MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32c6d9d772bf954b06f37b26d1b431aae37d1ff160747cce69d165db62643d49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	32c6d9d772bf954b06f37b26d1b431aae37d1ff160747cce69d165db62643d49
SHA3-384 hash:	5f3bde2c65644fe6706e261951458114ddfb46c696dbe0c5edb89e5da076b2de3b6cdc8c0faf482053af397de664ccca
SHA1 hash:	21bafcc750c448c0eeb51e39abf5c83fde271af2
MD5 hash:	825853268535568f26f8a7e54d79655e
humanhash:	utah-green-summer-lactose
File name:	setup_x86_x64_install.exe
Download:	download sample
Signature	CryptBot Create hunting rule
File size:	1'131'792 bytes
First seen:	2021-11-12 20:17:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	926ad051f241773a229b90a03adae7c2 (1 x CryptBot)
ssdeep	12288:Xvg4FftmyUoWs4oC7C2ECsfx/bQLoqnQ8lclsgl7:bftmyUonLC7C2ECsfx/bQtQ8u7
Threatray	3 similar samples on MalwareBazaar
TLSH	T1D0356A4BBF5BC923D4B88CB985B493E5BB60F99005895BCF21E87613CCEE6D21C941C6
File icon (PE):
dhash icon	30aacca2aaccccb2 (1 x CryptBot)
Reporter	Anonymous
Tags:	CryptBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://google.com

Verdict:

Malicious activity

Analysis date:

2021-11-12 22:02:38 UTC

Tags:

trojan stealer loader

Link:

https://app.any.run/tasks/ba26ade6-fe4e-41c8-82cb-b5e5d00c79c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CryptBot

Link:

https://www.capesandbox.com/analysis/205366/

Detection(s):

SecuriteInfo.com.UntrustedCertificate.iObit-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/618ecbfea00afa9663a56c2b/reports/c5f71007-0b73-43e9-b816-3593719f3a12/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CryptBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c4ad2036-d13a-4275-be41-c51b2685d2c2

Result

Threat name:

Cryptbot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/888371

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Cryptbot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/32c6d9d772bf954b06f37b26d1b431aae37d1ff160747cce69d165db62643d49/

Threat name:

Win32.Trojan.Cryptbot

Status:

Malicious

First seen:

2021-11-12 20:18:07 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gldntv3sx6kuwbxtpmtndnbrvlrx2h7rmb2hzttj2fs5wytehveq._file

Verdict:

malicious

CryptBot

8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

CryptBot

bcd9aa0b18caf74a7d771c9802cdbb4f05a810c29c2d093252f004564fe4ed2b

CryptBot

Result

Malware family:

cryptbot

Score:

10/10

Tags:

family:cryptbot discovery spyware stealer

Link:

https://tria.ge/reports/211112-y3acraebd9/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

CryptBot

Malware Config

C2 Extraction:

lekocq57.top
morgov05.top

Unpacked files

SH256 hash:

e247e12ee93dc38f56b01d5573db2c1eb8535cbcffc0bbbfdbf4f0db61974551

MD5 hash:

40158b8adf709f3969fa35270c490fa9

SHA1 hash:

0a54dcee4d3ded3444c71429dcf6f29f2c36d54d

Link:

https://www.unpac.me/results/6f2bc346-3076-469e-a909-92ce2b484597/

SH256 hash:

32c6d9d772bf954b06f37b26d1b431aae37d1ff160747cce69d165db62643d49

MD5 hash:

825853268535568f26f8a7e54d79655e

SHA1 hash:

21bafcc750c448c0eeb51e39abf5c83fde271af2

Link:

https://www.unpac.me/results/6f2bc346-3076-469e-a909-92ce2b484597/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/32c6d9d772bf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	MALWARE_Win_CryptBot Create hunting rule
Author:	ditekSHen
Description:	CryptBot/Fugrafa stealer payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/205366/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample