MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
SHA3-384 hash: b81d443c83935b26666e4e4cf64cc1bbbfd343306aa5e3767bb41c462c5ebccd611f2740db1bbb92e1b26482ea3b303c
SHA1 hash: e9f2c0a7e105fe35d3bf72b2cd014d32476e0780
MD5 hash: 43a8636f8748675fb63d026bae9c73b3
humanhash: south-purple-orange-sodium
File name:24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:7'837'696 bytes
First seen:2024-01-21 19:20:32 UTC
Last seen:2024-01-21 21:38:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d57093b1df31c39974f3f351924783cf (3 x Cryptbot)
ssdeep 98304:nVEhTEPMnmpIOHOdMJ7/nATC4K7XsWkkjaHjTo82Pb0cM:nKqPo5MJzATC4C8Wfsj
Threatray 679 similar samples on MalwareBazaar
TLSH T15686CE30D0356E27D84311B8E20513005A8B1A8A6B6B52357AF96C67E3BD46F2FDDF6C
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon b282a88e8eaab692 (26 x CryptBot, 2 x RedLineStealer)
Reporter abuse_ch
Tags:CryptBot exe


Avatar
abuse_ch
CryptBot C2:
http://fygbib44.top/gate.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
361
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472092/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.48668.28215.24080.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Creating a file in the %temp% directory
DNS request
Sending an HTTP POST request
Sending a custom TCP request
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cerbu packed
Link:
https://www.filescan.io/uploads/65ad6e9f68f6c896b6d40667/reports/6b351f42-7b58-4db1-8adc-9bfd9c4c9e2d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30bbb52e-6050-439b-9e72-09c1768954b3
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1378349
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Detected unpacking (creates a PE file in dynamic memory)
Found C&C like URL pattern
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cryptbot
Yara detected CryptbotV2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1378349 Sample: 24FCA3CD8AAD055B2284FDF5C0C... Startdate: 21/01/2024 Architecture: WINDOWS Score: 100 32 fygbib44.top 2->32 36 Snort IDS alert for network traffic 2->36 38 Multi AV Scanner detection for domain / URL 2->38 40 Found malware configuration 2->40 42 8 other signatures 2->42 8 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe 93 2->8         started        13 sartst.exe 2->13         started        signatures3 process4 dnsIp5 34 fygbib44.top 108.186.145.244, 49729, 80 PEGTECHINCUS United States 8->34 28 C:\Users\user\AppData\Roaming\...\sartst.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\Roaming\...\sartst.chm, ASCII 8->30 dropped 44 Detected unpacking (creates a PE file in dynamic memory) 8->44 46 Self deletion via cmd or bat file 8->46 48 Contains functionality to change the desktop window for a process (likely to hide graphical interactions) 8->48 15 cmd.exe 1 8->15         started        18 cmd.exe 1 8->18         started        file6 signatures7 process8 signatures9 50 Uses schtasks.exe or at.exe to add and modify task schedules 15->50 20 conhost.exe 15->20         started        22 schtasks.exe 1 15->22         started        24 conhost.exe 18->24         started        26 timeout.exe 1 18->26         started        process10
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 15:13:23 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=et6khtmkvucvwiue7x24btltmqvyroyz3z6dcnzwdzdffhnfwz7q._file
Verdict:
malicious
Similar samples:
06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab
CryptBot
21ada98043ea73edf58648a2a43856bed7f8e9fafdc948aae020b1dbb3053d90
CryptBot
349fcfd6f24473d8b0c9429c0f71459a178125b6d42a48129d357ce99eca94fe
CryptBot
54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605
CryptBot
6b2a97d42b3da43843b8cbfc4fa53d954be3b041e853c9cd87bb37fe88a91573
CryptBot
719cf0c9eba47af19500753dc4213f551efdc09f13e2c71ef0e39b08a7aca888
CryptBot
7e19416205cfb8e056d4628bdeb635e29cefba04fcb21ee55e7b0077427e4c99
CryptBot
a0ee463632a3799ed2b21d598d1fa8c4ed7198f3debd175a1eb89b2055b57ccd
CryptBot
ae4ccd912a3f2ad87789956660ee5485bb5fcd0f36c1d0d4f1272e3ae1f668f3
CryptBot
b02c2218b9249530276db1fc8e233dffde2beba38b1d90b9549ca650029ab90f
CryptBot
+ 669 additional samples on MalwareBazaar
Result
Malware family:
cryptbot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot discovery spyware stealer
Link:
https://tria.ge/reports/240121-x2mq1shcc7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
CryptBot
Malware Config
C2 Extraction:
http://fygbib44.top/gate.php
Unpacked files
SH256 hash:
e439f02b72a882498d512689f380e1323c4d8342578fe8608e81061cf4a8aee1
MD5 hash:
3d90ab79b9719aded136b7cd437ebb21
SHA1 hash:
dbec6e868a293cb0bd58d35191b1423ab8942384
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/5257842f-1ef6-4f96-8308-b0ea581a16e4/
Parent samples :
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4
cc7cb2ebb12103aea621ec7962819aced4680b4322bc213a9257b36c8f2dab3e
cfa0a176bad0046bd498a5a7f5140ca92734b096c541a54acd1b002f228ec47c
22f34cc0b56ea1709b3af15b41b43fc40fca2b77debb8400108d3f517ee2ed4a
607e8a91c76f444784c2cbc1090cf8724d882d9861641a1f6e0de6b2b9401859
2de4a8c16d3643a3c58c63f4e7df2836919316635c05718dac1e474b6eb7fe29
ec61895ef8af01ff00970e46f7ba98c24bf9079d71e09d3c18576f1a9efc93c2
c1955052a26634f3571423dc64d3fd10c55fdb27f29eb3afd292787693ffcf91
4d4f7a1cb34d5309e1c82e7110209c974a08b3e82eaaf7799d7d9a3a176132ca
48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939
08ec22dd1d931a9d4194d5e46bc42914e62227c11e9fedce2175fe6a53eb4f92
6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
7e18e5fe9e980c48ad67cc2ce7423e818e15c1256e2ffe4ce85c5cfbd5b30877
5dbc3e721cd340dd80bfa7d0127d920f5f2630aa4b3b3ecfb8d2af9f28f0e208
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe
b69687c4b9aa0c1599840ea90562d3833367e8095addfc725fc2b52fad6ee565
SH256 hash:
60d4f88fc0a0d20e50798992beeebd29216508995c86f16d1e5bcc806462e880
MD5 hash:
219327c79f62083b289ed6ade998343d
SHA1 hash:
6067793fce5ef18324baceda1a4018459be7730c
Detections:
CryptBot
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Link:
https://www.unpac.me/results/5257842f-1ef6-4f96-8308-b0ea581a16e4/
SH256 hash:
24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
MD5 hash:
43a8636f8748675fb63d026bae9c73b3
SHA1 hash:
e9f2c0a7e105fe35d3bf72b2cd014d32476e0780
Link:
https://www.unpac.me/results/5257842f-1ef6-4f96-8308-b0ea581a16e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/472092/

Comments