MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot
Vendor detections: 10



SHA256 hash: 1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
SHA3-384 hash: d8938b6d099fe0f873d0cebd1a3b30db45efcbafb97d0b83119e7e6ea62ee711e02fed3b4842179a5f61a71e4bd77863
SHA1 hash: cec89fc1ffac4c4d30f88b99dfeafb74661dc57f
MD5 hash: 9b7b9e383bdaa6d350c768d010bd960a
humanhash: four-william-october-alanine
File name: 9b7b9e383bdaa6d350c768d010bd960a.exe
Signature: CryptBot
File size: 1'768'302 bytes
First seen: 2021-05-29 14:45:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 650ed02ca4b6baad6b24f20402b6268b (7 x RedLineStealer, 1 x CryptBot, 1 x RemcosRAT)
ssdeep: 49152:wXojUFthSLXszyLUIcc0ES+WtDXOBSeqvkveJx8Y:wXpF7SLHLcc0VmH+ueJV
Threatray: 176 similar samples on MalwareBazaar
TLSH: E0852365F3F6C2BAD4D11672C9B1B3341AADF9269B2644C723F443531E24FC1973924A
Reporter: abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
http://geospt56.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://geospt56.top/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/66833/

Intelligence


File Origin
# of uploads: 1
# of downloads: 339
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9b7b9e383bdaa6d350c768d010bd960a.exe
Verdict: Malicious activity
Analysis date: 2021-05-29 14:46:48 UTC
Tags: autoit stealer trojan loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a PE binary may be suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Cryptbot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph (ID 426656; sample ki7Prfb5hh.exe; start date 29/05/2021; architecture WINDOWS; score 100), recovered from the graph image as a process tree:
Graph-level signatures: found malware configuration; malicious sample detected (through community Yara rule); antivirus detection for URL or domain; 5 other signatures
ki7Prfb5hh.exe  [contains functionality to register a low level keyboard hook]
  cmd.exe  [submitted sample is a known malware sample; obfuscated command line found; uses ping.exe to sleep; uses ping.exe to check the status of other devices and networks]
    cmd.exe  [obfuscated command line found; uses ping.exe to sleep]
      PING.EXE  -> 127.0.0.1
      Apparenze.exe.com
        Apparenze.exe.com  -> ylNYcjyQqWBCsNgcSyA.ylNYcjyQqWBCsNgcSyA (DNS/IP node)
      findstr.exe
    conhost.exe
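The behaviours this vendor reports for the sample (cmd.exe spawned by the sample with an obfuscated command line, ping.exe against 127.0.0.1 used as a sleep, a dropped "Apparenze.exe.com" run from a %temp% subdirectory) translate directly into endpoint detection rules. The block below is an added example, not MalwareBazaar or sandbox-vendor code: it runs those rules over constructed Sysmon-style process-creation events and groups the hits by process tree, as the graph above does. The event field names, the caret-count threshold and the generalised double-extension pattern are assumptions; the page does not say which form of command-line obfuscation the sandbox saw.

```python
"""Process-behaviour rules mirroring the sandbox signatures on this entry.

Added example, not MalwareBazaar or sandbox-vendor code. Events are constructed
Sysmon-style records; field names, thresholds and the caret-escape heuristic
for "obfuscated" are assumptions, not facts taken from the page.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Constructed events (not sandbox output); process names follow the graph above.
EVENTS = [
    {"pid": 4120, "ppid": 1588, "image": r"C:\Users\u\Desktop\ki7Prfb5hh.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Users\u\Desktop\ki7Prfb5hh.exe"'},
    {"pid": 4200, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\u\Desktop\ki7Prfb5hh.exe",
     "command_line": r"cmd /c p^i^n^g 127.0.0.1 -n 30 > nul & A^pparenze.exe.com"},
    {"pid": 4216, "ppid": 4200, "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "ping 127.0.0.1 -n 30"},
    {"pid": 4232, "ppid": 4200, "image": r"C:\Users\u\AppData\Local\Temp\sub1\Apparenze.exe.com",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "Apparenze.exe.com"},
    # Benign control: an operator pinging a gateway once from an interactive shell.
    {"pid": 5000, "ppid": 1588, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "ping 10.0.0.1 -n 1"},
]

CARET_THRESHOLD = 4  # assumption: ordinary cmd lines rarely carry this many ^ escapes
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PING_COUNT_RE = re.compile(r"-n\s+(\d+)", re.I)
# Generalised beyond the page's ".exe.com": an executable extension hidden behind another.
DOUBLE_EXT_RE = re.compile(r"\.(exe|dll|scr|bat|cmd|vbs|js)\.(com|exe|scr|pif|bat|cmd)$")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\")


def base(path: str) -> str:
    return ntpath.basename(path).lower()

def rule_obfuscated_cmdline(ev) -> bool:
    """cmd.exe whose command line leans on caret escapes or %var:~n,m% substring tricks."""
    if base(ev["image"]) != "cmd.exe":
        return False
    cl = ev["command_line"]
    return cl.count("^") >= CARET_THRESHOLD or len(re.findall(r"%\w+:~", cl)) >= 2

def rule_ping_sleep(ev) -> bool:
    """ping.exe from cmd.exe against loopback with count > 1: a delay, not a connectivity test."""
    if base(ev["image"]) != "ping.exe" or base(ev["parent_image"]) != "cmd.exe":
        return False
    m = PING_COUNT_RE.search(ev["command_line"])
    loopback_target = bool(LOOPBACK & set(ev["command_line"].lower().split()))
    return loopback_target and m is not None and int(m.group(1)) >= 2

def rule_double_extension_exec(ev) -> bool:
    return DOUBLE_EXT_RE.search(base(ev["image"])) is not None

def rule_exec_from_temp(ev) -> bool:
    return TEMP_RE.search(ev["image"].lower()) is not None

RULES = {
    "obfuscated_cmdline": rule_obfuscated_cmdline,
    "ping_sleep": rule_ping_sleep,
    "double_extension_exec": rule_double_extension_exec,
    "exec_from_temp": rule_exec_from_temp,
}

def evaluate(events) -> list[tuple[int, str]]:
    """(pid, rule) for every rule that fires, in event order."""
    return [(ev["pid"], name) for ev in events for name, fn in RULES.items() if fn(ev)]

def root_pid(pid: int, by_pid: dict) -> int:
    """Walk ppid links up to the top-most process we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid

def alerts_by_tree(events) -> dict[int, set[str]]:
    """Group fired rules under their root so the chain sample -> cmd.exe ->
    ping.exe / dropped file is judged as one unit, the way the graph shows it."""
    by_pid = {ev["pid"]: ev for ev in events}
    tree = defaultdict(set)
    for pid, name in evaluate(events):
        tree[root_pid(pid, by_pid)].add(name)
    return dict(tree)

if __name__ == "__main__":
    for root, names in alerts_by_tree(EVENTS).items():
        print(root, sorted(names))
```

Scoring per tree rather than per event is what keeps the benign control quiet: a single `ping 10.0.0.1 -n 1` from an operator's shell trips nothing, while the sample's tree accumulates all four rules.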
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-05-28 06:32:14 UTC
AV detection: 13 of 29 (44.83%)
Threat level: 5/5

Result
Malware family: danabot
Score: 10/10
Tags: family:cryptbot family:danabot botnet:3 banker discovery spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
Danabot
Malware Config
C2 Extraction:
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Please note that we are no longer able to provide a coverage score for Virus Total.
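The network indicators on this page come from two places: the CryptBot C2 URL reported by abuse_ch (also listed on ThreatFox) and the four IP:443 pairs extracted from the DanaBot configuration by the vendor above. The block below is an added example, not MalwareBazaar, abuse.ch or vendor code: it loads exactly those indicators and sweeps constructed DNS, proxy and firewall log lines for them, labelling a full IP:port match differently from traffic to the same IP on an unlisted port, which is weaker evidence. The log format and the sample lines are assumptions made for the example.

```python
"""IOC sweep for the network indicators listed on this MalwareBazaar entry.

Added example, not MalwareBazaar or abuse.ch code. The indicators are copied
from the page; the log lines are constructed so the script runs offline, and
their "<ts> <source> key=value ..." shape is an assumption, not a real format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the page (CryptBot C2 URL; DanaBot C2 extraction).
C2_URLS = ["http://geospt56.top/index.php"]
C2_SOCKETS = ["184.95.51.183:443", "184.95.51.175:443",
              "192.210.198.12:443", "184.95.51.180:443"]

# Constructed log lines (not from any real host).
SAMPLE_LOG = """\
2021-05-29T14:47:01Z dns client=10.0.0.12 query=geospt56.top type=A
2021-05-29T14:47:02Z proxy client=10.0.0.12 method=POST url=http://geospt56.top/index.php status=200
2021-05-29T14:47:03Z dns client=10.0.0.31 query=www.example.com type=A
2021-05-29T14:47:05Z fw src=10.0.0.12 dst=184.95.51.183 dport=443 proto=tcp action=allow
2021-05-29T14:47:06Z fw src=10.0.0.31 dst=93.184.216.34 dport=443 proto=tcp action=allow
2021-05-29T14:47:09Z fw src=10.0.0.12 dst=192.210.198.12 dport=8080 proto=tcp action=deny
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class IocSet:
    urls: frozenset[str]
    domains: frozenset[str]
    sockets: frozenset[tuple[str, int]]
    ips: frozenset[str]


def build_ioc_set(urls, sockets) -> IocSet:
    """Derive domain-only and IP-only views so partial matches can be scored lower."""
    domains = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    socks = set()
    for s in sockets:
        host, _, port = s.rpartition(":")
        socks.add((host, int(port)))
    return IocSet(frozenset(u.lower() for u in urls), frozenset(domains),
                  frozenset(socks), frozenset(h for h, _ in socks))


def parse_line(line: str) -> dict[str, str]:
    """Split '<ts> <source> k=v k=v ...' into a flat dict."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return {}
    rec = {"ts": parts[0], "source": parts[1]}
    rec.update(KV_RE.findall(parts[2]))
    return rec


def domain_matches(name: str, domains) -> bool:
    """Exact or subdomain match; trailing dot and case are normalised."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def sweep(lines, iocs: IocSet) -> list[dict]:
    """Return one hit per matching line, labelled by how strong the match is."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        src, reason = rec.get("source"), None
        if src == "dns" and domain_matches(rec.get("query", ""), iocs.domains):
            reason = "dns_query_c2_domain"
        elif src == "proxy":
            url = rec.get("url", "").lower()
            if url in iocs.urls:
                reason = "http_request_c2_url"
            elif domain_matches(urlparse(url).hostname or "", iocs.domains):
                reason = "http_request_c2_domain"
        elif src == "fw":
            dst, port = rec.get("dst", ""), rec.get("dport", "")
            if port.isdigit() and (dst, int(port)) in iocs.sockets:
                reason = "tcp_c2_socket"
            elif dst in iocs.ips:
                # Same host, unlisted port: weaker evidence, still worth a look.
                reason = "tcp_c2_ip_other_port"
        if reason:
            hits.append({"ts": rec["ts"], "client": rec.get("client") or rec.get("src"),
                         "reason": reason, "raw": line})
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG, build_ioc_set(C2_URLS, C2_SOCKETS)):
        print(h["ts"], h["client"], h["reason"])
```

When importing these into a blocklist or SIEM watchlist, keep the URL tagged as CryptBot (the reporter's attribution) and the IP:port pairs tagged as DanaBot (the vendor's config extraction), as the page does; the two labels should not be merged just because they appear on one sample's entry.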

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments