MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CryptBot


Vendor detections: 10



SHA256 hash: 361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f
SHA3-384 hash: facc9394a25f2b7c883402cc328dd8cf1802c1e0cd8bcd504f2cc7ed05e646ef6ca7f4e3ffc8d97a03ade69242f34e13
SHA1 hash: 9e0111f30fdb7e9b3a5b5372fed19f8e212dde3f
MD5 hash: e53e5d09597782552953de1b7a74df06
humanhash: alaska-timing-helium-football
File name: e53e5d09597782552953de1b7a74df06
Signature: CryptBot
File size: 6'296'195 bytes
First seen: 2021-07-06 01:36:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 98304:pAI+5p+goreqMswPavGIM45Uz8hyraVTe5fh8ndVttAwor7B0DIFIT9ZrQIQq+xZ:it5p+gyhio5UzQbM37yDRZcBZ
Threatray: 79 similar samples on MalwareBazaar
TLSH: 7156332693418977D2A15A35D80FF1BBF42BFB841F7821CF17C4497E6C326292BB4299
Reporter: zbetcheckin
Tags: 32 CryptBot exe

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                              ThreatFox Reference
http://alemed12.top/index.php    https://threatfox.abuse.ch/ioc/157600/
http://mordmy01.top/index.php    https://threatfox.abuse.ch/ioc/157601/

Intelligence


File Origin
# of uploads: 1
# of downloads: 119
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: x86_x64_setup.exe
Verdict: Malicious activity
Analysis date: 2021-07-05 22:42:48 UTC
Tags: trojan evasion stealer vidar loader rat redline opendir keylogger agenttesla raccoon phishing autoit danabot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 444419; sample 9cYXsscTTT; start date 06/07/2021; architecture WINDOWS; score 100). Information recoverable from the graph:
Processes started: 9cYXsscTTT.exe, WinHoster.exe (two instances), LabPicV3.exe, LabPicV3.tmp, RunWW.exe, NMemo3Setp.exe, 3656057.exe, 7416123.exe, 8480270.exe, MediaBurner.tmp, lylal220.tmp, jfiag3g_gg.exe, 12(((((.exe, cmd.exe, conhost.exe, taskkill.exe, timeout.exe, WerFault.exe, _____________bob.exe, "e rgegd _   _)))_.exe", ultramediaburner.exe, plus several other processes the graph does not name.
Dropped files: C:\Program Files (x86)\...\lylal220.exe, hjjgaa.exe and guihuali-game.exe (PE32; the graph notes 5 further files dropped by the top-level process, 4 of them malicious); C:\Users\user\AppData\Local\...\LabPicV3.tmp; C:\Users\user\AppData\...\softokn3[1].dll; C:\Users\user\AppData\Roaming\3656057.exe, 8480270.exe and 7416123.exe; C:\Users\user\AppData\...\jfiag3g_gg.exe; C:\Users\user\AppData\Local\...\lylal220.tmp; C:\Users\user\AppData\...\MediaBurner.tmp; C:\Users\user\AppData\Local\...\12(((((.exe; C:\Users\user\AppData\...\WinHoster.exe; C:\Users\user\AppData\Local\Temp\...\idp.dll; C:\Users\user\AppData\Local\...\mscoree.dll (PE32+); C:\Users\user\AppData\Local\Temp\axhub.dll; C:\Program Files (x86)\...\Vyzhajexaelu.exe and C:\...\Vyzhajexaelu.exe.config (XML); C:\Users\user\AppData\Local\...\prolab.exe; C:\Program Files (x86)\...\Caroxukilu.exe and C:\...\Caroxukilu.exe.config (XML); C:\Users\user\...\ultramediaburner.exe; C:\Program Files\...\irecord.exe; C:\Users\user\...\ultramediaburner.tmp. Other dropped files are listed in the graph only by count and marked as not malicious.
Network contacts (destination port and ASN as given in the graph): email.yg9.me; 157.90.127.76:80 (REDIRISRedIRISAutonomousSystemES, United States); sergeevih43.tumblr.com 74.114.154.22:443 (AUTOMATTICUS, Canada); videoconvert-download38.xyz 172.67.201.250:443 (CLOUDFLARENETUS, United States); 88.99.66.31 (HETZNER-ASDE, Germany); ip-api.com 208.95.112.1:80 (TUT-ASUS, United States); star-mini.c10r.facebook.com 157.240.17.35:443 (FACEBOOKUS, United States); 104.21.80.171 (CLOUDFLARENETUS, United States); 192.168.2.1 (unknown); requested404.com 63.250.33.126 (NAMECHEAP-NETUS, United States); 104.42.151.234 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 162.0.220.187 (ACPCA, Canada); 173.222.108.210 (AKAMAI-ASN1EU, United States); 162.0.210.44 (ACPCA, Canada); 3 other IPs or domains not named in the graph.
Signatures attached to graph nodes: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets; Creates multiple autostart registry keys.
Threat name: Win32.Trojan.Fabookie
Status: Malicious
First seen: 2021-07-06 01:37:12 UTC
AV detection: 23 of 46 (50.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:vidar discovery infostealer persistence stealer upx vmprotect
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
Vidar
Unpacked files
SHA256 hash: e7ea471d02218191b90911b15cc9991eab28a1047a914c784966ecd182bd499c
MD5 hash: 7f7c75db900d8b8cd21c7a93721a6142
SHA1 hash: c8b86e62a8479a4e6b958d2917c60dccef8c033f

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: a0c42ce1e2d65be3678c4d398ae1d278724debfd13df186c5f5149f60edec148
MD5 hash: cad724b3bcc5cdd33a90247073096388
SHA1 hash: de99ef741fd51302d91709fba8af3b2587203486

SHA256 hash: 4fb3c029c0ee96c8e184db0f237b78196a203550572569a19d1abfb5ad92cc2d
MD5 hash: 543a72e4846aa427016eccef85475a6f
SHA1 hash: 7a1c555e41c9da17336aa80f19a97fef161b280e

SHA256 hash: 6bea897b06441f33f33764c26f62c206666a204768cf3e5c0ae6912d8e86780f
MD5 hash: 128250f29b71047e68f7b2ba44b10535
SHA1 hash: fc7fbe41eec8ac9e286451ade80a2f5c7abddc1c

SHA256 hash: 5f32b0641ec2d655b227fa0b47de34c9c8a0ce5d8dbef4373b93da7a34cb80d9
MD5 hash: c96846066afeda582e8d20a927d74cd3
SHA1 hash: 60cddafec86e52ee18fcbe605e4d66277d7b772d

SHA256 hash: 867ffa27657903ff4350fcb3ff9a148415fd3510b0ddbb3746b9edb6c52d16d8
MD5 hash: 0f9a4c1f04a82c1de73e08136250c0d8
SHA1 hash: cef08fd91e6de076ccaf97fb346fd7022acef986

SHA256 hash: 08585596c158f669ccc3867dd330448206e4e172d71c8fb37a8a9cdb4b371244
MD5 hash: fd29450cd97a5c9d7124778f7ac89bdd
SHA1 hash: eb1310c25770cf9c837430f945ccea760b48fedb

SHA256 hash: 361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f
MD5 hash: e53e5d09597782552953de1b7a74df06
SHA1 hash: 9e0111f30fdb7e9b3a5b5372fed19f8e212dde3f
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Sample tree: Web download -> CryptBot -> Executable exe 361dc084efc29ddc0a837710fc28a872389e3a61413e5c82fcbefc1906c7b29f (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-07-06 01:36:26 UTC

url : hxxp://4e87beed-34c0-467a-9142-a3fbcaa9f78f.s3.ap-south-1.amazonaws.com/WW/Setup.exe