MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CryptBot
Vendor detections: 11


SHA256 hash: 36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e
SHA3-384 hash: ab3d6fb15606890aed46df6e5ac8b7fee7d23e65238fe2d20f948a40652040e72d3429810c17f5da2cc8e26e95377271
SHA1 hash: e314c43e297237cad9173cf65c774f99b56acbfc
MD5 hash: b00f279b575b3f07a06352a37a378323
humanhash: florida-illinois-jupiter-pennsylvania
File name: B00F279B575B3F07A06352A37A378323.exe
Signature: CryptBot
File size: 8'704 bytes
First seen: 2021-06-08 07:06:45 UTC
Last seen: 2021-06-08 08:11:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 192:e5uCe4KHQ4VxbWEusqbAbbP77fWFKFkNp:eYCe4sQ4VxbWEunsnGYON
Threatray: 1'271 similar samples on MalwareBazaar
TLSH: C702D726F7A84739CABA4BBD3CF363010770F7599853EE5F2889514F4EA7B010512BA6
Reporter: abuse_ch
Tags: CryptBot exe


abuse_ch
CryptBot C2:
195.133.47.9:80
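The entry above lists four digests and the file size. Before pivoting on any of them it is worth confirming that the copy you actually hold is the file the entry describes. The following script is an added example (my code, not part of the MalwareBazaar page or of abuse.ch's tooling). It assumes a local path to either the bare sample or the zip archive MalwareBazaar serves, which is protected with the password "infected"; the short byte strings used in its checks are constructed test data, not the sample.

```python
"""Check a downloaded copy of this sample against the hashes in its entry.

Added example, not part of the MalwareBazaar page or abuse.ch tooling.
Assumes a local file: either the raw sample or the password-protected zip
that MalwareBazaar serves for download (password "infected").
"""
import hashlib
import io
import zipfile
from pathlib import Path

# Values copied from the database entry above.
ENTRY_HASHES = {
    "sha256": "36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e",
    "sha3_384": "ab3d6fb15606890aed46df6e5ac8b7fee7d23e65238fe2d20f948a40652040e72d3429810c17f5da2cc8e26e95377271",
    "sha1": "e314c43e297237cad9173cf65c774f99b56acbfc",
    "md5": "b00f279b575b3f07a06352a37a378323",
}
ENTRY_SIZE = 8704  # "File size: 8'704 bytes"

ZIP_PASSWORD = b"infected"  # MalwareBazaar download archives use this password


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for every entry."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def unwrap_sample(raw: bytes) -> bytes:
    """Return the sample bytes, extracting them from a MalwareBazaar zip if given one."""
    if raw[:4] != b"PK\x03\x04":
        return raw  # not a zip: treat the bytes as the bare sample
    with zipfile.ZipFile(io.BytesIO(raw)) as archive:
        members = [m for m in archive.infolist() if not m.is_dir()]
        if len(members) != 1:
            raise ValueError(f"expected exactly one file in the archive, found {len(members)}")
        return archive.read(members[0], pwd=ZIP_PASSWORD)


def verify_sample(data: bytes, expected=ENTRY_HASHES, expected_size=ENTRY_SIZE) -> dict:
    """Return {field: (expected, actual)} for every mismatch; an empty dict means verified.

    All listed digests are compared, not only SHA256, so a copy-paste error in
    one hash value (or a tampered entry) is still caught.
    """
    actual = hash_bytes(data)
    mismatches = {
        name: (expected[name].lower(), actual[name])
        for name in expected
        if expected[name].lower() != actual[name]
    }
    if expected_size is not None and len(data) != expected_size:
        mismatches["size"] = (expected_size, len(data))
    return mismatches


def verify_file(path) -> dict:
    """Convenience wrapper: read a file (raw or zipped) and verify it against the entry."""
    return verify_sample(unwrap_sample(Path(path).read_bytes()))


if __name__ == "__main__":
    import sys

    problems = verify_file(sys.argv[1])
    print("verified: all hashes match the entry" if not problems else f"MISMATCH: {problems}")
```

One caveat the entry itself gives: the imphash f34d5f2d4577ed6d9ceec516c1f5a744 is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so it identifies a common loader import table rather than CryptBot; pivot on the ssdeep, TLSH and YARA matches instead of the imphash.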

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
195.133.47.9:80 | https://threatfox.abuse.ch/ioc/67395/
162.55.55.250:80 | https://threatfox.abuse.ch/ioc/67974/
80.92.206.22:80 | https://threatfox.abuse.ch/ioc/68028/
185.215.113.204:23302 | https://threatfox.abuse.ch/ioc/68044/

Intelligence


File Origin
# of uploads: 2
# of downloads: 162
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Loader.exe
Verdict: Malicious activity
Analysis date: 2021-05-29 13:52:23 UTC
Tags: evasion opendir loader trojan rat redline stealer raccoon phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour
Creating a window
DNS request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Launching a process
Sending a UDP request
Sending an HTTP POST request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Connection attempt
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cryptbot Glupteba Raccoon RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to steal Internet Explorer form passwords
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Performs DNS TXT record lookups
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected Cryptbot
Yara detected Evader
Yara detected Glupteba
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph
Behavior Graph ID: 431038
Sample: oPxwg2ab02.exe
Start date: 08/06/2021
Architecture: WINDOWS
Score: 100

Top-level network: spolaect.info; sndvoices.com; 5 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree, with the network contacts, dropped files and signatures recorded for each process:

oPxwg2ab02.exe
    Network: leselesp.info (172.67.160.61:443, CLOUDFLARENET, United States); ww.hackacademy.me (162.255.119.200:80, NAMECHEAP-NET, United States)
    Dropped: C:\...\https___leselesp.info_app.exe.exe (PE32); http___212.192.241...files_file3.exe.exe (PE32); http___212.192.241...files_file2.exe.exe (PE32); 2 other malicious files
    Signatures: Drops PE files to the document folder of the user
    http___212.192.241.136_files_file1.exe.exe
        Network: g-partners.in (8.211.6.12, local ports 49727/49728/49730, CNNIC-ALIBABA-US-NET-AP, Singapore); g-cleanpartners.in; 4 other IPs or domains
        Dropped: C:\Users\user\AppData\...\93766520446.exe (PE32); C:\Users\user\AppData\...\32312936393.exe (PE32); C:\Users\user\AppData\...\07689309000.exe (PE32); 6 other files (none is malicious)
        Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); May check the online IP address of the machine
        cmd.exe
            93766520446.exe
                Network: tttttt.me (95.216.186.40:443, HETZNER-AS, Germany); 34.88.52.57:80 (GOOGLE, United States)
                Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
                Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file access); Contains functionality to steal Internet Explorer form passwords
                cmd.exe
                    conhost.exe
                    timeout.exe
            conhost.exe
        cmd.exe
            32312936393.exe
                Network: nailedpizza.top; iplogger.org
                Dropped: C:\Users\user\AppData\...\edspolishpp.exe (PE32)
                Signatures: May check the online IP address of the machine; Sample or dropped binary is a compiled AutoHotkey binary
                edspolishpp.exe
            conhost.exe
        cmd.exe
            07689309000.exe
                Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            conhost.exe
        cmd.exe
            2 other processes
    http___212.192.241.136_files_file2.exe.exe
        Network: rirgustauis.xyz (185.117.91.226, HZ-NL-AS, Netherlands); api.ip.sb
        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures
    https___leselesp.info_app.exe.exe
        Signatures: Modifies the windows firewall; Drops PE files with benign system names
        https___leselesp.info_app.exe.exe
            Network: humisnee.com (172.67.206.104, CLOUDFLARENET, United States)
            Dropped: C:\Windows\rss\csrss.exe (PE32)
            Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows
            cmd.exe
                netsh.exe
                    Signatures: Creates files in the system32 config directory
                conhost.exe
            csrss.exe
    2 other processes
        Network: 212.192.241.136:80 (RAPMSB-AS, Russian Federation); 195.201.17.219:25524 (HETZNER-AS, Germany)
        Signatures: Uses netsh to modify the Windows network and firewall settings
        conhost.exe
        taskkill.exe
csrss.exe (started at top level)
csrss.exe (started at top level)
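Two of the signatures above describe the persistence this chain sets up: a file named csrss.exe is dropped to C:\Windows\rss\ and started, and an autostart registry key is created pointing at a binary under C:\Windows (the "System File Execution Location Anomaly" Sigma match is the same observation from the process side). The detection below is an added example (my code, not the sandbox vendors' or MalwareBazaar's) that reimplements that idea over process-creation events and Run-key values. The event records, the parent process path and the Run values it scans are constructed for the example; the system-binary name list and expected-directory list are assumptions to tune for your estate.

```python
"""Flag system-binary names that execute from, or auto-start from, unexpected paths.

Added example, not part of the MalwareBazaar page or any sandbox vendor's tooling.
It reimplements the idea behind the "System File Execution Location Anomaly"
Sigma detection and the "autostart registry key pointing to binary in C:\\Windows"
signature listed above. The events and Run values at the bottom are constructed.
"""
import ntpath

# Names Windows normally runs only from its system directories (assumed starting list).
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "lsass.exe",
    "services.exe", "svchost.exe", "spoolsv.exe", "conhost.exe", "taskhostw.exe",
}
# Directories those names are expected to execute from (lower case, trailing backslash).
EXPECTED_SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def normalize_path(path: str) -> str:
    return path.strip().strip('"').lower()


def executable_from_command(command: str) -> str:
    """Extract the executable from a Run-key command line, quoted or not, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return normalize_path(command[1:command.index('"', 1)])
    return normalize_path(command.split(" ", 1)[0])


def system_binary_location_anomaly(image: str):
    """Reason string if a system-binary name runs outside the expected directories, else None."""
    image = normalize_path(image)
    name = ntpath.basename(image)
    if name not in SYSTEM_BINARY_NAMES or image.startswith(EXPECTED_SYSTEM_DIRS):
        return None
    return f"{name} executed from unexpected location: {image}"


def run_key_anomaly(value_name: str, command: str):
    """Reason string if an autorun points into C:\\Windows outside the system directories,
    or at a system-binary name living elsewhere; None for anything else."""
    exe = executable_from_command(command)
    if exe.startswith("c:\\windows\\") and not exe.startswith(EXPECTED_SYSTEM_DIRS):
        return f"Run value '{value_name}' points into C:\\Windows outside the system directories: {exe}"
    location = system_binary_location_anomaly(exe)
    if location:
        return f"Run value '{value_name}': {location}"
    return None


def scan_process_events(events):
    """events: dicts with 'Image' and optionally 'ParentImage' (Sysmon event ID 1 field names)."""
    findings = []
    for event in events:
        reason = system_binary_location_anomaly(event["Image"])
        if reason:
            findings.append((event["Image"], event.get("ParentImage"), reason))
    return findings


def scan_run_values(run_values):
    """run_values: {value name: command line} as read from a ...\\CurrentVersion\\Run key."""
    findings = []
    for name, command in run_values.items():
        reason = run_key_anomaly(name, command)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed process-creation events modelled on the behaviour described above;
# the parent path of the dropped csrss.exe is made up for the example.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\csrss.exe", "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"Image": r"C:\Windows\rss\csrss.exe", "ParentImage": r"C:\Users\user\AppData\Local\Temp\app.exe"},
    {"Image": r"C:\Users\user\AppData\Roaming\svchost.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\93766520446.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
# Constructed Run values: one ordinary legitimate entry and one modelled on the dropped csrss.exe.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "csrss": r"C:\Windows\rss\csrss.exe",
}

if __name__ == "__main__":
    for image, parent, reason in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"process: {reason} (parent {parent})")
    for name, reason in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"autorun: {reason}")
```

The fourth constructed event (a random-named dropper in %TEMP%) is deliberately not flagged: this rule catches the "benign system name in the wrong place" trick the signatures describe, nothing else, and stays quiet on legitimate autoruns under AppData. Before extending SYSTEM_BINARY_NAMES, add any binaries that legitimately live directly under C:\Windows (explorer.exe, for one) to the expected locations or the finding count will jump.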
Threat name: ByteCode-MSIL.Spyware.Fbkatz
Status: Malicious
First seen: 2021-05-30 14:42:23 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 2/5

Result
Malware family: redline
Score: 10/10
Tags: family:cryptbot family:glupteba family:metasploit family:raccoon family:redline botnet:28198d4512d0cf31c204eddceb4471d79950b588 botnet:606 botnet:kolya botnet:mix 08.06 botnet:subnew backdoor discovery dropper evasion infostealer loader persistence spyware stealer themida trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
CryptBot
CryptBot Payload
Glupteba
Glupteba Payload
MetaSploit
Raccoon
RedLine
RedLine Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
195.201.17.219:25524
cengonic.xyz:80
116.202.18.132:38563
olmjby22.top
mortyl02.top
185.215.113.17:18597
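The IOC table earlier on this page and the extracted C2 list just above together give ten network indicators in three shapes: IP:port, domain:port and bare domain. The script below is an added example (my code, not abuse.ch's or the sandbox vendor's) of turning them into a matcher that is run over connection logs, honouring the port when the indicator carries one and matching subdomains for bare domains. The log format and every log line in it are constructed for the example (the unknown destination addresses use the 203.0.113.0/24 documentation range); adapt parse_log_line() to your proxy, firewall or Zeek conn.log layout. IPv4 indicators only, since the page has no IPv6 ones.

```python
"""Match the C2 indicators from this entry against connection logs.

Added example, not part of the MalwareBazaar/ThreatFox page or abuse.ch tooling.
The 'TIMESTAMP key=value ...' log format and the lines in SAMPLE_LOG are
constructed; "host" stands for the HTTP Host header or TLS SNI ("-" if none).
"""
import ipaddress
import re

# Indicators copied from the IOC table and the "C2 Extraction" list above.
IOCS = [
    "195.133.47.9:80",
    "162.55.55.250:80",
    "80.92.206.22:80",
    "185.215.113.204:23302",
    "195.201.17.219:25524",
    "cengonic.xyz:80",
    "116.202.18.132:38563",
    "olmjby22.top",          # bare domain: matches on any port
    "mortyl02.top",
    "185.215.113.17:18597",
]


def parse_ioc(ioc: str):
    """Split 'host[:port]' into (ioc, kind, host, port); port None means any port. IPv4 only."""
    host, sep, port = ioc.rpartition(":")
    if sep:
        port = int(port)
    else:
        host, port = ioc, None
    try:
        ipaddress.IPv4Address(host)
        kind = "ip"
    except ipaddress.AddressValueError:
        kind = "domain"
        host = host.lower().rstrip(".")
    return ioc, kind, host, port


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> dict:
    """Parse one constructed-format line into a connection record."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    host = fields.get("host", "-")
    return {
        "ts": ts,
        "src": fields.get("src"),
        "dst": fields.get("dst"),
        "dport": int(fields["dport"]) if "dport" in fields else None,
        "host": None if host == "-" else host.lower().rstrip("."),
    }


def domain_matches(observed: str, indicator: str) -> bool:
    """Exact match or a subdomain of the indicator (www.olmjby22.top matches olmjby22.top)."""
    return observed == indicator or observed.endswith("." + indicator)


def match_connection(conn: dict, indicators) -> list:
    """Return the original indicator strings that this connection matches."""
    hits = []
    for ioc, kind, host, port in indicators:
        if port is not None and conn["dport"] != port:
            continue  # indicator is port-qualified and the port differs
        if kind == "ip" and conn["dst"] == host:
            hits.append(ioc)
        elif kind == "domain" and conn["host"] and domain_matches(conn["host"], host):
            hits.append(ioc)
    return hits


def scan_log(lines, iocs=IOCS) -> list:
    """Return (timestamp, source, matched indicator) tuples for every hit."""
    indicators = [parse_ioc(i) for i in iocs]
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        conn = parse_log_line(line)
        for ioc in match_connection(conn, indicators):
            alerts.append((conn["ts"], conn["src"], ioc))
    return alerts


# Constructed log lines, not real traffic.
SAMPLE_LOG = """\
2021-06-08T07:10:02Z src=10.0.0.5 dst=195.133.47.9 dport=80 host=-
2021-06-08T07:10:03Z src=10.0.0.5 dst=195.133.47.9 dport=443 host=-
2021-06-08T07:10:09Z src=10.0.0.7 dst=203.0.113.17 dport=80 host=www.olmjby22.top
2021-06-08T07:10:15Z src=10.0.0.7 dst=185.215.113.17 dport=18597 host=-
2021-06-08T07:11:40Z src=10.0.0.9 dst=203.0.113.80 dport=443 host=example.com
"""

if __name__ == "__main__":
    for ts, src, ioc in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} -> {ioc}")
```

The second constructed line (same IP, port 443) is intentionally not a hit: the indicator is 195.133.47.9:80, and the page's own Triage tags note "Legitimate hosting services abused for malware hosting/C2", so port-qualified IP matches and hostname matches are the ones worth alerting on, while a bare IP block on a shared hosting or Cloudflare address (several appear in the behaviour graph) is a false-positive generator. These indicators were first seen in June 2021; age them out rather than carrying them forever.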
Unpacked files
SHA256 hash: 36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e
MD5 hash: b00f279b575b3f07a06352a37a378323
SHA1 hash: e314c43e297237cad9173cf65c774f99b56acbfc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: hunt_skyproj_backdoor
Author: SBousseaden
Reference: https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Author: ditekSHen
Description: Detects PowerShell content designed to retrieve passwords from host

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: MALWARE_Win_CryptBot
Author: ditekSHen
Description: CryptBot/Fugrafa stealer payload

Rule name: MALWARE_Win_DanaBot
Author: ditekSHen
Description: Detects DanaBot variants

Rule name: MALWARE_Win_HyperBro03
Author: ditekSHen
Description: Hunt HyperBro IronTiger / LuckyMouse / APT27 malware

Rule name: MALWARE_Win_RedLine
Author: ditekshen
Description: Detects RedLine infostealer

Rule name: pe_imphash

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: redline_stealer
Author: jeFF0Falltrades
Description: This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com
