MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cryptbot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
SHA3-384 hash: a54f72417506edf57beb82a505cb90fe8c105467bfa37a484fd7d2dd5bb40a870ed3b4c86685ba1d5c36d729d6984ba4
SHA1 hash: c7ccc88111ad400b1ea72000c3179b1672c440b9
MD5 hash: f268f8707a3c2a9a2ed4663e60c9cdc0
humanhash: pennsylvania-twenty-three-idaho
File name:f268f8707a3c2a9a2ed4663e60c9cdc0.exe
Download: download sample
Signature Cryptbot
Create hunting rule
File size:1'859'456 bytes
First seen:2021-07-16 09:41:04 UTC
Last seen:2021-07-16 10:41:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 524711ec9c5a149fe3bf3479d0b505b6 (3 x Cryptbot)
ssdeep 49152:hJlNAYShf3weGZt+chWw5jqOjfKRaLxIbg3Yzj:hJwYGPrGZt+chlLQCxIlv
Threatray 324 similar samples on MalwareBazaar
TLSH T1DF8500DC66ACB22AC1EF35F1BA1CD71504A5AF9F13E2CC96730CFF09E52D2854A25285
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f268f8707a3c2a9a2ed4663e60c9cdc0.exe
Verdict:
Malicious activity
Analysis date:
2021-07-16 09:45:12 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/a4b6407e-f60b-4585-b9ea-87a9accb4433

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172160/
Detection(s):
Win.Malware.Crypzip-9879015-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bd85372d-5388-4d33-81f6-370b017a596f
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817395
Signature
Contains functionality to register a low level keyboard hook
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449806 Sample: idfMv4NlXM.exe Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 40 wymdxy53.top 2->40 42 clientconfig.passport.net 2->42 44 UTTHxeXMrRzwq.UTTHxeXMrRzwq 2->44 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected Cryptbot 2->62 64 2 other signatures 2->64 10 idfMv4NlXM.exe 7 2->10         started        signatures3 process4 signatures5 66 Contains functionality to register a low level keyboard hook 10->66 13 cmd.exe 1 10->13         started        process6 signatures7 68 Submitted sample is a known malware sample 13->68 70 Obfuscated command line found 13->70 72 Uses ping.exe to sleep 13->72 74 Uses ping.exe to check the status of other devices and networks 13->74 16 cmd.exe 3 13->16         started        19 conhost.exe 13->19         started        process8 signatures9 54 Obfuscated command line found 16->54 56 Uses ping.exe to sleep 16->56 21 Perse.exe.com 16->21         started        23 PING.EXE 1 16->23         started        26 findstr.exe 1 16->26         started        process10 dnsIp11 29 Perse.exe.com 22 21->29         started        46 127.0.0.1 unknown unknown 23->46 48 192.168.2.1 unknown unknown 23->48 34 C:\Users\user\AppData\Local\...\Perse.exe.com, Targa 26->34 dropped file12 process13 dnsIp14 50 hofhes07.top 47.243.129.23, 49739, 49741, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 29->50 52 zMKgKlyUiwiYBmwySVCrnL.zMKgKlyUiwiYBmwySVCrnL 29->52 36 C:\Users\user\AppData\...\nInURmyrWarfi.exe, PE32 29->36 dropped 38 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 29->38 dropped 76 Tries to harvest and steal ftp login credentials 29->76 78 Tries to harvest and steal browser information (history, passwords, etc) 29->78 80 Tries to steal Crypto Currency Wallets 29->80 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 09:42:07 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djykpxukhe3droadg3u5fmrfyl6rthm5h3wtvuwaa5swzqqmfnfa._file
Verdict:
malicious
Similar samples:
0dbfcf05490597b25cd7e6abaf698d821b00301625a85b3f1ee8e75d8a090a49
Cryptbot
12f0a80b6374b38a3997a7ef4528f26ccbca664b26e48533e7d1f36c78da76f4
Cryptbot
349fcfd6f24473d8b0c9429c0f71459a178125b6d42a48129d357ce99eca94fe
Cryptbot
396371c1ad1e04ac40a581cb49c0cb5f0480438f35a2a5e7b44446983acce75f
Cryptbot
600f6200d1eb3f8cd3371327fd9808b24389a13fc69a39aacc2af5c1d15886fc
Cryptbot
90ac0149296d9e41ed0cac8e96866f26e60b7585f75dddff13f67136ef694b63
Cryptbot
ab8d377d550ebae841ab75d2d6257fb38960efc049037bbd2468483871897e5d
Cryptbot
df85a38611751933558ef9e7da81e81025ffc5e5e92cedaf4d97fb0b9f147422
Cryptbot
eb4e54c1372f7002b2b49a9918e67f84d65e52f1b12c5b7313420a48d5305e41
Cryptbot
f35ceca80969fd2b7e78808fbe17aade7468a724562bfab1a2cdd022eba84302
Cryptbot
+ 314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210716-brmn91lhjj/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
a57a41be92e8fd0b3766e7368cd8b70aedae564801dd600c0c9adb64282ceed5
MD5 hash:
9745c2e5a33244c20b817f6ddf1d9fb6
SHA1 hash:
2a4145bfe24eea9498bbb2e93e34e5ea3ab49911
Link:
https://www.unpac.me/results/9dbd010d-a88b-4b1b-b241-5fea4d17866d/
SH256 hash:
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
MD5 hash:
f268f8707a3c2a9a2ed4663e60c9cdc0
SHA1 hash:
c7ccc88111ad400b1ea72000c3179b1672c440b9
Link:
https://www.unpac.me/results/9dbd010d-a88b-4b1b-b241-5fea4d17866d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cryptbot

Executable exe 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1393651/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172160/

Comments