MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CryptBot


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
SHA3-384 hash: 5ad6895eaaada3be6ec4ffedb3ca2e2fbc35fda778fce9a101fe8c2b201bb01eb1c0deb24a08b551710cfbe6b1501e0c
SHA1 hash: 129e9dd019f62810a669b29bf44e3eca485c9c5a
MD5 hash: b68f0ee033a8cd19ce47f6ae4f0eaee4
humanhash: arkansas-sweet-early-lithium
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539
Download: download sample
Signature CryptBot
Create hunting rule
File size:659'456 bytes
First seen:2021-03-27 19:31:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 63a73449ffa402e797523b0dc39eb2af (1 x ArkeiStealer, 1 x CryptBot, 1 x RedLineStealer)
ssdeep 12288:kCAqjnGiRJPvZl0uJYv/QwruonzrlXkbCy1qsm+xEynSG7jA72wD:kCAdiRdOv/NruUObJLlxEujK
Threatray 106 similar samples on MalwareBazaar
TLSH 4FE401017AC0C533E8A1293958B5C7F4467AFDF26B25A9CBB7D42B5D4A322F25A31703
Reporter SecuriteInfoCom
Tags:CryptBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539
Verdict:
Malicious activity
Analysis date:
2021-03-27 19:33:15 UTC
Tags:
stealer trojan loader evasion
Link:
https://app.any.run/tasks/39fce23e-6a68-41e1-bf94-240d32afbaa3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127283/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Delayed reading of the file
Reading critical registry keys
Creating a window
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Stealing user critical data
Launching the process to create tasks for the scheduler
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f30ec13-e303-4580-b518-6ae05b396c0a
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655923
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376897 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 27/03/2021 Architecture: WINDOWS Score: 100 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for URL or domain 2->61 63 Multi AV Scanner detection for dropped file 2->63 65 5 other signatures 2->65 10 SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.exe 50 2->10         started        process3 dnsIp4 51 akpgi08.top 35.242.170.33, 49723, 49724, 80 GOOGLEUS United States 10->51 53 morurt06.top 34.65.191.195, 49721, 49722, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 10->53 55 bafoe62.top 10->55 45 C:\Users\user\AppData\Local\Temp\Lunyt.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 10->47 dropped 67 Detected unpacking (overwrites its own PE header) 10->67 69 Tries to harvest and steal browser information (history, passwords, etc) 10->69 15 Lunyt.exe 7 10->15         started        18 cmd.exe 1 10->18         started        file5 signatures6 process7 signatures8 75 Multi AV Scanner detection for dropped file 15->75 77 Machine Learning detection for dropped file 15->77 79 Contains functionality to register a low level keyboard hook 15->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 15->81 20 cmd.exe 1 15->20         started        22 at.exe 1 15->22         started        83 Submitted sample is a known malware sample 18->83 85 Obfuscated command line found 18->85 87 Uses ping.exe to sleep 18->87 89 Uses ping.exe to check the status of other devices and networks 18->89 24 conhost.exe 18->24         started        26 timeout.exe 1 18->26         started        process9 process10 28 cmd.exe 3 20->28         started        31 conhost.exe 20->31         started        33 conhost.exe 22->33         started        signatures11 71 Obfuscated command line found 28->71 73 Uses ping.exe to sleep 28->73 35 PING.EXE 1 28->35         started        38 Sul.exe.com 28->38         started        40 findstr.exe 1 28->40         started        process12 dnsIp13 49 127.0.0.1 unknown unknown 35->49 42 Sul.exe.com 38->42         started        process14 dnsIp15 57 AwDaEkJrcGENqqzHXgEdAN.AwDaEkJrcGENqqzHXgEdAN 42->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-03-27 13:05:54 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftub4losgmhrb22bjzlcelgrxjgcmwitqhyh4gm3bd3chogexd4q._file
Verdict:
malicious
Similar samples:
3688975dcd3f7829cfe55f7dd46166e0d6bd46c842c169c9fb4adb317f1d571f
CryptBot
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
CryptBot
6c219118acdf6e43d54298e2a7c268c0877a4f31c207cd29d2e038a858cea9fe
CryptBot
7b55f92633f9e8b7aad9234dd19148549c4b068f8199bb2ea4cfa6ef3175e569
CryptBot
9cda1177646d0a69217e80541b33a93f1343a3406729fd09fb19a19808cfed4b
CryptBot
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
CryptBot
b9fe450826cf7e036b06af03cee2288464efff6bc72c4ada9299c38128ee5f77
CryptBot
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
CryptBot
e15820902d036f76c33cd6e8b2efdf4aed6e43a434680320aa7aba1ffca2ec17
CryptBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
CryptBot
+ 96 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210327-bhd2f9smta/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
6bc3b386587fd5cca192513faac5ca42cd7a21d17deaacdece8eb00ca54ed16a
MD5 hash:
f610658d764cd02c53ab8bdf2867f247
SHA1 hash:
e3c7ce06baac9e996327c082701e54dfa7435e09
Link:
https://www.unpac.me/results/46211d6a-34c0-47b7-99ea-07686b30afeb/
SH256 hash:
2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9
MD5 hash:
b68f0ee033a8cd19ce47f6ae4f0eaee4
SHA1 hash:
129e9dd019f62810a669b29bf44e3eca485c9c5a
Link:
https://www.unpac.me/results/46211d6a-34c0-47b7-99ea-07686b30afeb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_CryptBot
Create hunting rule
Author:ditekSHen
Description:CryptBot/Fugrafa stealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CryptBot

Executable exe 2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1095248/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127283/

Comments