MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 10



SHA256 hash: 32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82
SHA3-384 hash: 2e9a4b5cb7cfa08e2abc9ce2710a445aa9db9e9f71ce0d20635c7728200b89ee069907abd6281a22911042d0ddc36889
SHA1 hash: 4ae27f5a2ec7c7aa26ca725d79397e4645c807c6
MD5 hash: be891367a9a7f020097506d3e964bd08
humanhash: oxygen-quebec-sad-cola
File name: 4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Download: download sample
Signature: CryptBot
File size: 11'264 bytes
First seen: 2021-06-09 13:20:50 UTC
Last seen: 2021-06-09 13:46:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 192:dD5G0QXE2YYgL2pA+On9xLrkYT00bOTFi7Dgvlnnh7/r+5d:dD5G0QXaq49xLrku00aTQqLa5
Threatray: 539 similar samples on MalwareBazaar
TLSH: 2C32B60177E84A10E6BF8B782DB343211671FA568D32CB5E1CC6429D5C72B94CAB2F76
Reporter: abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
http://olmqmc32.top/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://olmqmc32.top/index.php    https://threatfox.abuse.ch/ioc/80694/
http://morovz03.top/index.php    https://threatfox.abuse.ch/ioc/80695/

Intelligence


File Origin
# of uploads: 2
# of downloads: 224
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: main_setup_x86x64.exe
Verdict: Malicious activity
Analysis date: 2021-06-05 19:41:42 UTC
Tags: trojan evasion loader rat redline stealer raccoon danabot phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
DNS request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a custom TCP request
Sending a TCP request to an infection source
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot Glupteba RedLine
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample is not signed and drops a device driver
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cryptbot
Yara detected Evader
Yara detected Glupteba
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 431938 (Sample: uew5jAHqCT.exe, Startdate: 09/06/2021, Architecture: WINDOWS, Score: 100). The rendered process graph is not reproduced here; the information recoverable from its node labels follows.
Contacted hosts named in the graph: api.ip.sb; 212.192.241.136 (RAPMSB-ASRU, Russian Federation); ww.hackacademy.me / 162.255.119.200 (NAMECHEAP-NETUS, United States); g-partners.in / 47.254.169.135 (CNNIC-ALIBABA-US-NET-AP, United States); g-cleanpartners.in; humisnee.com / 172.67.206.104 (CLOUDFLARENETUS, United States); nailedpizza.top; iplogger.org; server10.sndvoices.com / 172.67.137.101 (CLOUDFLARENETUS, United States); spolaect.info / 172.67.161.225 (CLOUDFLARENETUS, United States); bukkva.site / 109.234.38.213 (VDSINA-ASRU, Russian Federation); elb097307-934924932.us-east-1.elb.amazonaws.com / 50.19.84.107 (AMAZON-AESUS, United States).
Notable dropped files named in the graph: C:\Windows\rss\csrss.exe (PE32), C:\Windows\System32\drivers\Winmon.sys (PE32+), C:\Users\user\AppData\Local\...\dsefix.exe (PE32+), C:\Users\user\AppData\Local\...\injector.exe (PE32+), C:\Users\user\AppData\...\edspolishpp.exe (PE32), plus several numerically named PE32 droppers under C:\Users\user\AppData\.
Threat name: Win32.Trojan.Bsymem
Status: Malicious
First seen: 2021-06-01 23:02:02 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:cryptbot family:danabot family:fickerstealer family:glupteba family:metasploit family:redline botnet:3 botnet:mix 09.06 backdoor banker discovery dropper infostealer loader spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Glupteba
Glupteba Payload
MetaSploit
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
fickerstealer
CryptBot
CryptBot Payload
Danabot
Malware Config
C2 Extraction:
bukkva.site:80
olmqmc32.top
morovz03.top
185.215.113.17:18597
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Unpacked files
SHA256 hash: 32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82
MD5 hash: be891367a9a7f020097506d3e964bd08
SHA1 hash: 4ae27f5a2ec7c7aa26ca725d79397e4645c807c6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments