest and steal ftp login credentials 12->113 115 2 other signatures 12->115 21 EiUuXIvKrdK.exe 25 12->21         started        file5 signatures6 process7 file8 59 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 21->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 21->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 21->63 dropped 65 3 other files (none is malicious) 21->65 dropped 99 Antivirus detection for dropped file 21->99 101 Machine Learning detection for dropped file 21->101 25 vpn.exe 7 21->25         started        27 4.exe 4 21->27         started        signatures9 process10 file11 30 cmd.exe 1 25->30         started        67 C:\Users\user\AppData\...\SmartClock.exe, PE32 27->67 dropped 33 SmartClock.exe 27->33         started        process12 signatures13 117 Submitted sample is a known malware sample 30->117 119 Obfuscated command line found 30->119 121 Uses ping.exe to sleep 30->121 123 Uses ping.exe to check the status of other devices and networks 30->123 35 cmd.exe 3 30->35         started        38 conhost.exe 30->38         started        process14 signatures15 95 Obfuscated command line found 35->95 97 Uses ping.exe to sleep 35->97 40 Vigilanza.exe.com 35->40         started        43 PING.EXE 1 35->43         started        46 findstr.exe 1 35->46         started        process16 dnsIp17 107 May check the online IP address of the machine 40->107 49 Vigilanza.exe.com 3 18 40->49         started        81 127.0.0.1 unknown unknown 43->81 73 C:\Users\user\AppData\...\Vigilanza.exe.com, Targa 46->73 dropped file18 signatures19 process20 dnsIp21 75 ip-api.com 208.95.112.1, 49744, 80 TUT-ASUS United States 49->75 77 HuzkESWqLFmEcD.HuzkESWqLFmEcD 49->77 57 C:\Users\user\AppData\...\ursdytnbbbv.vbs, ASCII 49->57 dropped 53 wscript.exe 12 49->53         started        file22 process23 dnsIp24 79 iplogger.org 88.99.66.31, 443, 49745 HETZNER-ASDE Germany 53->79 103 System process connects to network (likely due to code injection or exploit) 53->103 105 May check the online IP address of the machine 53->105 signatures25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-11 09:31:47 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dej3k43z4gox2bpxuviwanb5pueb7ya4m2fqmuqjomi2b2pvpfaa._file
Verdict:
malicious
Similar samples:
056cc0e43fd5b75d6aaa8ab8651394428b1751c538b92aaa088ee3ff79efc20f
CryptBot
4b21de4f5c03de8e7e85bbdc317bd1050ba7bce099c1ba1cafb949ccadff90a2
CryptBot
6f8ce60168331070f8ca906c9c5e4d53e22b9b72a57c6e0c65bf6f83979d310f
CryptBot
7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8
CryptBot
78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16
CryptBot
834ccdd87931ab88f011372377befbafda51abccff557c7dd3e01682580716fb
CryptBot
c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98
CryptBot
e2627edaef3e465cadfb84b250bc0d47cef26af5d2334e5f49ab38d8f919b511
CryptBot
e5dae08e748e408a4a256bd0c5d216281596a20399ea0127ac35b1661248b3ea
CryptBot
f2a7cc00ce9933490e51df2d5df9e7b0b2165c73297a9fa8a99fbf51b85926b8
CryptBot
+ 291 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210712-b4g536k7ka/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
d668ec44955cbd88a44f30b83d6d27cae2ddeaec663e6b6b8f6fc86f4a90a2b9
MD5 hash:
99900a7bc5cfaaa6fcf3cbac137001f5
SHA1 hash:
52ae0cd838a70e56108784c04c92894f55a92c2b
Detections:
win_blacksoul_auto
Create hunting rule
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8b0ff3df-e689-402f-9967-084514c3d7a7/
Parent samples :
c10f974322f23a93c0354a3f57151b3017620313f5678310db27d05be10b4e98
1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940
SH256 hash:
1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940
MD5 hash:
e493d514a5154df3ce530a3dee1d8d07
SHA1 hash:
fba1795a04b5d6e932213b85f68239e0bd086c1f
Link:
https://www.unpac.me/results/8b0ff3df-e689-402f-9967-084514c3d7a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_blacksoul_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.blacksoul.
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 1913b57379e19d7d05f7a55160343d7d081fe01c668b0652097311a0e9f57940

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1441648/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170995/

Comments