MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7
SHA3-384 hash: f9de3abbfa3871f41356c0c19ebc51cf3d9c4638e3ddf849df5802a4bd7e91068f152730b2bcba8e9fa3dbb662f4a9bd
SHA1 hash: 77edda424477c5737ce30f2b2440921a2525a214
MD5 hash: 042edfa930d712dd70b6adee1218d3d9
humanhash: uncle-juliet-autumn-uranus
File name:042edfa930d712dd70b6adee1218d3d9.exe
Download: download sample
Signature CryptBot
Create hunting rule
File size:704'512 bytes
First seen:2021-07-30 06:16:30 UTC
Last seen:2021-07-30 06:44:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c27a98a29b21693846ec47ce91a249f1 (2 x RaccoonStealer, 2 x Smoke Loader, 2 x GCleaner)
ssdeep 12288:dnIjvmmWAk6xHgupN9e5pOELFfan1wpbbCdkpzoOlLXwKaBt+8pvRUZem3c:SvDW4zA3VJKKfzrlLkBzpJ4X
Threatray 69 similar samples on MalwareBazaar
TLSH T105E4E030A680D039E4B712F845B9D3BCA83C7EA2AB3451CF53E52AEE46356E59C30757
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:CryptBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
584
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
042edfa930d712dd70b6adee1218d3d9.exe
Verdict:
Malicious activity
Analysis date:
2021-07-30 06:22:57 UTC
Tags:
stealer trojan
Link:
https://app.any.run/tasks/8382f118-a4ab-4514-978e-2464f790e992

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175210/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader40.50785.18249.4157.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2567018c-e618-4ae4-b0d7-b8b445939132
Result
Threat name:
Cryptbot Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/824300
Signature
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 20:36:31 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmdxycpd4w4qgxktz5z7bl6eivkghxfsfcmbn4k7kd3i6227lx3q._file
Verdict:
malicious
Similar samples:
1572ca8f4bf2788214713ed2f8f3f7da579a76fd335a7ce898dde275ef4f9739
CryptBot
21a27023f4316ff356a2ff7d5c8ef5431d65217da4496820d8865666fe8cd11e
CryptBot
30e374185ded5944c1ff0b2150cdaf2af9decb76a41089351cd21db2c3d1afae
CryptBot
48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1
CryptBot
7cd14dd834ca1aab6cb21eee48c07c13ae10a9c62d6122aa690ae2ec9809ad80
CryptBot
c34a85e738b7c8fa703aaa447cd24d17ff08baae5d4b44b7c2131c5df164b9a3
CryptBot
fccd7d5301e46046f199343583a436d0869f49ae668aeedd41b76d75c403701e
CryptBot
ffb27074c9ab066faecbaa1ad2e2824ba16553f0cf56fc658e62bc137db50c63
CryptBot
+ 59 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:danabot botnet:4 banker discovery persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210730-nrns5tnkq2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Danabot
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
ewaqug42.top
morjau04.top
142.11.244.124:443
142.11.206.50:443
Unpacked files
SH256 hash:
30ec5b29c1fad62bef400ae3e98a8445bfaa4683aa4fb8e874a88d4f4513702d
MD5 hash:
fbcd11bb1573c197ab5b54368b729f09
SHA1 hash:
f52de113e5294623667ae56e9e74a26c879817bb
Detections:
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/3717154b-4455-4f4a-91a3-c81f4be01125/
Parent samples :
c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a
b5835bcf48839eb68a402761c8474123758bd43d08b81738bbf84620df49e307
2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7
SH256 hash:
2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7
MD5 hash:
042edfa930d712dd70b6adee1218d3d9
SHA1 hash:
77edda424477c5737ce30f2b2440921a2525a214
Link:
https://www.unpac.me/results/3717154b-4455-4f4a-91a3-c81f4be01125/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.cryptbot.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1489477/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175210/

Comments