MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 292a5973504850b613bc2bf171ca13af404030c276b87b335d1f3877ae1d6533. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cryptbot


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 292a5973504850b613bc2bf171ca13af404030c276b87b335d1f3877ae1d6533
SHA3-384 hash: 82fcf340e1c124e4c8d941b97a6307e9c1253a0ab7636a03b7c456c26642db927ac68d3eacb2a5b611dbe6700212cf9a
SHA1 hash: 857f7f2d7833597658dd00c4c31b3dd61393ecd8
MD5 hash: be8f8a6a796c925907d4047a808e7f5e
humanhash: sweet-king-lactose-uranus
File name:be8f8a6a796c925907d4047a808e7f5e.exe
Download: download sample
Signature Cryptbot
Create hunting rule
File size:1'328'685 bytes
First seen:2021-07-17 13:30:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:PNxTwUibv1ZdVOcw4T2Upx4j6Y3bGF88R3sB56zlX4rgEBpXuwM:cbv1ZabY2UKaer6aEEBpPM
Threatray 353 similar samples on MalwareBazaar
TLSH T1415523567F82C43AFBD1087198B10BF0693BFE242EE8E716B709B9DD66704129438B75
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bcd4db4df2b58bfb92a5c7e7395abd99.exe
Verdict:
Malicious activity
Analysis date:
2021-07-17 09:50:29 UTC
Tags:
trojan stealer loader
Link:
https://app.any.run/tasks/a2264762-52a6-4d1e-b7e4-ce12d1fc014f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172337/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37917b72-8262-449c-9a47-2248909f78c6
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817819
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Regsvr32 Anomaly
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450230 Sample: 5atoqs9Dh6.exe Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 7 other signatures 2->64 10 5atoqs9Dh6.exe 25 2->10         started        13 SmartClock.exe 2->13         started        15 SmartClock.exe 2->15         started        process3 file4 44 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 10->44 dropped 46 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 10->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 10->48 dropped 50 3 other files (none is malicious) 10->50 dropped 17 vpn.exe 7 10->17         started        19 4.exe 4 10->19         started        process5 file6 22 cmd.exe 1 17->22         started        42 C:\Users\user\AppData\...\SmartClock.exe, PE32 19->42 dropped 25 SmartClock.exe 19->25         started        process7 signatures8 66 Submitted sample is a known malware sample 22->66 68 Obfuscated command line found 22->68 70 Uses ping.exe to sleep 22->70 72 Uses ping.exe to check the status of other devices and networks 22->72 27 cmd.exe 3 22->27         started        30 conhost.exe 22->30         started        process9 signatures10 74 Obfuscated command line found 27->74 76 Uses ping.exe to sleep 27->76 32 PING.EXE 1 27->32         started        35 Divino.exe.com 27->35         started        37 findstr.exe 1 27->37         started        process11 dnsIp12 52 127.0.0.1 unknown unknown 32->52 54 192.168.2.1 unknown unknown 32->54 39 Divino.exe.com 35->39         started        process13 dnsIp14 56 pMnCrqXnnfZBTzzpFneolcBylumKo.pMnCrqXnnfZBTzzpFneolcBylumKo 39->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/292a5973504850b613bc2bf171ca13af404030c276b87b335d1f3877ae1d6533/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 08:26:55 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fevfs42qjbilme54fpyxdsqtv5aeamgco24hwm25d44hplq5muzq._file
Verdict:
suspicious
Similar samples:
057a4fa95610763f1aa6c88e6076c8492787a39dd23049fa2324c588c15f75cf
Cryptbot
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
Cryptbot
3d364150c09d1f0c4a9eab0144fb4754bdcfa96ad1d0bd874308e625c5958b75
Cryptbot
705b09578c6785adb9c29b9d9e5c57fe8c3892ec6cc0a04b099d205a1794aaf7
Cryptbot
9cbdf7f433f59f69ed01b5d6928259ad816d83c3680b8d14bbc54f2e8cd7b752
Cryptbot
a300239150c8818d18e9a0df037ffd76d4467a84b8918543c227f8059cb4599f
Cryptbot
af8df57ba3941ed8fa89543e4e98f2da5dfe7a0efaaa72aaca4c54ea9f5ccc58
Cryptbot
b3a99ecc4ab9f73d814f0f64a3aa0c71ee3cf94872f2f8ca3a2a1c5d630c095d
Cryptbot
e94bc4b9b7fc5813237818bc03a68b8b9060362d46ae1723e9216ce80ddbc864
Cryptbot
ebc481038bcd4c6f9fb1e636fb74da578ee7e1dca710369b3ef01f421032e89d
Cryptbot
+ 343 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210717-k9424tf7qs/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/6861f236-761a-4d49-9552-eadf3779d6e7/
SH256 hash:
72d577c5e8e2f6eb82d0d92d3da2bc76f08e4ac6714dfcf3203dc9106ff729c0
MD5 hash:
22dac56afb4b568171803e3c80d37c4b
SHA1 hash:
ca981ac7136fb3032b7b47f7bf807c3e4e44bb4c
Link:
https://www.unpac.me/results/6861f236-761a-4d49-9552-eadf3779d6e7/
SH256 hash:
6739fe9e68fa66fd15d726e529a07cb28f6896aa3e6b9cdc0d579ba483559ffc
MD5 hash:
71fd323709de2827a30c3be149da2e07
SHA1 hash:
a07a3f1f416eb47359a62ab1449bd8a6224d6833
Link:
https://www.unpac.me/results/6861f236-761a-4d49-9552-eadf3779d6e7/
SH256 hash:
292a5973504850b613bc2bf171ca13af404030c276b87b335d1f3877ae1d6533
MD5 hash:
be8f8a6a796c925907d4047a808e7f5e
SHA1 hash:
857f7f2d7833597658dd00c4c31b3dd61393ecd8
Link:
https://www.unpac.me/results/6861f236-761a-4d49-9552-eadf3779d6e7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/292a5973504850b613bc2bf171ca13af404030c276b87b335d1f3877ae1d6533

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Cryptbot

Executable exe 292a5973504850b613bc2bf171ca13af404030c276b87b335d1f3877ae1d6533

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1461158/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172337/

Comments